HIPAA, Texting, and E-mail in 2023 - PowerPoint PPT Presentation

About This Presentation
Description:

The use of texting and e-mail for communications with patients and between professionals is one of the most current issues in HIPAA compliance and enforcement. Providing appropriate access is one of the cornerstones of HIPAA and has been identified as an area of serious non-compliance that has been targeted in the most recent round of HIPAA Audits, and is now the subject of proposed changes to HIPAA designed to ease patient access and sharing of Protected Health Information.

Slides: 21
Provided by: confpanel5

Transcript and Presenter's Notes


1
HIPAA, Texting, and E-mail: Using Appropriate
Patient and Professional Communications
  • Jim Sheldon-Dean
  • Director of Compliance Services
  • Lewis Creek Systems, LLC
  • www.lewiscreeksystems.com

2
Agenda
  • Discuss how to handle patient communications
  • Discuss how E-mail and Texting can work under
    HIPAA
  • Identify guidance from HHS for patient
    communications
  • Identify HIPAA policies that may need to be
    changed
  • Discuss rights for electronic copies of
    electronic records
  • Learn about recent guidance and court decisions
    affecting how access to PHI is provided, and the
    allowable fees
  • Show the process that must be used in the event
    of breach
  • Learn about being prepared for enforcement and
    auditing
  • Learn how to approach compliance
  • Q&A session

3
HIPAA Privacy and Security Rules
  • Privacy Rule
  • 45 CFR 164.5xx Enforceable since 2003
  • Establishes Rights of Individuals
  • Controls on Uses and Disclosures
  • Access of PHI is a hot button issue for HHS
  • New changes proposed in December 2020
  • Security Rule
  • 45 CFR 164.3xx Enforceable since 2005
  • Applies to all electronic PHI
  • Flexible, customizable approach to health
    information security
  • Uses Risk Analysis to identify and plan the
    mitigation of security risks

4
HIPAA Breach Notification Rule
  • Breach Notification Rule
  • 45 CFR 164.4xx Enforceable since February 2010
  • Requires reporting of all PHI breaches to HHS and
    individuals
  • Extensive/expensive obligations
  • Provides examples of what not to do on the HHS
    Wall of Shame:
    https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  • Combined Rules as of March 2013 published by HHS
    OCR:
    http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
  • 2013 Omnibus Update Rule, with Preamble,
    available at
    http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  • 2020 Proposed changes for the Privacy Rule:
    https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

5
How do patients want to use e-mail and texting
in health care?
  • Manage Appointments
  • Make/Change Appointments
  • Keep Appointment Calendar
  • Receive Test Results
  • By Message
  • By Secure Portal
  • Ask Health Care Questions
  • By phone, text message, e-mail, portal
  • Provide Health Care Information
  • By phone, message, portal, or App
  • Query Medical Records
  • Receive Detailed Records

6
How do providers want to use e-mail and texting
in health care?
  • Accessing/Receiving results and patient
    information
  • Interacting with the Hospital
  • Multitude of activities, schedules, requests,
    meetings
  • Keeping appointment calendar
  • Dictation
  • By phone and App
  • Personal Uses

7
So, what are we allowed to do?
  • Do what the patient (or their representative)
    wants
  • Meet HIPAA Requirements
  • Accommodate what you reasonably can
  • Meet the Patient's Needs
  • Communication with the office for Prescription
    Renewals, Scheduling etc.
  • Discussion of particular health issues
  • Access of Medical Records, test results
  • Do what you can handle properly
  • For Patient Care
  • For Medical Records

8
Many Prefer E-mail to Telephone
  • Scheduling
  • Reporting of status
  • Inquiries about issues, treatments
  • Requesting copies of records
  • Communication of test results
  • Can be more accurate than the phone
  • Provides a documented record of communication

9
Three Issues with Plain SMS Texting
  • It's a Privacy thing: Patients may not appreciate
    the risks of loss of privacy
  • HIPAA requires you to do your best to meet
    patient preferences for communication method
  • Use Risk Analysis to evaluate and explain risks
  • It's a new technology and people will not
    understand it fully for quite some time
  • It's a Medical Records thing: Documentation is
    key to health care
  • Regular texting doesn't provide a paper trail of
    conversations and contacts
  • If it's part of patient care, it must be
    documented properly
  • Secure, traceable texting is essential when
    medical record information is texted
  • It's a patient safety thing: Triage of incoming
    messages is essential
  • Regular texting doesn't automatically route to
    the most appropriate individual
  • Texts may arrive at all hours, 24/7 and may
    include a variety of information and situations,
    including emergencies
  • Texting with patients must be managed to protect
    patients and provide appropriate service

10
Preventing E-mail & Texting Issues
  • Educate the staff as to the risks and what MUST
    NOT be sent via plain e-mail or text message
  • Establish secure, private e-mail and text
    messaging for professional information that
    includes PHI
  • Define policies for use of e-mail and texting
  • Require Risk Analysis for any uses of any e-mail
    or texting involving PHI
  • Include process for approving and monitoring uses
  • Include standards for allowable interactions via
    regular e-mail and texting
  • Identify secure services to be used where secure
    e-mail and texting would be appropriate

11
So, how do we handle texting with Patients?
  • One of several options
  • Insecure plain old texting with limited/no PHI:
    must be limited to simple reminders without
    identifying details or provider information, may
    be sent by 3rd party
  • Plain texting by preference of the individual
    (Would you prefer to despite the risks?):
    more flexibility but still should communicate
    minimum necessary for the purpose
  • Using an informal but secure process: secure but
    may have limited ability to interact and document
  • Using a secure communications platform that
    includes a secure texting App and process for
    patient engagement

12
Is it important to manage Individual Access of
records properly?
  • Yes, it is one of only two circumstances when PHI
    must be released, per Privacy Rule 164.502(a)
  • Yes, based on 43 enforcement actions since
    September 2019
  • http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
  • Yes, in the 2012 HIPAA Audits, 3 of the top 5
    Privacy issues were individual access related
  • #1 Review process for denials of individual
    access to records
  • #2 Failure to provide appropriate individual
    access to records
  • #5 Disclosures to personal representatives
  • Yes, it was one of the few areas focused on in
    the 2016 Audits

13
Individual Access of PHI
  • Must have a process for individual to request
    access for free, with copies for a reasonable
    cost-based fee
  • Must have a process for managing denials of
    access
  • Must provide the entire record in the Designated
    Record Set if requested
  • Medical and Billing records used in whole or in
    part to make decisions related to health care
  • Exceptions for Psychotherapy notes, information
    for civil, criminal, or administrative
    proceedings, if harm may result, other specific
    exceptions
  • Information kept electronically must be available
    in electronic format if requested
  • Lab results may be accessed by the individual
  • Access of PHI by individuals is a HOT BUTTON
    issue for HHS
  • Proposed Rule cuts the response time to just 15
    days!

14
Telemedicine and HIPAA
  • Using HIPAA-compliant fully encrypted services
    under a HIPAA Business Associate Agreement is
    fully compliant for telemedicine use
  • Skype for Business, Updox, VSee, Zoom for
    Healthcare, Doxy.me, and Google G Suite Hangouts
    Meet
  • Can follow the usual processes for Risk Analysis
    and secure implementation, including a HIPAA BAA
  • HIPAA has allowances for emergencies and life
    threatening situations
  • Patients and providers LOVE Telemedicine! It
    will be with us after the emergency

15
Telemedicine, HIPAA and COVID-19
  • HHS has issued an enforcement advisory on
    telemedicine during the COVID-19 emergency:
    Relaxed enforcement for using services that are
    non-public facing but may not meet HIPAA
    requirements (such as providing a BAA)
  • Apple FaceTime, Facebook Messenger video chat,
    Google Hangouts video, or Skype
  • BUT: Do NOT use public-facing services that are
    not private
  • Facebook Live, Twitch, TikTok, and similar
  • And: Once the emergency is over you will need to
    use HIPAA compliant services, under a Business
    Associate Agreement, according to a HIPAA
    Security Risk Analysis
  • See
    https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

16
What is a HIPAA Breach?
  • 164.402 Breach is any acquisition, access, use,
    or disclosure in violation of the Privacy Rule,
    except if
  • Unintentional internal use, in good faith, with
    no further use
  • Inadvertent internal use, within job scope
  • Information cannot be retained (returned intact,
    unopened, unviewed)
  • Not Reportable if
  • Secured (encrypted) per HHS guidance, or
    destroyed
  • Otherwise Reportable unless there is a low
    probability of compromise based on a risk
    assessment, examining at least
  • what was the info, how well identified was it,
    and is its release adverse to the individual
  • to whom it was disclosed
  • was it actually acquired or viewed
  • the extent of mitigation

17
What is a HIPAA Audit?
  • HITECH 13411 requires HHS to conduct periodic
    audits
  • Be able to show you have in place the policies
    and procedures required by the HIPAA Privacy,
    Security, and Breach Notification Rules
  • AND! Show you have been using them
  • 2 week notice! You must be prepared in advance
    or it's too late!
  • Round 1 conducted in 2012
  • For Round 2 in 2016-2017
  • Desk Audits of 166 Covered Entities and 41 HIPAA
    Business Associates Completed
  • Patient Access of information was one of the few
    areas examined
  • Future Audits have been cancelled but may be
    resumed
  • http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

18
Where do we start?
  • Find out what people are doing already
  • Consider professional communications and patient
    communications separately
  • Document your processes for proper methods of
    communications with both patients and
    professionals
  • Secure all professional communications with any
    PHI
  • Offer secure patient communications
  • Develop and document the process for adopting and
    using insecure communications (plain e-mail or
    texting) if patients desire
  • Have a clear process for discussion of risks and
    indication of patient desires, with documentation

19
Your to-do list
  • Don't be in denial: willful neglect costs more
    than compliance
  • Accommodate individual rights
  • Review and update your policies and procedures
    per the rules
  • Establish your processes for Risk Analysis and
    Documentation
  • Document your communications policies and
    procedures
  • Update your Notice of Privacy Practices as
    necessary
  • Train staff in new policies and procedures
  • Document, document, document!
  • Conduct drills in audit and breach response
  • Make corrections based on results
  • Always have a plan for moving forward, and follow
    it!

20
Thank you!
  • Any Questions?
  • For additional information, please contact
  • Jim Sheldon-Dean
  • Lewis Creek Systems, LLC
  • 5675 Spear Street, Charlotte, VT 05445
  • jim_at_lewiscreeksystems.com
  • www.lewiscreeksystems.com
