HIPAA, Texting, and E-mail
Using Appropriate Patient and
Professional Communications
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com
© Copyright 2023 Lewis Creek Systems, LLC All Rights Reserved
jim@lewiscreeksystems.com www.lewiscreeksystems.com
Agenda
• Discuss how to handle patient communications
• Discuss how E-mail and Texting can work under HIPAA
• Identify guidance from HHS for patient communications
• Identify HIPAA policies that may need to be changed
• Discuss rights for electronic copies of electronic records
• Learn about recent guidance and court decisions affecting how
access to PHI is provided, and the allowable fees
• Show the process that must be used in the event of breach
• Learn about being prepared for enforcement and auditing
• Learn how to approach compliance
• Q&A session
HIPAA Privacy and Security Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Access of PHI is a hot button issue for HHS
– New changes proposed in December 2020
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security
risks
HIPAA Breach Notification Rule
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of all PHI breaches to HHS and individuals
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• Combined Rules as of March 2013 published by HHS OCR:
http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
• 2013 Omnibus Update Rule, with Preamble, available at:
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• 2020 Proposed changes for the Privacy Rule:
https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html
How do patients want to use
e-mail and texting in health care?
• Manage Appointments
– Make/Change Appointments
– Keep Appointment Calendar
• Receive Test Results
– By Message
– By Secure Portal
• Ask Health Care Questions
– By phone, text message, e-mail, portal
• Provide Health Care Information
– By phone, message, portal, or App
• Query Medical Records
• Receive Detailed Records
How do providers want to use
e-mail and texting in health care?
• Accessing/Receiving results and patient
information
• Interacting with the Hospital
– Multitude of activities, schedules, requests, meetings…
• Keeping appointment calendar
• Dictation
– By phone and App
• Personal Uses
So, what are we allowed to do?
• Do what the patient (or their representative) wants
– Meet HIPAA Requirements
– Accommodate what you reasonably can
• Meet the Patient’s Needs
– Communication with the office for Prescription Renewals, Scheduling
etc.
– Discussion of particular health issues
– Access of Medical Records, test results
• Do what you can handle properly
– For Patient Care
– For Medical Records
Many Prefer E-mail to Telephone
• Scheduling
• Reporting of status
• Inquiries about issues, treatments
• Requesting copies of records
• Communication of test results
• Can be more accurate than the phone
• Provides a documented record of
communication
Three Issues with Plain SMS Texting
• It’s a Privacy thing: Patients may not appreciate the risks of loss of privacy
– HIPAA requires you to do your best to meet patient preferences for
communication method
– Use Risk Analysis to evaluate and explain risks
– It’s a new technology and people will not understand it fully for quite some time
• It’s a Medical Records thing: Documentation is key to health care
– Regular texting doesn’t provide a paper trail of conversations and contacts
– If it’s part of patient care, it must be documented properly
– Secure, traceable texting is essential when medical record information is texted
• It’s a patient safety thing: Triage of incoming messages is essential
– Regular texting doesn’t automatically route to the most appropriate individual
– Texts may arrive at all hours, 24/7 and may include a variety of information and
situations, including emergencies
– Texting with patients must be managed to protect patients and provide
appropriate service
Preventing E-mail & Texting Issues
• Educate the staff as to the risks and what MUST NOT be sent via
plain e-mail or text message
• Establish secure, private e-mail and text messaging for professional
information that includes PHI
• Define policies for use of e-mail and texting
– Require Risk Analysis for any uses of any e-mail or texting involving PHI
– Include process for approving and monitoring uses
– Include standards for allowable interactions via regular e-mail and
texting
– Identify secure services to be used where secure e-mail and texting
would be appropriate
So, how do we handle texting with
Patients?
• One of several options…
1. Insecure plain old texting with limited/no PHI – must be limited
to simple reminders without identifying details or provider
information, may be sent by 3rd party
2. Plain texting by preference of the individual (“Would you prefer
to… despite the risks?”) – more flexibility but still should
communicate minimum necessary for the purpose
3. Using an informal but secure process – secure but may have
limited ability to interact and document
4. Using a secure communications platform that includes a secure
texting App and process for patient engagement
Is it important to manage Individual Access
of records properly?
• Yes, it is one of only two circumstances when PHI must be
released, per Privacy Rule §164.502(a)
• Yes, based on 43 enforcement actions since September 2019
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
• Yes, in the 2012 HIPAA Audits, 3 of the top 5 Privacy issues
were individual access related
– #1: Review process for denials of individual access to records
– #2: Failure to provide appropriate individual access to records
– #5: Disclosures to personal representatives
• Yes, it was one of the few areas focused on in the 2016 Audits
Individual Access of PHI
• Must have a process for individual to request access for free, with
copies for a reasonable cost-based fee
• Must have a process for managing denials of access
• Must provide the entire record in the Designated Record Set if
requested:
– Medical and Billing records used in whole or in part to make decisions
related to health care
– Exceptions for Psychotherapy notes, information for civil, criminal, or
administrative proceedings, if harm may result, other specific exceptions
– Information kept electronically must be available in electronic format if
requested
– Lab results may be accessed by the individual
• Access of PHI by individuals is a HOT BUTTON issue for HHS
• Proposed Rule cuts the response time to just 15 days!
Telemedicine and HIPAA
• Using HIPAA-compliant fully encrypted services under a HIPAA
Business Associate Agreement is fully compliant for
telemedicine use
– Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me,
and Google G Suite Hangouts Meet
• Can follow the usual processes for Risk Analysis and secure
implementation, including a HIPAA BAA
• HIPAA has allowances for emergencies and life-threatening
situations
• Patients and providers LOVE Telemedicine! It will be with us
after the emergency
Telemedicine, HIPAA and COVID-19
• HHS has issued an enforcement advisory on telemedicine during
the COVID-19 emergency: Relaxed enforcement for using services
that are non-public facing but may not meet HIPAA requirements
(such as providing a BAA)
– Apple FaceTime, Facebook Messenger video chat, Google Hangouts video,
or Skype
• BUT: Do NOT use public-facing services that are not private
– Facebook Live, Twitch, TikTok, and similar
• And: Once the emergency is over you will need to use HIPAA
compliant services, under a Business Associate Agreement,
according to a HIPAA Security Risk Analysis
• See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
What is a HIPAA Breach?
• §164.402 Breach is any acquisition, access, use, or disclosure in
violation of the Privacy Rule, except if:
– Unintentional internal use, in good faith, with no further use
– Inadvertent internal use, within job scope
– Information cannot be retained (returned intact, unopened,
unviewed)
• Not Reportable if:
– Secured (encrypted) per HHS guidance, or destroyed
• Otherwise: Reportable unless there is a “low probability of
compromise” based on a risk assessment, examining at least:
1. what was the info, how well identified was it, and is its release
“adverse to the individual”
2. to whom it was disclosed
3. was it actually acquired or viewed
4. the extent of mitigation
What is a HIPAA Audit?
• HITECH §13411 requires HHS to conduct periodic audits
• Be able to show you have in place the policies and procedures
required by the HIPAA Privacy, Security, and Breach Notification
Rules
• AND! Show you have been using them
• 2 week notice! – You must be prepared in advance or it’s too late!
• Round 1 conducted in 2012
• For Round 2 in 2016-2017:
– Desk Audits of 166 Covered Entities & 41 HIPAA Business Associates
Completed
– Patient Access of information was one of the few areas examined
• Future Audits have been cancelled but may be resumed
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Where do we start?
• Find out what people are doing already
• Consider professional communications and patient communications
separately
• Document your processes for proper methods of communications
with both patients and professionals
• Secure all professional communications with any PHI
• Offer secure patient communications
• Develop and document the process for adopting and using insecure
communications (plain e-mail or texting) if patients desire
• Have a clear process for discussion of risks and indication of patient
desires, with documentation
Your to-do list…
• Don’t be in denial – willful neglect costs more than compliance
• Accommodate individual rights
• Review and update your policies and procedures per the rules
• Establish your processes for Risk Analysis and Documentation
• Document your communications policies and procedures
• Update your Notice of Privacy Practices as necessary
• Train staff in new policies and procedures
• Document, document, document!
• Conduct drills in audit and breach response
• Make corrections based on results
• Always have a plan for moving forward, and follow it!
Thank you!
Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com