
Communicating Effectively & Securely with Patients and Healthcare Professionals

This session will examine the rights of individuals under HIPAA to communicate in the manner they desire, and how to decide what is an acceptable process for communication with individuals. The session will explain how to discuss communications options with individuals so that you can best meet their needs and desires while preserving their rights under the rules. The 2016 guidance on individual access to information will be discussed. Register at https://conferencepanel.com/conference/hipaa-texting-and-e-mail-using-appropriate-patient-and-professional-communications


Presentation Transcript


  1. HIPAA, Texting, and E-mail
     Using Appropriate Patient and Professional Communications
     Jim Sheldon-Dean, Director of Compliance Services
     Lewis Creek Systems, LLC
     www.lewiscreeksystems.com
     © Copyright 2023 Lewis Creek Systems, LLC All Rights Reserved jim@lewiscreeksystems.com www.lewiscreeksystems.com

  2. Agenda
     • Discuss how to handle patient communications
     • Discuss how E-mail and Texting can work under HIPAA
     • Identify guidance from HHS for patient communications
     • Identify HIPAA policies that may need to be changed
     • Discuss rights for electronic copies of electronic records
     • Learn about recent guidance and court decisions affecting how access to PHI is provided, and the allowable fees
     • Show the process that must be used in the event of breach
     • Learn about being prepared for enforcement and auditing
     • Learn how to approach compliance
     • Q&A session

  3. HIPAA Privacy and Security Rules
     • Privacy Rule – 45 CFR §164.5xx; Enforceable since 2003
       – Establishes Rights of Individuals
       – Controls on Uses and Disclosures
       – Access of PHI is a hot button issue for HHS
       – New changes proposed in December 2020
     • Security Rule – 45 CFR §164.3xx; Enforceable since 2005
       – Applies to all electronic PHI
       – Flexible, customizable approach to health information security
       – Uses Risk Analysis to identify and plan the mitigation of security risks

  4. HIPAA Breach Notification Rule
     • Breach Notification Rule – 45 CFR §164.4xx; Enforceable since February 2010
       – Requires reporting of all PHI breaches to HHS and individuals
       – Extensive/expensive obligations
       – Provides examples of what not to do on the HHS “Wall of Shame”: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
     • Combined Rules as of March 2013 published by HHS OCR: http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
     • 2013 Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
     • 2020 Proposed changes for the Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

  5. How do patients want to use e-mail and texting in health care?
     • Manage Appointments
       – Make/Change Appointments
       – Keep Appointment Calendar
     • Receive Test Results
       – By Message
       – By Secure Portal
     • Ask Health Care Questions
       – By phone, text message, e-mail, portal
     • Provide Health Care Information
       – By phone, message, portal, or App
     • Query Medical Records
     • Receive Detailed Records

  6. How do providers want to use e-mail and texting in health care?
     • Accessing/Receiving results and patient information
     • Interacting with the Hospital
       – Multitude of activities, schedules, requests, meetings…
     • Keeping appointment calendar
     • Dictation
       – By phone and App
     • Personal Uses

  7. So, what are we allowed to do?
     • Do what the patient (or their representative) wants
       – Meet HIPAA Requirements
       – Accommodate what you reasonably can
     • Meet the Patient’s Needs
       – Communication with the office for Prescription Renewals, Scheduling etc.
       – Discussion of particular health issues
       – Access of Medical Records, test results
     • Do what you can handle properly
       – For Patient Care
       – For Medical Records

  8. Many Prefer E-mail to Telephone
     • Scheduling
     • Reporting of status
     • Inquiries about issues, treatments
     • Requesting copies of records
     • Communication of test results
     • Can be more accurate than the phone
     • Provides a documented record of communication

  9. Three Issues with Plain SMS Texting
     • It’s a Privacy thing: Patients may not appreciate the risks of loss of privacy
       – HIPAA requires you to do your best to meet patient preferences for communication method
       – Use Risk Analysis to evaluate and explain risks
       – It’s a new technology and people will not understand it fully for quite some time
     • It’s a Medical Records thing: Documentation is key to health care
       – Regular texting doesn’t provide a paper trail of conversations and contacts
       – If it’s part of patient care, it must be documented properly
       – Secure, traceable texting is essential when medical record information is texted
     • It’s a patient safety thing: Triage of incoming messages is essential
       – Regular texting doesn’t automatically route to the most appropriate individual
       – Texts may arrive at all hours, 24/7 and may include a variety of information and situations, including emergencies
       – Texting with patients must be managed to protect patients and provide appropriate service

  10. Preventing E-mail & Texting Issues
     • Educate the staff as to the risks and what MUST NOT be sent via plain e-mail or text message
     • Establish secure, private e-mail and text messaging for professional information that includes PHI
     • Define policies for use of e-mail and texting
       – Require Risk Analysis for any uses of any e-mail or texting involving PHI
       – Include process for approving and monitoring uses
       – Include standards for allowable interactions via regular e-mail and texting
       – Identify secure services to be used where secure e-mail and texting would be appropriate

  11. So, how do we handle texting with Patients?
     • One of several options…
       1. Insecure plain old texting with limited/no PHI – must be limited to simple reminders without identifying details or provider information, may be sent by 3rd party
       2. Plain texting by preference of the individual (“Would you prefer to… despite the risks?”) – more flexibility but still should communicate minimum necessary for the purpose
       3. Using an informal but secure process – secure but may have limited ability to interact and document
       4. Using a secure communications platform that includes a secure texting App and process for patient engagement

  12. Is it important to manage Individual Access of records properly?
     • Yes, it is one of only two circumstances when PHI must be released, per Privacy Rule §164.502(a)
     • Yes, based on 43 enforcement actions since September 2019
       – http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
     • Yes, in the 2012 HIPAA Audits, 3 of the top 5 Privacy issues were individual access related
       – #1: Review process for denials of individual access to records
       – #2: Failure to provide appropriate individual access to records
       – #5: Disclosures to personal representatives
     • Yes, it was one of the few areas focused on in the 2016 Audits

  13. Individual Access of PHI
     • Must have a process for individual to request access for free, with copies for a reasonable cost-based fee
     • Must have a process for managing denials of access
     • Must provide the entire record in the Designated Record Set if requested:
       – Medical and Billing records used in whole or in part to make decisions related to health care
       – Exceptions for Psychotherapy notes, information for civil, criminal, or administrative proceedings, if harm may result, other specific exceptions
       – Information kept electronically must be available in electronic format if requested
       – Lab results may be accessed by the individual
     • Access of PHI by individuals is a HOT BUTTON issue for HHS
     • Proposed Rule cuts the response time to just 15 days!

  14. Telemedicine and HIPAA
     • Using HIPAA-compliant fully encrypted services under a HIPAA Business Associate Agreement is fully compliant for telemedicine use
       – Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet
     • Can follow the usual processes for Risk Analysis and secure implementation, including a HIPAA BAA
     • HIPAA has allowances for emergencies and life-threatening situations
     • Patients and providers LOVE Telemedicine! It will be with us after the emergency

  15. Telemedicine, HIPAA and COVID-19
     • HHS has issued an enforcement advisory on telemedicine during the COVID-19 emergency: Relaxed enforcement for using services that are non-public facing but may not meet HIPAA requirements (such as providing a BAA)
       – Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype
     • BUT: Do NOT use public-facing services that are not private
       – Facebook Live, Twitch, TikTok, and similar
     • And: Once the emergency is over you will need to use HIPAA compliant services, under a Business Associate Agreement, according to a HIPAA Security Risk Analysis
     • See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

  16. What is a HIPAA Breach?
     • §164.402 Breach is any acquisition, access, use, or disclosure in violation of the Privacy Rule, except if:
       – Unintentional internal use, in good faith, with no further use
       – Inadvertent internal use, within job scope
       – Information cannot be retained (returned intact, unopened, unviewed)
     • Not Reportable if:
       – Secured (encrypted) per HHS guidance, or destroyed
     • Otherwise: Reportable unless there is a “low probability of compromise” based on a risk assessment, examining at least:
       1. what was the info, how well identified was it, and is its release “adverse to the individual”
       2. to whom it was disclosed
       3. was it actually acquired or viewed
       4. the extent of mitigation

  17. What is a HIPAA Audit?
     • HITECH §13411 requires HHS to conduct periodic audits
     • Be able to show you have in place the policies and procedures required by the HIPAA Privacy, Security, and Breach Notification Rules
     • AND! Show you have been using them
     • 2 week notice!
       – You must be prepared in advance or it’s too late!
     • Round 1 conducted in 2012
     • For Round 2 in 2016-2017:
       – Desk Audits of 166 Covered Entities & 41 HIPAA Business Associates Completed
       – Patient Access of information was one of the few areas examined
     • Future Audits have been cancelled but may be resumed
     • http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

  18. Where do we start?
     • Find out what people are doing already
     • Consider professional communications and patient communications separately
     • Document your processes for proper methods of communications with both patients and professionals
     • Secure all professional communications with any PHI
     • Offer secure patient communications
     • Develop and document the process for adopting and using insecure communications (plain e-mail or texting) if patients desire
     • Have a clear process for discussion of risks and indication of patient desires, with documentation

  19. Your to-do list…
     • Don’t be in denial – willful neglect costs more than compliance
     • Accommodate individual rights
     • Review and update your policies and procedures per the rules
     • Establish your processes for Risk Analysis and Documentation
     • Document your communications policies and procedures
     • Update your Notice of Privacy Practices as necessary
     • Train staff in new policies and procedures
     • Document, document, document!
     • Conduct drills in audit and breach response
     • Make corrections based on results
     • Always have a plan for moving forward, and follow it!

  20. Thank you! Any Questions?
     For additional information, please contact:
     Jim Sheldon-Dean
     Lewis Creek Systems, LLC
     5675 Spear Street, Charlotte, VT 05445
     jim@lewiscreeksystems.com
     www.lewiscreeksystems.com
     Register Now!!!
