We live in a fast-paced, technology-driven world. As such, consumers have a growing list of expectations when communicating with companies, and healthcare is no exception.
Today, many patients expect access to their personal health information (PHI) at any time and from anywhere. To make this even more challenging for healthcare providers, they also want access in a variety of ways: text, email, websites, chats, phone calls, and more.
Unfortunately, these patient expectations often create unmeetable, and sometimes unsafe, communication conditions for healthcare providers. Most providers may not realize that many of the ways they’re used to communicating in their personal lives are unsafe for transmitting PHI or personally identifiable information (PII).
As patients demand more ways to access PHI, your organization should understand the potential risks of each communication channel, as well as provider obligations for data security and HIPAA compliance.
Texting Patients
58% of consumers say texting is the best way to reach them quickly, and healthcare has applied this to patient communication, too. Digital health companies are making this easier and more efficient with software platforms built specifically to leverage texting as a best practice for patient communication. While many have worked hard to account for HIPAA in their technology solutions, much of this still depends on users complying. Warnings, pop-ups, and hard stops built into the software can help remind users how to follow best practices for HIPAA compliance, but users can often override or ignore these safeguards, so it’s important to understand how to use texting with your patients effectively and safely.
Text Do’s
- Develop policies and procedures that set parameters for patient text communications
- Determine if an application (particularly in an EHR) allows texting through a more secure mechanism and if you can capture data back into your records
- Use company-controlled devices. If you allow BYOD (bring your own device), have controls that allow device management, such as insight into transmissions. Also, consider enabling capabilities to wipe the device if the employee leaves your organization
Text Don’ts
- Let employees use a personal device unless you have to
- Give patients personal cell numbers
- Assume patient consent to messages in kind. For example, if your patient communicates via text, don’t assume you can respond with PHI. You must clarify and get consent.
- Keep messages on devices once moved to official systems
Drop Me an Email
Many public email platforms are not secure enough to meet HIPAA standards. Email is also a target for attackers who use phishing scams to gain credentials, launch malware, or initiate other breach methods.
Email Do’s
- Analyze and document email-related risks and the rationale for your decision to use email for patient communications, within the scope of your HIPAA risk analysis and risk threshold.
- Use encryption. Encrypt data at rest and on devices that could be stolen or lost.
- Make suggestions to help patients protect their PHI
- Establish related procedures with business associates
- Address backup and message retrieval
- Determine how to audit
- Ensure messages are moved into the Designated Record Set (DRS)
- Consider full device encryption
- Determine the need for business associate agreements
- Develop and document related policies and procedures
Email Don’ts
- Share accounts
- Keep messages on the platform once recorded in official systems
- Use personal accounts for patient communications
Let’s Get Social
Social media is a common communication method today, for example, Instagram, Twitter, Snapchat, Facebook, Clubhouse, LinkedIn, YouTube, and others.
Unfortunately, many social media platforms don’t have effective privacy controls, and few have HIPAA-compliant security and privacy practices.
Social Media Do’s
- Keep information limited to details the public needs to know about your practice such as office location, hours, and contacts
- If a patient reaches out to you via social media, keep it professional. You’re obligated to meet HIPAA standards.
- When using social media with patients, know what kind of tracking mechanisms are in use
Social Media Don’ts
- Respond to social media posts (or things like Google or Yelp reviews) with potential PHI or PII
- Accept friend requests or other personal social media connections with patients without careful consideration
- If a patient self-discloses PHI at will, don’t respond in kind
The Rise of APIs
Many common apps use application programming interfaces (APIs) for communication pathways and to share data. An API allows two different applications to communicate through common methods – for example, an application that rates businesses can communicate with a map application to give directions to the selected business. In healthcare, for example:
- Patient access: Records held in an EHR can, through an API, be provided to the patient in the health apps of their choosing
- Provider directory: For access to certain Medicaid and CHIP programs
- Conditions of participation: For example, hospital electronic notifications
API Do’s
- Understand compliance dates and requirements
- Establish policies and procedures
- Perform risk analysis and security testing on APIs
- Monitor third-party app related threats
- Establish business associate agreements with third-party vendors
API Don’ts
- Ignore requirements or assume the vendor will handle them
- Forget to document decisions regarding establishing and using APIs
- Delay educating staff
Telehealth and Video Conferencing
Since the coronavirus pandemic, we’ve seen increased usage of video conferencing tools such as Zoom, GoToMeeting, FaceTime, and others for telehealth and telemedicine.
There is a HIPAA expectation that providers ensure digital data exchanges are secure and compliant. However, the Office for Civil Rights (OCR) eased some enforcement during the pandemic, and as a result, some healthcare providers may have used platforms that are not considered compliant because no Business Associate (BA) Agreement was in place and no assurances of the platform’s security and privacy were obtained. While OCR’s enforcement discretion allowed this type of usage, it’s best to use HIPAA-compliant digital communication tools. Once the public health emergency ends, all use of non-compliant remote communications products must be immediately reevaluated, and either BA Agreements established or a move to compliant products initiated.
And while we often associate video conferencing with telehealth, the pandemic shed light on barriers to accessing video telehealth, including financial resources, limited English proficiency, disability, lack of internet access, availability of sufficient broadband, and cell coverage in the geographic area. In recognition of these barriers and the need for guidance around audio-only telehealth, HHS recently released this resource.
Telehealth Do’s
- Enable available encryption and privacy modes
- Stop using all non-compliant platforms
- Consider steps to move to compliant tools, including policies and procedures changes
- Consider using HIPAA-compliant products:
  - Microsoft Teams
  - Zoom for Healthcare
  - GoToMeeting
- Get business associate agreements
- Inform patient of privacy risks
- If the patient still wants to communicate in an unsecure medium, proceed, but document their preferences and that they were warned about risks
- Train and educate your staff on compliant practices, all policies, and expectations
Telehealth Don’ts
- Use public-facing communication products, for example, Facebook Live, Twitch, TikTok, etc.
Right of Access Initiative
Patient right of access is a high priority for OCR, as affirmed by the recent announcement of 11 new enforcement actions, but the proliferation of new technologies can complicate communication practices.
Right of Access Do’s
- Formally define (in policy) data elements and record systems
- Ensure all data in your DRS is in-scope
- Consider any record used to make a decision about a patient
- Identify the location of paper records and medical device output
Right of Access Don’ts
- Forget about emails and texts that must also be captured
- Forget billing and other types of records
- Delay responding. Remember that you must respond within 30 days, with one 30-day extension possible
As technology evolves and patient expectations change, providers will continue to face risks related to digital patient communications. It’s your responsibility to ensure that whichever communication methods you use are HIPAA compliant and protect your patients’ PHI.
Need help navigating compliance requirements for digital patient communications? Contact a Clearwater advisor today.