Email, Texting & HIPAA-TCPA Compliance – Electronic Message Rules & Myths


Patients prefer regular, that is unencrypted, email and text messaging for managing their Protected Health Information. The primary reason is that this method is an effective engagement and communication tool, and one that patients have a right to use. Compliance with the rules set out by HIPAA and the TCPA (Telephone Consumer Protection Act) is necessary for safeguarding patient information and for avoiding the hefty penalties that follow from noncompliance.

Not many are aware that all that compliance requires is the implementation of a simple three-step HIPAA safeguard, which fully protects Covered Entities from violating both HIPAA and the TCPA, and which is therefore the most effective safeguard against potentially expensive TCPA class actions. The truth, however, is that most HIPAA-governed entities fail to take advantage of the three-step safeguard and instead rely on the misleading, generic information they find on the Net, which can land them in a lot of trouble.

The new HIPAA Rules, first adopted in 2013, and the accompanying OCR guidance give a thorough and clear-cut explanation of how Covered Entities and Business Associates should communicate with patients via unencrypted email and text messaging. This clarification is reinforced by the new HIPAA Rules and by a directive from the CMS Center for Clinical Standards and Quality/Survey & Certification Group, which also clearly state when Covered Entities and Business Associates must use encrypted email and text messages when communicating with persons who are not patients, such as other Covered Entities.

A webinar being organized on February 21 by MentorHealth, a leading provider of professional training for all areas of healthcare, will explain how Covered Entities can protect themselves from HIPAA and TCPA violations by following the simple three-step safeguard when communicating with patients using unencrypted email and text messages.

Paul Hales, an expert on HIPAA Privacy, Security, Breach Notification and Enforcement Rules, will be the speaker at this webinar. Please visit MentorHealth to take part in this learning experience.

—————————————————————————————————————

At this webinar, Paul will help participants understand how to use and document the three-step safeguard to protect their organization when communicating with patients by regular email and text message. He will explain how noncompliance with the “Safe Harbor” leads to HIPAA and TCPA liability.

He will also explain the new HIPAA Rules and the CMS directive, so that participants understand when emails and text messages containing PHI must be encrypted.

—————————————————————————————————————

About the speaker: Paul R. Hales is an expert on HIPAA Privacy, Security, Breach Notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis. He is the author of all content in The HIPAA E-Tool, an Internet-based Software as a Service product for health care providers and Business Associates.


Complementing MACRA and MIPS with HIPAA brings about better patient engagement

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) is a federal Act that regulates how physicians are paid when they treat patients under Medicare. It modifies and supersedes the earlier legislation on this topic, the Balanced Budget Act, which had been in force since 1997.

From the time the Balanced Budget Act linked physician payments to budget cuts and economic growth, it reduced physician payments by over a fifth. In contrast, MACRA introduces the Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (APMs), which are “pay-for-performance” programs independent of the macroeconomic factors on which the earlier physician payment system was based.

Bringing about patient engagement is the basic purpose of MACRA

MACRA brings about patient engagement in a big way; this is one of the quintessential features of the legislation. MACRA uses advancing technologies to foster the patient engagement tools that have become an essential feature of the smart devices the healthcare sector uses. Certified Electronic Health Record Technology (CEHRT) has enabled features such as secure patient portals and encrypted text message and email products.

Because of this, patient engagement tools sent electronically by regular (unencrypted) email and text messaging include appointment reminders, healthcare instructions, patient satisfaction surveys, health and wellness newsletters, and recall reminders. Since these are part of the regular use of technology in healthcare, the rules issued under HIPAA set out how Protected Health Information (PHI) can be sent by unencrypted electronic transmission. This explains the clear and strong link between MACRA, MIPS and HIPAA.


The first set of these HIPAA rules came into effect when the HIPAA Omnibus Rule was passed in September 2013. Guidance from the U.S. Department of Health and Human Services in 2014 and 2016 followed these rules.

Pervasive violations

Despite the good intentions with which these HIPAA Rules and guidance were enacted, Providers, Covered Entities and their Business Associates have been violating the HIPAA Rules for communicating with patients by unencrypted email and text message. Lack of knowledge of the rules is considered the main reason for this. Most providers, Covered Entities and Business Associates have very little knowledge of what PHI, as defined by HIPAA, really is.

The antidote to this problem is provided by HIPAA itself, in the form of the HIPAA Rules and HHS/OCR guidance. This guidance provides a simple, easy-to-use three-step Safe Harbor for using unencrypted email and text messaging to engage patients. The highlight of this three-step HIPAA Safe Harbor is that it relieves Covered Entities and Business Associates of any responsibility or liability for unauthorized access to Protected Health Information (PHI) in unencrypted emails and text messages during transmission and after receipt by the patient.


Clear learning about the three-step Safe Harbor

Understanding what this Safe Harbor is, and knowing how to apply it, is very important for Covered Entities, Business Associates and providers. It is the only real means for them to stay compliant with the requirements set out in HIPAA and to avoid violating the HIPAA rules on communicating with patients by unencrypted email and text message.


This is the learning that a webinar from MentorHealth, a leading provider of professional training for the healthcare industry, will offer. The speaker at this session is Paul R. Hales, an expert on HIPAA Privacy, Security, Breach Notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, and the author of all content in The HIPAA E-Tool, an Internet-based Software as a Service product for health care providers and Business Associates. Please register for this webinar.

Putting the HIPAA Safe Harbor in proper perspective

An explanation of the three-step HIPAA Safe Harbor is the core of this learning session. Paul will break the Safe Harbor down into its steps, which makes the process easy to follow.

He will cover the following areas in this webinar for HIPAA Covered Entities and Business Associates:

  • MACRA-MIPS – Patient Engagement – the Required Objective: Protecting Patient Health Information, and the Measure: HIPAA Risk Analysis
  • A clear explanation of the simple 3-Step HIPAA Safe Harbor that protects Covered Entities (and Business Associates acting on their behalf) from liability related to Patient Engagement by unencrypted email and text messaging
  • HIPAA Law that covers unencrypted email and text messages – which emails and text messages are subject to HIPAA Law
  • What Protected Health Information (PHI) really is according to HIPAA – a clear explanation of how HIPAA defines PHI; it is not just information about, for example, a diagnosis, disease, surgery or prescribed treatment
  • How a 2015 Federal Communications Commission Order about health care text messages added to the confusion, and what it really means – the 3-Step HIPAA Safe Harbor is the only text message Safe Harbor for Covered Entities and Business Associates
  • The absolute ban on unencrypted text messaging of PHI by the Joint Commission in collaboration with the Centers for Medicare & Medicaid Services (CMS)
  • The interconnected liability of Covered Entities and Business Associates that provide unencrypted electronic patient engagement services such as appointment reminders, and how both can protect themselves
  • The responsibility and liability of Senior Management and Boards of Trustees

Making use of portable technologies in healthcare comes with challenges

Portable technologies have taken center stage in many industries. Healthcare is one of the prime users of portable technologies, notable examples of which are smartphones and other PDAs. They are remarkably useful to this industry not only for the ease and comfort of access they offer, but also for the speed with which they move information, something of critical importance in healthcare.

One breach, and everything goes awry

All the benefits portable technologies bring to the healthcare sector notwithstanding, these technologies, like any other science-based development, have their drawbacks. These shortcomings are real and cannot be wished away or easily done away with. Many a time, they have the potential to neutralize the advantages such technologies bring.

What are these drawbacks? Healthcare organizations that use portable technologies are highly susceptible to data breaches, which can send the whole data system into a tailspin. Data breaches carry not only a huge financial cost; they come with an even more expensive price tag: the healthcare organization’s loss of reputation. This is why ensuring that health data is secure and retains its integrity is crucial for healthcare organizations. In addition, guaranteeing data security is a regulatory requirement, because it is set out in HIPAA.

Get a thorough understanding of how to prevent and deal with data breaches

A proper understanding of the ways in which healthcare organizations can protect their data from breaches, and deliver their best in accordance with the requirements set out in a number of regulations, is therefore of paramount importance to healthcare organizations. It is exactly this learning that a seminar from MentorHealth, a reputable provider of professional training for the healthcare industry, will deliver.

Dr. Sheldon Dean, Director of Compliance Services at Lewis Creek Systems, LLC, will direct this seminar. Dr. Sheldon Dean, as the old saying goes, needs no introduction in the world of healthcare informatics. At this two-day seminar, he will focus on the sensitivities and issues that healthcare organizations have to be aware of and take into consideration in order to prevent data breaches and data loss. Apart from exploring and describing the compliance issues associated with the use of handheld devices, especially in relation to email and texting, he will also look into how to manage BYOD.

Just log on to http://bit.ly/1Uoh4J6 to enroll in this valuable learning session.