HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. It provides privacy standards that protect patients' protected health information (PHI). The standard requires covered entities (doctors, dentists, labs, hospitals and other healthcare providers) to establish administrative, physical and technical safeguards to protect this information. Keep in mind that these requirements are intended to be scalable and flexible. "One size doesn't fit all" is a good way to look at the scalability of HIPAA. Implement technology and safeguards appropriate to your situation. Consider the size of the practice, the cost of implementation and the potential risk to ePHI, among other things. The flexibility allows facilities to adapt to new or emerging technologies, but those technologies must be addressed in your policies and procedures. Email and texting aren't new technologies, but more and more healthcare providers are using these forms of communication on a regular basis. These messages are often sent and received on mobile devices like smartphones and tablets.
Let's look at electronic communications in general and identify some of the potential risks and how these need to be addressed in your risk assessment and policies.
- Sending ePHI to an unauthorized or incorrect email or cellular address
- Theft or loss of a mobile device
- Unauthorized interception of a transmission of ePHI
- Improper disposal of the device
- Limited availability of ePHI that is stored only on a mobile device, where no one other than the device user can access it
In consideration of these risks, your HIPAA policies and procedures should include the following components:
- Requiring a signed patient consent form authorizing you to communicate with them via email or text messaging.
- Secure sign-in process for all mobile devices that create, send, receive or store ePHI.
- Identify and limit what information can be shared through text or email.
- Protocol for documenting any ePHI received by text or email in patient's medical record.
- Setting a retention period or requiring immediate deletion of text, emails and/or attachments after communication is complete.
- Policy on when encryption is required, based on the type of information being sent, the mobile devices used, etc.
- Inventory and serial number documentation on all mobile devices.
- Disposal policy for mobile devices.
- Conduct HIPAA training on mobile device use and security.
In addition to policies and HIPAA training, it's important to get consent and a documented email address or phone number for communications. This is our Acknowledgment of Receipt and Use/Disclosure Form, and it's used to document communication consent. This form is included with both of our HIPAA systems and should be signed by all of your patients. It allows them the option of designating a preferred method of electronic communication or "opting out" altogether. It also serves as documentation in case there is a dispute over what address or phone number was authorized for the release.
If you're texting or using email as a form of communication with other providers or patients, you are required to have policies that address the methods and the safeguards that are in place to protect ePHI.
Our 2018 HIPAA Security Manual has policies that address all the required and addressable components of the HIPAA regulations, covering password management, backup procedures, email and texting policy and breach notification, just to name a few. Why wait any longer to get into compliance with the HIPAA Security Rule?