Monday, October 30, 2017

the impact of secure messaging between patients and providers


"Deliver better healthcare through effective use of secure mobile messaging"


Secure messaging between patients and healthcare providers through Internet websites, commonly known as “patient portals,” allows patients and providers to communicate with each other via electronic messages outside of office visits. The use of secure messaging is becoming more and more widespread among healthcare institutions. Secure patient-provider messaging is frequently used between office visits to manage chronic conditions such as type 2 diabetes.

Secure Messaging and Diabetes Care

Internet-based messaging was initially established to improve patient access to clinicians without the added burden of time and cost of traveling to the clinicians' office. Clinician access is further facilitated by the nature of Internet-based messaging because the clinician and patient do not need to be available at the same moment in time to send or respond to the message. Instead, patients may send a message at a time of their choosing, and clinicians may respond when their schedule allows.

According to Sukyung Chung, PhD, from the Palo Alto Medical Foundation in California, secure patient-provider messaging improves patient satisfaction significantly and has a positive impact on the overall experience of care. In addition, secure messaging may help alleviate the time pressure that clinicians often experience. “Physicians have a limited amount of time to see patients in the office and to answer telephone calls,” Dr Chung said in an interview with Endocrinology Advisor. The asynchronous nature of secure messaging may allow clinicians to communicate with patients in a way that fits into their schedule.

Secure patient-provider messaging may also increase patient engagement and self-management. “Brief, intermittent office visits with physicians are not well designed for coaching patients to self-manage their own condition, which really requires more ongoing engagement between visits,” James Ralston, MD, MPH, from Kaiser Permanente Washington Health Research Institute in Washington, told Endocrinology Advisor. “Secure messaging presents a great opportunity for patients and healthcare providers to collaborate on self-management issues like glycemic control, diet, and exercise.”

However, responding to patient messages outside of visits can be time-consuming for providers. In addition, time spent interacting with patients via secure messaging is often not reimbursed in the traditional fee for service model. “If secure messaging takes over a significant portion of the day, and you can't get reimbursed for that time, it's hard to support secure messaging to engage with patients.

Source

Wednesday, October 25, 2017

top 5 findings from 2017 Healthcare Data Breach Report


Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017.

While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data.

As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.”

Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the percentage has increased to 15%.

While it is not possible to eliminate the risk of healthcare employees improperly accessing patient records, it is straightforward to ensure that when incidents occur they are detected quickly. As the Protenus Breach Barometer reports clearly show, many healthcare employees have been discovered to have been improperly accessing patient health data for months or even years before the unauthorized access is detected. As Beazley points out in the report, the failure to detect insider incidents promptly and take action increases the risk of regulatory action.

Phishing and social engineering attacks also increased significantly in 2017. There has been a 9-fold increase in social engineering scams in 2017. Beazley reports that two types of social engineering attacks in particular have increased in 2017: fraudulent instruction incidents and W-2 Form phishing scams.

Fraudulent instruction incidents are a type of Business Email Compromise (BEC) scam where the attacker pretends to be a company executive and sends a request to make a bank transfer. W-2 Form phishing scams similarly involve the spoofing of a company email address. In this case a request is made to send the W-2 forms of all employees that have worked in the previous fiscal year. The information is then used to submit fraudulent tax returns. Healthcare organizations can reduce risk by teaching employees how to recognize these types of email scams.

Along with an increase in data breaches, there has also been an increase in HIPAA enforcement actions by the Department of Health and Human Services’ Office for Civil Rights (OCR). The report notes that there have been nine settlements announced so far in 2017 on top of 13 HIPAA settlements in 2016. In 2014 and 2015 there were 13 settlements.

There has also been a notable increase in settlement amounts. In 2014/2015, the average settlement amount was around $1,000,000. In 2016/2017, the average settlement was $1.8 million.

As Beazley explained in the report, experiencing a breach opens the door to OCR investigators. Part of the OCR breach investigation involves a review of basic HIPAA compliance. When noncompliance is discovered, financial penalties may be deemed appropriate.

Beazley explains there are two main reasons for the increase in settlements for noncompliance with HIPAA Rules: OCR’s growing frustration with covered entities that are still failing to comply with the HIPAA Privacy and Security Rules, and more available resources to devote to pursuing settlements.

Source

Thursday, October 12, 2017

provisions of hipaa privacy rule during public health emergency




During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules, and the Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations for hospitals in Texas and Louisiana in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:
  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).
These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration. The waiver only applies if hospitals have instituted a disaster protocol, and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Tuesday, October 10, 2017

how sms can be used to increase dental appointments


While you may think your dental practice is following all HIPAA rules, is it really? Check these seven rules from an attorney who has represented dental practices who have missed something regarding HIPAA, and paid for it. 


If you’re a dentist, you know about HIPAA. You know that HIPAA creates rules and restrictions on the way you keep, use, and disclose patient information. However, many dentists don’t realize that HIPAA also restricts the way they and their staff can use email and text messages to communicate with patients and other providers about patients.

HIPAA applies to emails and text messages

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening.

HIPAA doesn’t completely prohibit using emails and texts to communicate with patients or other providers about patients. But HIPAA does require dentists to use security measures when doing so, such as encryption or secure messaging platforms. Alternatively, dentists need to obtain consent from patients to send protected information via unsecured email or text. Sending protected information over unsecured emails or texts without a patient’s consent can violate HIPAA.

Why should dentists care about this?

Failing to comply with HIPAA can have severe consequences. If protected health information is used or disclosed in a way that does not comply with HIPAA, a dentist may need to give notice of the impermissible use to the affected individuals, the federal government, and, if more than 500 individuals are affected, the media. The federal government has stepped up HIPAA enforcement, conducting more compliance audits and seeking more financial penalties from HIPAA violators.

What does this mean?

Dentists and their staff need to know and follow the rules with emails and texts to remain HIPAA compliant. Before getting to the rules, here’s some terminology:

First, HIPAA applies to the storage, use, and disclosure of a patient’s individually identifiable health information, which HIPAA calls protected health information (PHI). PHI is generally defined as any information about a patient—name, demographic information, past, present, or future physical or mental health condition, treatment, x-rays, pictures, and payment information—that can reasonably be linked to a specific, identifiable individual.

Second, “password protected” is not the same as “secure” or “encrypted.” To understand the difference, think of a padlock and a code. A padlock (like a password) protects against unauthorized access. But once a person unlocks the padlock (gets past the password), the person can see and make sense of everything inside. Encryption, on the other hand, is like a code. The information gets jumbled so it cannot be used or understood by a person who sees it unless that person has the “key” to decode the jumble (the “encryption key”).

What are the rules for emails and texts?

1. Emails to others inside the same practice—Most practices have a secure server and network, and emails between people inside the same practice, even if located in different offices, are sent over the secure server and network. If an email is sent to another person inside the same practice over a secure server and network, the email can include a patient’s PHI and does not need to be encrypted. However, if the in-practice email is not being sent over a secure server (e.g., if the practice uses Gmail or another web-based email service), the email should not include information about a patient that can be linked to a specific, identifiable individual.

2. Emails to persons outside the practice (other than the patient)—Emails to people outside the practice other than the patient should not include a patient’s PHI unless the email is encrypted or sent via a secure messaging system. This generally means that dentists should not use emails to communicate with other providers about an identifiable patient unless special security measures are taken.

3. Emails to personal email accounts—Emails from a work email account to a personal email account should not include PHI or attach patient records or other documents with PHI. If work needs to get done from home, consider using a secure remote connection (such as GoToMyPC) to connect from home, or take the minimal amount of needed information home on an encrypted flash drive.

4. Text messages to persons other than the patient—Unless a provider or practice has a secure text messaging platform, text messages are not secure or encrypted. They are easily intercepted, often sent to an incorrect number, and usually stored indefinitely on third-party devices, such as the wireless carrier’s servers. Thus, text messages should not include a patient’s PHI. This is true even for texts to staff or other providers inside the same practice; these should not include identifiable patient information.

5. Emails and texts to patients—More patients want their dentists to communicate with them by email or text. Dentists who want to do so must do one of two things. Option one is to use an email or text messaging system that encrypts messages or requires patient login, such as a patient portal. If a secure messaging system is used, messages sent to a patient can include PHI.

Option two is to obtain the patient’s consent for using unencrypted email or text messages to communicate with the patient. This is after advising the patient of the risks of doing so, including the risk that the message could be read by a third-party. A good way to do this is by giving the patient a well-written consent form as part of his or her new patient paperwork, or to existing patients at their next visit. If a patient consents to the use of unsecured emails and texts after being properly warned, a dentist may communicate protected PHI to the patient in that way.

6. Emails and texts from patients—The above rules do not apply to emails or texts sent by a patient. HIPAA applies to health-care providers (and other “covered entities”), not patients. Patients can use unencrypted emails and texts to communicate with providers.

If a patient initiates an unsecure email or text and sends it to his or her health-care provider, the Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, explains that the provider may assume that using unsecure emails or texts is acceptable to the patient, unless the patient has explicitly stated otherwise. However, OCR has also advised that if the provider believes the patient might not understand the risks of using unencrypted email or texts, or if the provider has concerns about potential liability, the provider may want to alert the patient of those risks and let him or her decide whether to continue with unencrypted email and text communications. So, if a dentist doesn’t have a signed consent and preference form from the patient, the dentist may want to get one before replying via unsecured email or text.

7. Email confidentiality notices and disclaimers—There’s a myth that including a confidentiality notice or disclaimer in an email makes the email compliant with HIPAA and allows a dentist to send PHI via unencrypted or unsecure email. The myth is false. Even the best-worded notice or disclaimer will not make an unencrypted email comply with HIPAA. The rules here still apply.

Best practice: Get consent and preference forms from all patients

All dental offices, even those that use encryption or secure messaging systems, should consider having all patients complete an email and text message consent and preference form that confirms their preferences about emails and texts. Doing so would allow dentists to communicate with their patients consistent with their desires. It would also give patients a chance to consent to the use of unencrypted emails or texts.

Consent forms would also help dentists with another significant hazard that comes with calling or texting a patient’s cell phone—the Telephone Consumer Protection Act (TCPA). TCPA is the federal law that protects consumers from unwanted telephone calls and faxes. TCPA prohibits making auto-dialed and pre-recorded calls and texts to cell phones (e.g., auto-generated appointment reminders) without the prior express consent of the called or texted party. Sanctions for violating the TCPA can be huge—$500 per violation (per call or text message).

For all of these reasons, having every patient review and sign a well-written consent and preference form, and then following the patient’s preferences, is a good idea that will keep your dental practice HIPAA compliant.

Source