Monday, October 30, 2017

the impact of secure messaging between patients and providers


"Deliver better healthcare through effective use of secure mobile messaging"

Secure messaging between patients and healthcare providers through Internet websites, commonly known as “patient portals,” allows patients and providers to communicate with each other via electronic messages outside of office visits. The use of secure messaging is becoming more and more widespread among healthcare institutions. Secure patient-provider messaging is frequently used between office visits to manage chronic conditions such as type 2 diabetes.

Secure Messaging and Diabetes Care

Internet-based messaging was initially established to improve patient access to clinicians without the added burden of time and cost of traveling to the clinicians' office. Clinician access is further facilitated by the nature of Internet-based messaging because the clinician and patient do not need to be available at the same moment in time to send or respond to the message. Instead, patients may send a message at a time of their choosing, and clinicians may respond when their schedule allows.

According to Sukyung Chung, PhD, from the Palo Alto Medical Foundation in California, secure patient-provider messaging improves patient satisfaction significantly and has a positive impact on the overall experience of care. In addition, secure messaging may help alleviate the time pressure that clinicians often experience. “Physicians have a limited amount of time to see patients in the office and to answer telephone calls,” Dr Chung said in an interview with Endocrinology Advisor. The asynchronous nature of secure messaging may allow clinicians to communicate with patients in a way that fits into their schedule.

Secure patient-provider messaging may also increase patient engagement and self-management. “Brief, intermittent office visits with physicians are not well designed for coaching patients to self-manage their own condition, which really requires more ongoing engagement between visits,” James Ralston, MD, MPH, from Kaiser Permanente Washington Health Research Institute in Washington, told Endocrinology Advisor. “Secure messaging presents a great opportunity for patients and healthcare providers to collaborate on self-management issues like glycemic control, diet, and exercise.”

However, responding to patient messages outside of visits can be time-consuming for providers. In addition, time spent interacting with patients via secure messaging is often not reimbursed in the traditional fee-for-service model. “If secure messaging takes over a significant portion of the day, and you can't get reimbursed for that time, it's hard to support secure messaging to engage with patients.”

Source

Wednesday, October 25, 2017

top 5 findings from 2017 Healthcare Data Breach Report


Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017.

While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data.

As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.”

Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the percentage has increased to 15%.

While it is not possible to eliminate the risk of healthcare employees improperly accessing patient records, it is straightforward to ensure that when incidents occur they are detected quickly. As the Protenus Breach Barometer reports clearly show, many healthcare employees have been discovered to have been improperly accessing patient health data for months or even years before the unauthorized access is detected. As Beazley points out in the report, the failure to detect insider incidents promptly and take action increases the risk of regulatory action.

Phishing and social engineering attacks also increased significantly in 2017. There has been a 9-fold increase in social engineering scams in 2017. Beazley reports that two types of social engineering attacks in particular have increased in 2017: fraudulent instruction incidents and W-2 Form phishing scams.

Fraudulent instruction incidents are a type of Business Email Compromise (BEC) scam where the attacker pretends to be a company executive and sends a request to make a bank transfer. W-2 Form phishing scams similarly involve the spoofing of a company email address. In this case a request is made to send the W-2 forms of all employees that have worked in the previous fiscal year. The information is then used to submit fraudulent tax returns. Healthcare organizations can reduce risk by teaching employees how to recognize these types of email scams.

Along with an increase in data breaches, there has also been an increase in HIPAA enforcement actions by the Department of Health and Human Services’ Office for Civil Rights (OCR). The report notes that there have been nine settlements announced so far in 2017 on top of 13 HIPAA settlements in 2016. In 2014 and 2015 there were 13 settlements.

There has also been a notable increase in settlement amounts. In 2014/2015, the average settlement amount was around $1,000,000. In 2016/2017, the average settlement was $1.8 million.

As Beazley explained in the report, experiencing a breach opens the door to OCR investigators. Part of the OCR breach investigation involves a review of basic HIPAA compliance. When noncompliance is discovered, financial penalties may be deemed appropriate.

Beazley explains there are two main reasons for the increase in settlements for noncompliance with HIPAA Rules: OCR’s growing frustration with covered entities that are still failing to comply with the HIPAA Privacy and Security Rules, and more available resources to devote to pursuing settlements.

Source

Thursday, October 12, 2017

provisions of hipaa privacy rule during public health emergency


During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules, and the Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations for hospitals in Texas and Louisiana in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:
  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration. The waiver only applies if hospitals have instituted a disaster protocol, and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Tuesday, October 10, 2017

how sms can be used to increase dental appointments


While you may think your dental practice is following all HIPAA rules, is it really? Check these seven rules from an attorney who has represented dental practices who have missed something regarding HIPAA, and paid for it.

If you’re a dentist, you know about HIPAA. You know that HIPAA creates rules and restrictions on the way you keep, use, and disclose patient information. However, many dentists don’t realize that HIPAA also restricts the way they and their staff can use email and text messages to communicate with patients and other providers about patients.

HIPAA applies to emails and text messages

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening.

HIPAA doesn’t completely prohibit using emails and texts to communicate with patients or other providers about patients. But HIPAA does require dentists to use security measures when doing so, such as encryption or secure messaging platforms. Alternatively, dentists need to obtain consent from patients to send protected information via unsecured email or text. Sending protected information over unsecured emails or texts without a patient’s consent can violate HIPAA.

Why should dentists care about this?

Failing to comply with HIPAA can have severe consequences. If protected health information is used or disclosed in a way that does not comply with HIPAA, a dentist may need to give notice of the impermissible use to the affected individuals, the federal government, and, if more than 500 individuals are affected, the media. The federal government has stepped up HIPAA enforcement, conducting more compliance audits and seeking more financial penalties from HIPAA violators.

What does this mean?

Dentists and their staff need to know and follow the rules with emails and texts to remain HIPAA compliant. Before getting to the rules, here’s some terminology:

First, HIPAA applies to the storage, use, and disclosure of a patient’s individually identifiable health information, which HIPAA calls protected health information (PHI). PHI is generally defined as any information about a patient—name, demographic information, past, present, or future physical or mental health condition, treatment, x-rays, pictures, and payment information—that can reasonably be linked to a specific, identifiable individual.

Second, “password protected” is not the same as “secure” or “encrypted.” To understand the difference, think of a padlock and a code. A padlock (like a password) protects against unauthorized access. But once a person unlocks the padlock (gets past the password), the person can see and make sense of everything inside. Encryption, on the other hand, is like a code. The information gets jumbled so it cannot be used or understood by a person who sees it unless that person has the “key” to decode the jumble (the “encryption key”).

What are the rules for emails and texts?

1. Emails to others inside the same practice—Most practices have a secure server and network, and emails between people inside the same practice, even if located in different offices, are sent over the secure server and network. If an email is sent to another person inside the same practice over a secure server and network, the email can include a patient’s PHI and does not need to be encrypted. However, if the in-practice email is not being sent over a secure server (e.g., if the practice uses Gmail or another web-based email service), the email should not include information about a patient that can be linked to a specific, identifiable individual.

2. Emails to persons outside the practice (other than the patient)—Emails to people outside the practice other than the patient should not include a patient’s PHI unless the email is encrypted or sent via a secure messaging system. This generally means that dentists should not use emails to communicate with other providers about an identifiable patient unless special security measures are taken.

3. Emails to personal email accounts—Emails from a work email account to a personal email account should not include PHI or attach patient records or other documents with PHI. If work needs to get done from home, consider using a secure remote connection (such as GoToMyPC) to connect from home, or take the minimal amount of needed information home on an encrypted flash drive.

4. Text messages to persons other than the patient—Unless a provider or practice has a secure text messaging platform, text messages are not secure or encrypted. They are easily intercepted, often sent to an incorrect number, and usually stored indefinitely on third-party devices, such as the wireless carrier’s servers. Thus, text messages should not include a patient’s PHI. This is true even for texts to staff or other providers inside the same practice; these should not include identifiable patient information.

5. Emails and texts to patients—More patients want their dentists to communicate with them by email or text. Dentists who want to do so must do one of two things. Option one is to use an email or text messaging system that encrypts messages or requires patient login, such as a patient portal. If a secure messaging system is used, messages sent to a patient can include PHI.

Option two is to obtain the patient’s consent for using unencrypted email or text messages to communicate with the patient. This is after advising the patient of the risks of doing so, including the risk that the message could be read by a third-party. A good way to do this is by giving the patient a well-written consent form as part of his or her new patient paperwork, or to existing patients at their next visit. If a patient consents to the use of unsecured emails and texts after being properly warned, a dentist may communicate protected PHI to the patient in that way.

6. Emails and texts from patients—The above rules do not apply to emails or texts sent by a patient. HIPAA applies to health-care providers (and other “covered entities”), not patients. Patients can use unencrypted emails and texts to communicate with providers.

If a patient initiates an unsecure email or text and sends it to his or her health-care provider, the Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, explains that the provider may assume that using unsecure emails or texts is acceptable to the patient, unless the patient has explicitly stated otherwise. However, OCR has also advised that if the provider believes the patient might not understand the risks of using unencrypted email or texts, or if the provider has concerns about potential liability, the provider may want to alert the patient to those risks and let him or her decide whether to continue with unencrypted email and text communications. So, if a dentist doesn’t have a signed consent and preference form from the patient, the dentist may want to get one before replying via unsecured email or text.

7. Email confidentiality notices and disclaimers—There’s a myth that including a confidentiality notice or disclaimer in an email makes the email compliant with HIPAA and allows a dentist to send PHI via unencrypted or unsecure email. The myth is false. Even the best-worded notice or disclaimer will not make an unencrypted email comply with HIPAA. The rules here still apply.

Best practice: Get consent and preference forms from all patients

All dental offices, even those that use encryption or secure messaging systems, should consider having all patients complete an email and text message consent and preference form that confirms their preferences about emails and texts. Doing so would allow dentists to communicate with their patients consistent with their desires. It would also give patients a chance to consent to the use of unencrypted emails or texts.

Consent forms would also help dentists with another significant hazard that comes with calling or texting a patient’s cell phone—the Telephone Consumer Protection Act (TCPA). TCPA is the federal law that protects consumers from unwanted telephone calls and faxes. TCPA prohibits making auto-dialed and pre-recorded calls and texts to cell phones (e.g., auto-generated appointment reminders) without the prior express consent of the called or texted party. Sanctions for violating the TCPA can be huge—$500 per violation (per call or text message).

For all of these reasons, having every patient review and sign a well-written consent and preference form, and then following the patient’s preferences, is a good idea that will keep your dental practice HIPAA compliant.

Source

Tuesday, September 26, 2017

how telemedicine is changing mobile healthcare delivery



A new survey from Reach Health unearthed the pros and cons of making use of a telehealth program.
Approximately 436 healthcare professionals, executives, nurses and physicians took part in the survey, which was conducted in January 2017. Four percent of total participants were customers of Reach Health, a telemedicine software company based in Atlanta, Georgia.

Nearly one-quarter of respondents (21 percent) indicated telemedicine is one of their organization’s top priorities. Thirty percent said it’s a high priority, and 36 percent said it’s a medium priority. Only 13 percent consider telehealth a low priority at their organization.

Despite the majority of participants agreeing about it being a key issue, they expressed a variety of different reasons for implementing a telemedicine program.

According to the survey, the ten most common telemedicine program objectives are:

  • Improving patient outcomes
  • Increasing patient engagement and satisfaction
  • Improving patient convenience
  • Providing remote and rural patients with access to care
  • Improving leverage of limited physician resources
  • Reducing cost of care delivery
  • Reducing hospital readmissions
  • Improving specialist efficiency
  • Providing access to new specialties
  • Providing 24/7 access to specialists

Other objectives included reducing emergency department overcrowding, increasing revenue and supporting research or clinical trials.

The majority of participants (59 percent) said their organization’s telehealth platform is primarily provided by a vendor. Forty-three percent noted their platform is primarily assembled internally using specialized components.

Regardless of which side of the build vs. buy debate they’re on, participants seemed to value a number of similar features in a telemedicine platform.

A few of the most crucial features are integrated audio and video for live patient engagement; the ability to produce documentation from each encounter; support for standard services; and the ability for clinicians to communicate through HIPAA-compliant messaging.

But the journey to a successful telemedicine program isn’t a piece of cake. Respondents also addressed the difficulties they face.

Top challenges include reimbursement (from Medicare, Medicaid and private payers) and inadequate telemedicine parity laws. Survey participants also said determining ROI, physician compensation and lack of EHR integration are problems.

Looking ahead, participants were asked how they expect a potential repeal or replacement of the Affordable Care Act to impact their telehealth programs.

Thirty-three percent said such an action would increase the significance of telemedicine in their organization, and only 3 percent noted it would decrease how much of a priority telemedicine is. Another 38 percent felt the importance of telehealth would stay about the same, and 26 percent said they can’t predict how it will change.

Source

Thursday, September 14, 2017

how secure electronic messaging helps to communicate with patients

Secure electronic messaging can help patients be better informed about their healthcare and improve access to healthcare providers, but the authors of a new study say more education is needed to improve the quality and efficiency of secure communication.

Researchers analyzed 1,000 threads – defined as strings of related messages – from two Department of Veterans Affairs (VA) facilities. Patients initiated an overwhelming majority of threads (90.4%), while caregivers began 4.1% of threads on behalf of a patient. Primary care team members initiated 5.5% of threads.

Patients and clinicians also used secure electronic messaging for different purposes.

Patients most often initiated messages to ask for a medication renewal or refill (47.2%). Patients also used secure messaging for scheduling requests (17.6%), medication issues (12.9%) and health issues (12.7%).

The majority of clinician-initiated threads (32.7%) were sent to report test results, followed by medication issues (21.8%), scheduling issues (18.2%) and medication renewals (16.4%).

Although some providers have expressed concern that patients would use secure electronic messaging for urgent medical issues, the researchers found that only 0.7% of patient-initiated messages contained content deemed clinically urgent.

Overall, patients viewed the use of secure messaging as an alternative to unnecessary in-person visits. It was also convenient and enabled easy, round-the-clock access to clinicians. Secure messaging also enabled patients to discuss potentially embarrassing topics.

The authors of the study, which was published in the Journal of the American Medical Informatics Association, concluded that both patients and clinicians could benefit from further education and training on the uses of secure electronics messaging. Most current guidelines for secure messaging focus on the technical and administrative areas, and not the potential use cases.

Source

healthcare tops highest data breach lawsuits across industry

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach class action lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low.

According to a recent HIPAA Journal report on the analysis of data breach litigation across industries conducted by Bryan Cave, the healthcare industry topped the list of lawsuits filed by victims of data security breaches in 2016. The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficulty plaintiffs face in establishing that an injury has been caused.

Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits compared to between 4%-5% in previous years. In total, 76 class actions were filed in 2016 as a result of data breaches.

Out of those 76 lawsuits, there were 27 unique defendants. The report confirms that the healthcare industry reported the most data breaches of any industry – 70% of the total – yet only 34% of class action lawsuits name healthcare organizations as the defendants.

Healthcare was the leading industry for class action data breach lawsuits (26 complaints), closely followed by email providers with 33%. The figures for email service providers were heavily influenced by the disclosure of two massive data breaches by Yahoo!. Restaurants were in third place with 11% of the total, followed by the retail industry with 7%.

Healthcare data breach lawsuits fell slightly year over year. Lawsuits are most commonly filed following the exposure or theft of sensitive information such as Social Security numbers, medical data, health insurance information, and security Q&As – 89% of class action lawsuits resulted from data breaches where these types of information were exposed or stolen. 65% of the lawsuits alleged negligence as the primary theory. Data breach lawsuits are most commonly filed in the Northern District of California (32%), followed by the Middle District of Florida (11%), the District of Arizona (11%), and the Western District of Pennsylvania (7%).