
Page 1: Ensuring HIPAA Compliance When Transmitting PHI via ...media.straffordpub.com/products/ensuring-hipaa... · 5/16/2018  · – Allow termination of underlying agreement. – Must

Ensuring HIPAA Compliance When Transmitting PHI via Patient Portals, Email and Texting

Protecting Patient Privacy, Complying With State and Federal Regulations, Meeting Meaningful Use Standards

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

WEDNESDAY, MAY 16, 2018

Presenting a live 90-minute webinar with interactive Q&A

Ryan P. Blaney, Member, Cozen O’Connor, Washington, D.C.

Kim C. Stanger, Partner, Holland & Hart, Boise, Idaho


Page 5

This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or Cozen O’Connor or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP and Cozen O’Connor. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

Page 6

Overview of Presentation

1. Regulatory Overview – HIPAA Privacy and Security and Patient Portals

2. Business Associates and Vendor Contracting

3. Breaches and Enforcement

4. Design & Contracting

5. Pitfalls to Avoid and Best Practices

6. Don’t Forget About TCPA

Page 7

Patient Interaction & Partnership

• 99% think social networks are useful in healthcare delivery. (2018 NEJM Catalyst Insights Council Patient Engagement Survey)

• 84% of US consumers with smart phones/home computers want access to electronic medical records

• 41% willing to switch doctors over issue

• 70% of consumers believe it’s important to be able to consult their providers via email.

– See Kaveh Safavi, M.D., J.D., Accenture Consumer Survey on Patient Engagement, Sept. 2013.

Page 8

What is a Patient Portal?

• A secure online website that gives you 24-hour access to your personal health information and medical records

Page 9

The Law

Statutes, Regulations and Government Guidance …

Page 10

Outcomes-Based Healthcare

• Affordable Care Act

• Payment Models (e.g., MSSPs)

• Data-Driven Care Delivery

– Enabling interoperability and meaningful use of health IT.

Page 11

Meaningful Use Measures

• Patient portals are a way to meet the meaningful use requirements (“measures”)

• Core measures – e.g., providing patients with an electronic copy of their health information; providing clinical summaries for each office visit

• Menu measures – e.g., providing patients with timely electronic access to their health information; patient-specific education resources

Page 12

Regulatory Responsibilities

Health Insurance Portability and Accountability Act (HIPAA) Privacy – April 14, 2003

Health Insurance Portability and Accountability Act (HIPAA) Security – April 21, 2005

Health Information Technology for Economic and Clinical Health Interim Act (HITECH) – February 17, 2009

Omnibus Final Rule – March 26, 2013

General Data Protection Regulations (GDPR) – May 25, 2018

Page 13

What did HITECH do for Portals?

• In 2009, the HITECH Act accelerates the changing healthcare landscape.

– To qualify for payments from the Medicare & Medicaid EHR Incentive Program, health care providers have accelerated the implementation of EHR.

Page 14

HIPAA

• “Treatment purposes”: 45 C.F.R. Section 164.506

• Business Associate Agreement (BAA)

• Third-Party Access to data

• Minimum Necessary Requirement

• Consent

Page 15

Minimum Necessary Rule

• Covered Entities must make reasonable efforts not to use or disclose more than the minimum amount of health information necessary to accomplish the intended purpose of the disclosure

• With limited exceptions, the standard generally applies to all uses and disclosures of health information

45 CFR § 164.502(b)

Page 16

Don’t Forget About State Laws

Highlights:

◦ Most states have laws mandating the protection and disposal of personal information by corporations

◦ Companies are generally required to implement and maintain reasonable security procedures to protect information

Connecticut

Illinois

California

Page 17

The Definitions

PHI, Health Information, Individually Identifiable

Page 18

What is PHI?

• Protected Health Information (PHI) is individually identifiable health information in all forms – paper, oral, or electronic.

• PHI excludes employment records held by an employer in its role as an employer (e.g., physician's note)

Page 19

What is Health Information?

• Health information includes any information created by a health care provider, health plan, employer, school or university

– And that relates to past, present, or future physical or mental health or condition of the individual,

– The provision of health care to the individual, or

– The past, present, or future payment for health care to the individual

Page 20

What makes Health Information “Individually Identifiable”?

• Names

• Medical Record Numbers

• Social Security Numbers

• Account Numbers

• License/Certification numbers

• Vehicle Identifiers/Serial numbers/License plate numbers

• Internet protocol addresses

• Health plan numbers

• Full face photographic images and any comparable images

• Web universal resource locators (URLs)

• Any dates related to any individual (date of birth)

• Telephone numbers

• Fax numbers

• Email addresses

• Biometric identifiers including finger and voice prints

• Any other unique identifying number, characteristic or code

Page 21

Business Associates and Vendor Contracting

Page 22

Page 23

What is a Business Associate (“BA”)?

• Definition:

– A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity

• Includes anyone with health information from your health plans, providers and covered entities (could include attorneys, consultants, third party administrators, auditors, computer software service companies)

Page 24

What are the Business Associate Rules?

Page 25

Contracting

• Don’t just sign the standard contract placed in front of you!

• Pay attention to clauses/provisions:

– Who owns the data?

– Term and renewal

– Indemnification

– Limitations on Liability

– Reporting requirements and breaches

– Termination and data (discussed later)

Page 26

Tips for Drafting & Negotiating BAAs

• Reporting requirements and timing (the parties can and should agree on shorter periods)

• Review the underlying services agreement and modify services agreement and BAA to be consistent

• Agency and subcontractor provisions

• Indemnification clauses

• Breach notification costs and responsibilities

• Termination and destruction of PHI

Page 27

OCR Sample BAA Terms

Page 28

BAA: Pro-Covered Entity Terms

• Covered entities may want to add these terms:

– Business associate must report or act within x days.

– Business associate must implement policies.

– Business associate must encrypt or implement other safeguards.

– Business associate must carry data breach insurance.

– Business associate notifies individuals of breaches and/or reimburses covered entity for costs of the notice.

– Business associate defends and indemnifies for losses, claims, etc.

– Business associate is an independent contractor, not agent.

– Business associate assumes liability for subcontractors.

– Allow termination of underlying agreement.

– Must have consent to operate outside the United States.

– Covered entity has right to inspect and audit.

– Cooperate in HIPAA investigations or actions.

* Business associate may want these in subcontracts.

Page 29

BAA: Pro-BA Terms

• Business associates and subs probably want to add these:

– Covered entity will not disclose PHI unless necessary.

– Covered entity will not request action that violates HIPAA.

– Covered entity has obtained necessary authorizations.

– Covered entity will not agree to restrictions on PHI that will adversely affect business associate.

– Covered entity will notify business associate of all such restrictions.

– Covered entity will reimburse for additional costs.

– Blanket reporting for security incidents.

– Specify business associate does not maintain designated record set.

– Reserve the right to terminate based on restrictions or other change that adversely affects business associate.

– Subcontractors are independent contractors, not agents.

– Mutual indemnification.

– Limitation or cap on damages.

Page 30

Business Associates

• Covered entity is liable for acts of business associate if:

– Knew or should know that business associate is violating HIPAA and covered entity fails to act; or

– Business associate is the covered entity’s agent.

• Make sure business associate is an independent contractor, not an agent.

– Business associate agreement should confirm same.

– Make sure you do not control method and manner of business associate’s functions.

Page 31

Business Associates

OCR targeting business associate issues, e.g.:

• Group paid $750K for no BAA after BA lost films.

• Hospital paid $1.55M for no BAA after BA lost laptop.

• Hospital system paid $400K for failing to update BAA to include Omnibus Rule terms.

Make sure you have current, updated BAAs in place with your business associates!

Page 32

HIPAA Audits

“HIPAA Compliance is like middle school math – you must show your work”

– Leon Rodriguez, Former Director OCR

• HIPAA related recordkeeping is essential.

• Audit: Leverage OCR’s HIPAA Privacy, Security and Breach Audit Protocol available online.

• Assessments: analysis of vulnerabilities, data criticality, remediation strategies and process for determining and accepting risks in the organization.

Page 33

When Trouble Comes Knocking

Breaches

Page 34

Breaches

The Omnibus Rule made significant changes to the interim final breach notification rule by:

• Adding a presumption that any unauthorized use or disclosure of unsecured PHI is a breach

• Removing the prior “risk of harm” standard.

• Requiring Covered Entities to evaluate and demonstrate a “low probability” that PHI has been “compromised”; otherwise notification to patients is required

Page 35

Breaches / Enforcement

Page 36

2017 Data – According to HHS

Page 37

OCR Largest Breaches from 2009 - 2018

HIPAA Breaches range from $1.7 million – $5.5 million in fines

With new breaches reported daily, as recent as April 9, 2018.

Page 38

OCR – Breach Enforcement

Page 39

Breaches / Enforcement - FTC

• “Consumerization” of Healthcare – FTC’s jurisdiction.

• The FTC has been the chief federal agency on privacy policy and enforcement since the 1970s, when it began enforcing one of the first federal privacy laws – the Fair Credit Reporting Act.

• Section 5 of the FTC Act

• Enforcing Privacy Promises: https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises

Page 40

FTC Privacy & Security Enforcement

Page 41

FTC Enforcement Continued

Page 42

FTC’s Action Against LifeLock

Page 43

State AG Enforcement

Leading States

New York Attorney General and Department of Financial Services

Massachusetts Attorney General

California Attorney General

Illinois Biometric Information Privacy Act

In 2011, OCR provided technical assistance and training on enforcement of HIPAA for State Attorneys General.

Page 44

What cyber criminals have already taken…

• Intellectual Property – Loss varies on nature of industry

• State Secrets – Destabilizing American infrastructure

• Medical Records – Average Black Market Value = $60 > cc

• Credit Cards – PCI violations range from $10K - $100K

• Identity Theft – Companies pay approx. $180 per compromised customer

• Corporate Espionage – Loss of contracts = loss of revenue

Page 45

Costs of Data Breaches

• $145/record, avg. of > 28k records (Ponemon Institute Survey)

• $159 when caused by malicious attacks (Ponemon Institute Survey)

• Average financial impact to surveyed companies with one or more incidents = $3.5 million

Page 46

Patient Portal Risk Areas

• Security

• “User error”

– By patients

– By staff

Page 47

Designing Patient Portals

Page 48

Designing Portal

• Keep it simple and user friendly.

– Portal is no good if patients or staff can’t or won’t use it.

– May lead to non- or miscommunication and frustration.

• Ease of use > Complex functionality

Page 49

Determine Functionality

• Communicate via e-mail

• Appointment reminders

• Schedule non-urgent appointments

• Request prescription refills

• Check benefits and coverage

• Update contact info

• Make payments

• Download and complete forms

• Access records

– Which records?

Page 50

Limit Access to Some Records

• Portal Access < Patient’s Right of Access

• Under HIPAA, may limit access to PHI if:

– Not part of designated record set

– Psychotherapy notes

– Obtained under a promise of confidentiality

– Access may cause substantial harm to patient or other person.

(45 CFR 164.524(a))

• May limit access to additional records in portal.

• Create a process to flag or limit access to certain records.

Page 51

Limit Access to Some Records

• Check other laws for additional limits.

– State laws

• HIV/STDs

• Mental health

• Substance abuse

• Genetic tests

– Federally funded drug and alcohol programs have additional limits (see 42 CFR part 2)

– Others?

Page 52

Access by Others

• Parents or personal representatives

• Third parties

Page 53

Access by Personal Reps

• Under HIPAA, personal representative has the right to access patient info.

– Personal Rep = Patient

• “Personal representative” = person with authority under state law to make decisions concerning the patient’s health care.

– Parent of unemancipated minor

– Legal guardian or surrogate of incompetent patient

– Others per state law

(45 CFR 164.502(g))

Page 54

Access by Personal Reps

• May (should) deny personal rep access if:

– Minor reaches age of majority.

– Patient may consent to their own care under state law, e.g., minor seeks care for:

• Sexually transmitted disease

• Drug or alcohol treatment

• Mental health

• Reproductive health

– Parent or guardian agrees to confidentiality.

– Provider determines that allowing personal rep to access may endanger patient or not in patient’s interest.

(45 CFR 164.502(g))

Check state law

Page 55

Access by Personal Reps

• Build in limits to portal access by personal reps, e.g.:

– Patient age 0-12: parents may access all records

– Patient age 12-17: hold back or restrict parental access to certain sensitive records, e.g.,

• Women’s health

• Psychiatry

• Substance abuse

• Others for which patient may consent on their own

– Age 18 and over: terminate parental right to access unless:

• Patient did not object and relevant to parent’s involvement.

• Patient authorization or consent.

• Check state law!

Page 56

Access by Third Parties

• Warn patient against allowing third parties to use password.

• As practical matter, patient may allow anyone to access.

– Provider may disclose to family members and others involved in care if patient does not object. (45 CFR 164.510)

• Provider may not knowingly allow third parties to access unless HIPAA exception applies, e.g.,

– HIPAA-compliant authorization. (45 CFR 164.508)

– Patient directs that PHI be sent to third party. (45 CFR 164.524)

– Family members and others involved in care so long as patient has not objected. (45 CFR 164.510)

– Personal representative. (45 CFR 164.502)

– Other?

Page 57

Access by Third Parties

• Options:

– Allow third party to use patient’s user name and password.

• Perhaps problems with Security Rule requiring unique user ID.

– Give third party their own user name and password if patient agrees.

• HIPAA authorization. (45 CFR 164.508)

• Patient request to disclose. (45 CFR 164.524)

– Set up separate account with different parameters, e.g., allow proxy to view but not change any fields.
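The age bands and hold-back categories from the “Access by Personal Reps” slides, the deny conditions from page 54, and the view-only proxy account from this slide, combined into one portal decision function as an added example (not code from the presentation or from any portal vendor). The function names, record shape, the placement of age 12 in the restricted band, the state-law hook and the sample dates of birth are assumptions made for this example.

```python
"""Proxy (personal representative) access policy for a patient portal.

Added example, not code from the presentation: the age bands and hold-back
categories from the "Access by Personal Reps" slides plus the view-only
proxy account from the "Access by Third Parties" slide, as one decision
function. Names, record shape, state-law hook and sample dates are assumed.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Categories the slide says to hold back from parents of 12-17 year olds.
SENSITIVE_CATEGORIES = frozenset({"womens_health", "psychiatry", "substance_abuse"})

# Constructed sample data (not from the slides): the webinar date and three
# dates of birth giving a patient aged 8, 15 and 23 on that day.
SAMPLE_TODAY = date(2018, 5, 16)
CHILD_DOB = date(2010, 1, 1)
TEEN_DOB = date(2003, 1, 1)
ADULT_DOB = date(1995, 1, 1)


class Action(Enum):
    VIEW = "view"
    EDIT = "edit"


@dataclass(frozen=True)
class Record:
    category: str      # e.g. "immunizations", "psychiatry"
    patient_dob: date


@dataclass
class ProxyGrant:
    """What the portal knows about the proxy and the basis for their access."""
    relation: str                              # "parent", "guardian", ...
    patient_authorization: bool = False        # HIPAA authorization (45 CFR 164.508)
    patient_did_not_object: bool = False       # involved in care, no objection (45 CFR 164.510)
    parent_agreed_confidential: bool = False   # parent or guardian agreed to confidentiality
    provider_flagged_endanger: bool = False    # provider: access may endanger patient
    # Assumed hook for state law: categories of care the minor may consent to
    # on their own, which shuts the parent out regardless of age band.
    minor_consent_categories: frozenset = field(default_factory=frozenset)


def patient_age(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def proxy_decision(rec: Record, grant: ProxyGrant, action: Action, today: date) -> tuple:
    """Decide one proxy request. Returns (allowed, reason); log the reason."""
    # Separate proxy account: may view but not change any fields.
    if action is not Action.VIEW:
        return False, "proxy accounts are view-only"
    # Deny at any age when the provider says access may endanger the patient,
    # when the parent agreed to confidentiality, or when state law lets the
    # minor consent to that care alone.
    if grant.provider_flagged_endanger:
        return False, "provider determined access may endanger patient"
    if grant.parent_agreed_confidential:
        return False, "parent or guardian agreed to confidentiality"
    if rec.category in grant.minor_consent_categories:
        return False, "patient may consent to this care under state law"

    age = patient_age(rec.patient_dob, today)
    # Slide bands are 0-12 and 12-17; this example puts age 12 in the
    # restricted band (assumption), so hold-back starts on the 12th birthday.
    if age < 12:
        return True, "patient under 12: parents may access all records"
    if age < 18:
        if rec.category in SENSITIVE_CATEGORIES:
            return False, "patient 12-17: sensitive record held back from parent"
        return True, "patient 12-17: non-sensitive record"
    # Age 18 and over: parental right terminates unless an exception applies.
    if grant.patient_authorization:
        return True, "adult patient: HIPAA authorization on file"
    if grant.patient_did_not_object:
        return True, "adult patient: involved in care and patient did not object"
    return False, "patient 18 or over: parental access terminated"


def visible_categories(records, grant: ProxyGrant, today: date) -> list:
    """Categories the proxy may see in the portal listing, in input order."""
    return [r.category for r in records
            if proxy_decision(r, grant, Action.VIEW, today)[0]]


if __name__ == "__main__":
    parent = ProxyGrant(relation="parent")
    teen_chart = [Record("immunizations", TEEN_DOB), Record("psychiatry", TEEN_DOB)]
    print(visible_categories(teen_chart, parent, SAMPLE_TODAY))  # ['immunizations']
```

Every denial carries its reason so the portal can write it to the audit log the slides ask for, and the state-law hook is where a deployment plugs in the minor-consent categories that differ by state.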

Page 58

Security of Portal

• Ensure portal complies with HIPAA Security Rule if transmitting PHI.

Page 59

Security of Portal

• See security rule requirements, especially those related to access controls.

• Unique user ID

• Automatic logoff

• Integrity

• Authentication

• Transmission security

• Encryption and decryption

(45 CFR 164.312)

• Use software that is certified as compliant by the Office of the National Coordinator for Health Info Technology.

Page 60

Security of Portal

• Encryption is an addressable standard:

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.

(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

(45 CFR 164.312)

• ePHI that is properly encrypted is “secured”.

– Not subject to breach reporting per 45 CFR 164.400.

• OCR presumes that loss of unencrypted data, laptop, USB, mobile device is reportable breach.

Page 61

https://www.healthit.gov/

Page 62

https://www.healthit.gov/

Page 63

Security of Portal

• Initial authentication

– In-person: check identity and set up portal access in person during appointment.

– Online or remote: check identity through asking questions (e.g., nature of last bill, last four digits of SSN, etc.)

• Log-in authentication

– User name + password.

– Multi-factor authentication, e.g., password and sending code to cell phone.

– Consider giving patient option.

Page 64

Security of Portal

• Manage passwords

– Consider the strength of password required.

– Establish a response to consecutive failed login attempts (e.g., temporary lockout or throttling, with the event logged).

– Establish rules for password resets.

– Prohibit sharing of passwords.
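The log-in and password-management controls listed on the two slides above (user name + password, a second factor, a defined response to consecutive failed logins, and an audit trail of portal usage) as one working flow. This is an added example, not code from the webinar or from any portal product. It uses only the Python standard library; the lockout threshold, lockout duration, PBKDF2 iteration count and issuer name are assumed policy values, the 30-second step is the RFC 6238 default, and the timestamps in the demo are constructed.

```python
"""Patient-portal login flow with the controls the slides list:
hashed passwords, lockout after consecutive failed attempts, a second
factor (RFC 6238 TOTP built on RFC 4226 HOTP) and an audit trail.
Added example using only the Python standard library; the policy
values below are assumptions, not values taken from the webinar."""
import base64
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP-order iteration count for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # assumption: policy value for the "response to consecutive failed logins"
LOCKOUT_SECONDS = 15 * 60     # assumption: temporary lockout rather than permanent disable
TOTP_STEP_SECONDS = 30        # RFC 6238 default time step


@dataclass
class PortalAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen user table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> PortalAccount:
    """Enrolment step; the TOTP secret would be shown to the patient as a QR code."""
    salt = os.urandom(16)
    return PortalAccount(username, salt, hash_password(password, salt), os.urandom(20))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at // TOTP_STEP_SECONDS))


def login(acct: PortalAccount, password: str, code: str, now: float, audit: list) -> str:
    """Returns 'ok', 'denied' or 'locked' and appends (time, user, event) to audit.
    Both factors are always checked and the caller only learns 'denied',
    so an attacker cannot tell which factor failed."""
    if now < acct.locked_until:
        audit.append((now, acct.username, "login_rejected_locked"))
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    step = int(now // TOTP_STEP_SECONDS)
    # Accept the current and the previous step to tolerate small clock skew.
    code_ok = code.isascii() and any(
        hmac.compare_digest(hotp(acct.totp_secret, step - d), code) for d in (0, 1)
    )
    if pw_ok and code_ok:
        acct.failed_attempts = 0
        audit.append((now, acct.username, "login_ok"))
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        audit.append((now, acct.username, "lockout"))
        return "locked"
    audit.append((now, acct.username, "login_failed"))
    return "denied"


def provisioning_uri(acct: PortalAccount, issuer: str = "ExamplePortal") -> str:
    """otpauth:// URI an authenticator app enrols from (issuer name is an assumption)."""
    secret_b32 = base64.b32encode(acct.totp_secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{acct.username}?secret={secret_b32}"
            f"&issuer={issuer}&digits=6&period={TOTP_STEP_SECONDS}")


if __name__ == "__main__":
    trail: list = []
    acct = create_account("patient1", "correct horse battery staple")
    t = 1_700_000_000.0                      # constructed timestamp for the demo
    print(login(acct, "correct horse battery staple", totp(acct.totp_secret, t), t, trail))
    for _ in range(MAX_FAILED_ATTEMPTS):     # fifth consecutive failure trips the lockout
        print(login(acct, "wrong", "000000", t, trail))
    for event in trail:                      # the audit trail the slides ask for
        print(event)
```

The audit list stands in for whatever log store the portal uses; the point is that every outcome, including rejections during a lockout, is recorded with the account and timestamp so usage can be audited and brute-force attempts spotted. The SMS code the slide mentions would replace the TOTP check with a stored, expiring one-time value; the lockout and audit logic stays the same.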


Page 65

Security of Portal

• Test portal frequently.

– Penetration testing.

• Audit usage.

• Include portal in regular risk assessment.

– Risk of intercept during transmission.

– Risk of unauthorized access through portal.


Page 66

[Screenshot of https://www.healthit.gov/ (slide image not reproduced)]


Page 67

Communicating by E-mail or Text

• The rules differ for communications with patients versus communications with other providers or third parties.

Page 68

Texting or E-mailing Patients: Security Rule vs. Privacy Rule

Security Rule

• “[A covered entity must] implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” (45 CFR 164.312(e))

Privacy Rule

• “A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.” (45 CFR 164.522(b))



Page 69

Texting and E-mailing Patients:

Privacy Rule

“Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

“Answer: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so…. For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of ePHI is in compliance with the HIPAA Security Rule.”

(www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html)


Page 70

Texting and E-mailing Patients:

Security Rule

“Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

“Answer: The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR §164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

(www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html)


Page 71

Texting and E-mailing Patients

• “[C]overed entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn’’ individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.”

(78 FR 5634)


Page 72

Texting and E-mailing Patients

“Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?

“Yes, as long as the PHI is ‘readily producible’ in the manner requested, based on the capabilities of the covered entity and transmission or transfer in such a manner would not present an unacceptable level of security risk to the PHI on the covered entity’s systems… For example, individuals generally have a right to receive copies of their PHI by mail or e-mail, if they request. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail …”

(OCR Guidance on Patient Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)

Page 73

Texting and E-mailing Patients

“Further, while covered entities are required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI while in transit, individuals have a right to receive a copy of their PHI by unencrypted e-mail if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted e-mail. If the individual says yes, the covered entity must comply with the request.”

(OCR Guidance on Patient Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 74

Texting and E-mailing Patients

“Is a covered entity responsible if it complies with an individual’s access request to receive PHI in an unsecure manner (e.g., unencrypted e-mail) and the information is intercepted while in transit?

“No. While covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., correctly entering the e-mail address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual.”

(OCR Guidance on Patient Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 75

Texting and E-mailing Patients: Can You Require Unsecure Messages?

• “A covered entity may not require individuals to waive their rights under [the Privacy or Security Rules] as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.” (45 CFR 164.530(h))

• “A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization…” (45 CFR 164.508(b)(4))

• “[A] covered entity is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.” (OCR Guidance on Patient Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 76

Texting and E-mailing Patients: Must You Make It Available?

“It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).”

(OCR Guidance on Patient Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 77

Texts and E-mails from Patients

• “The Security Rule … does not apply to the patient. A patient may send health information to you using email or texting that is not secure. That health information becomes protected by the HIPAA Rules when you receive it.” (OCR Guide to Patient Access at p.31).

• “Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.” (OCR FAQ, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html)


Page 78

AMA Guidelines for Patient-Physician E-Mail and Text Messaging

Page 79

Texting or E-mailing Others:

Privacy Rule

“Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange … PHI with another provider for treatment purposes?

“Yes. The Privacy Rule allows covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. Thus, for example, a physician may consult with another physician by e-mail about a patient’s condition, or health care providers may electronically exchange PHI to and through a health information organization (HIO) for patient care.” (OCR FAQ dated 12/15/08)


Page 80

Texting or E-mailing Others:

Security Rule

“Can you use texting to communicate health information, even if it is to another provider or professional?

“Answer: It depends. Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages. However, your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

(www.healthit.gov/providers-professionals/faqs/can-you-use-texting-communicate-health-information-even-if-it-another-p)


Page 81

May Patient Authorize Use of Unsecure Text or E-mail?

Not clear how OCR would respond…

Arguments in Support

• HIPAA is primarily intended to protect patient’s privacy interests.

• Patient has the right to determine what happens to their PHI.

• Patient may require transmission of PHI to third party by unsecure means per 45 CFR 164.524.

• Patient should be able to authorize disclosure by unsecure means per 45 CFR 164.508.

Arguments Against

• Providers are generally required to comply with security rule.

• “A covered entity may not require individuals to waive their rights under [the Privacy or Security Rule] as a condition of the provision of treatment….” (45 CFR 164.530(h))

• For an authorization, “PHI must be sent securely.” (OCR Guidance on Access).


Page 82

May Patient Authorize Providers to Text or E-mail Others via Unsecure Network?

• “A covered entity is permitted to use or disclose PHI … pursuant to and in compliance with a valid authorization under §164.508.” (45 CFR 164.502(a)(1)(iv))

• “If an individual's request for access directs the covered entity to transmit the copy of PHI directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.” (45 CFR 164.524(c)(3)(ii))


Page 83

May Patient Authorize Providers to Text or E-mail Others via Unsecure Network?

“If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI…. [T]he individual can designate the form and format of the PHI and how the PHI is to be sent to the third party…

“[For example,] a patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician….”

(OCR Guidance on Patient’s Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 84

May Patient Authorize Providers to Text or E-mail Others via Unsecure Network?

• “[C]overed entities must safeguard the information in transit, and … may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

(OCR Guidance on Patient’s Access, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


Page 85

Limits on Texting Orders in Facilities

Page 86

May Not Require Patients to Use Portal

• Patients generally have the right to access PHI in a reasonable manner. (45 CFR 164.524)

• A provider may not require an individual to use a web portal to request or access records. (OCR Guidance on Patient’s Right to Access PHI)


Page 87

Integrate Portal Communications

• Ensure portal communications are incorporated into the medical record.

– Relays information to providers who review the record.

– Documents communications with patients to protect providers.

– Supports reimbursement.


Page 88

Educate Patients

• Functionality and limits of portal.

– Information that should/should not be shared through portal.

• Risks associated with portal.


Page 89

Educate Patients

Appropriate Topics for E-mail

• Appointment reminders.

• Requests for prescription refills.

• Data used for chronic disease management such as vital signs.

• Short questions that may be answered briefly.

• Short, patient-initiated updates about non-urgent clinical treatment matters (e.g., “started the medication; no side effects”).

Inappropriate Topics for E-mail

• Urgent or time-sensitive information.

• Sensitive and highly confidential subjects (e.g., HIV, psychiatric symptoms, etc.).

• Complex concerns or matters requiring extended exchange.


Page 90

Educate Patients

• Disclaimers or warnings:

– Cannot create a patient-physician relationship through e-mail.

– No internet-based diagnosis.

– Do not use the portal for urgent messages.

• In an emergency, contact the emergency room directly.

– There may be a delay in response to e-mail.

– Info provided through the portal may be seen by others, e.g.,

• Those who access the patient’s device.

• Those with whom the patient shares access.

• Info submitted that becomes part of the medical record.


Page 91

Educate Patients

• Disclaimers or warnings:

– Protect passwords and do not share with others.

– E-mails and texts outside portal may not be secure.

– Notify provider of improper access or use.

– Provider not responsible for third-party content, e.g., educational material provided by others.

– No warranty concerning any product.

– User assumes risk related to viewing info on the user’s computer via a third-party network.

– Prohibit reproduction or personal use of info protected by copyright, trademark, etc.


Page 92

Portal Documentation

• Registration form

– Sufficient info to identify patient and link to record.

• Access agreement

– Terms and conditions of portal use.

– Instructions for portal use.

– Disclaimers and warnings.

– Reserve right to terminate for misuse.

– Acknowledgment, agreement and signature

• Proxy agreement

– Sufficient info to identify patient and proxy.

– Define scope and warn patient of proxy rights.

– Signed by patient.

Page 93

Train Staff

• Flag or exclude records that should not be accessed via portal.

• Review portal communications in a timely manner.

• Consider sending an unsecure e-mail advising the patient that a message is waiting for them (the alert itself should contain no PHI).

• Do not rely on the portal alone to communicate important info.

– Patients may not pick it up.

– Communicate separately by:

• Phone or letter.

• Unsecure e-mail or text, if the patient has agreed and the communication otherwise complies with HIPAA requirements.


Page 94

Train Staff

• Do not use e-mail to establish a patient-provider relationship.

• Beware state telemedicine rules.

– Portal may trigger state limits on telemedicine, e.g.,

• Require in-person evaluations to prescribe medication or engage in certain other actions.

• Require specified consents.

– May cross state lines and result in unauthorized practice in the other state.

• Ensure you comply with applicable standard of care.

• See AMA Guidelines for e-communication.


Page 95

Train Staff

• Portal may increase the patient’s exercise of HIPAA rights:

– Request to access records.

• See OCR Guidance re patient’s right to access information at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/.

• Must provide records in the requested format if reasonable.

– Request amendment of records.

– Accounting of disclosures.

• HITECH allows the patient to get a report of certain disclosures.

• Proposed rule would allow the patient to get a report of access for treatment, payment and operations.

• Watch for final rule.

(45 CFR 164.522 to .528)

Page 96


The TCPA in the Health Care Context

Page 97


Telephone Consumer Protection Act of 1991 (TCPA)

• Enacted by Congress in 1991 to protect consumers by placing limitations on telemarketing “calls”.

• Distinction between residential and wireless calls.

• Also applies to all text messaging.

• FCC issues Declaratory Rulings (DR) that shed light on the TCPA.

• The July 10, 2015 DR responds to 21 petitions seeking clarification under the TCPA.

Page 98


Residential Lines & Consent

• Residential lines

• Restriction on use of an artificial/prerecorded voice to deliver a message

• Unless prior express written consent is obtained

• Exemptions from consent:

• Emergencies

• Noncommercial purpose

• Commercial purpose but not telemarketing (no advertisement)

• Delivery of a health care message by or on behalf of a CE or BA

• Message by or on behalf of a tax-exempt NFP

Page 99


Wireless Numbers & Consent

• Contacting wireless numbers

• More restrictive than residential lines

• Wireless (e.g., cellphone; any service that charges a party for a call)

• Prohibitions:

• On use of an automatic telephone dialing system/artificial or prerecorded voice to initiate calls:

• Advertisements and Telemarketing

• Express, written consent required

• Express consent oral or written if not for advertising or telemarketing

Page 100


July 10, 2015 DR

• TCPA applies to calls and to all forms of text messages.

• Text messaging is treated as a “call,” not as e-mail.

• Internet-to-phone text messaging is treated the same as phone-to-phone texting.

• TCPA and the CAN-SPAM Act both apply to unsolicited messages.

• Limited exception for health care calls (calls that are subject to HIPAA).

Page 101


TCPA’s Healthcare Call Exception

• Prior express consent is achieved by

• Giving a health care provider your number

• Only “health care” messages from a provider

• Health care as defined under HIPAA

• Use - “within the scope of the consent given”

• Closely related to purpose for which the number was provided

• Providers should consider:

• Does the call meet HIPAA’s definition of health care?

• Is the call within the scope of the consent?

Page 102


TCPA’s Healthcare Call Exception

• Express Consent (Period of Incapacity)

• Exception applies if a person is incapacitated and a third party provides prior express consent for health care calls

• Non-Telemarketing Healthcare Calls Exemption

• Calls or text messages that are free to the end user (no charge to the consumer) are exempt from the prior express consent requirement

• Calls must be exigent and have a health care treatment purpose (e.g., appointments)

• Applies to calls subject to HIPAA (Privacy Rule)

Page 103


TCPA’s Healthcare Call Exception

• Several conditions for the non-telemarketing health care calls exemption include:

• Voice calls/text message - only to a patient who provides wireless number

• Voice calls/text messages – include name/contact info. of provider

• Voice calls/text messages - limited in purpose

• No telemarketing, solicitation, advertising or financial purpose (billing, debt collection, accounting)

• Must comply with HIPAA

• Opting-out must be available and be honored

Page 104


Kim C. Stanger

[email protected]

(208) 383-3913

Ryan P. Blaney

[email protected]

(202) 463-2528