Treading the Tricky Road of HIPAA Patient Communication
While patients increasingly use smartphones and expect to receive information by text message and email, the threat of PHI breaches and violations, together with the high risk of ransomware and other cyber attacks, hangs over HIPAA covered entities like a deadly sword. Non-compliance and violations carry a high cost, and penalties for willful neglect of the rules begin at $10,000. As new technologies for storing and sharing data become increasingly common, healthcare entities will have to create plans, policies and procedures that are robust and relevant.
In recent years there has been a dramatic increase in HIPAA enforcement actions and settlements, and new and lethal threats to the privacy and security of patient information keep being discovered. HIPAA compliance is more important than ever, and those who willfully neglect the rules may face serious legal consequences and penalties.
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
- HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
- Practical Advice: Double-check and triple-check the email address or phone number before sending, so you are positively sure it is correct. Implement a system to help ensure that the contact information you receive from the patient is authentic and verified in the first place.
- HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.
- Practical Advice: Do not use the patient’s name, initials, or medical record number in the subject line of an email.
Guidelines on the Message Content
Do not use direct patient identifiers such as:
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
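The zip code, date and age rules above are mechanical enough to be enforced in code before a message or report leaves the practice. The following Python module is an added example, not code from the original article or from any HIPAA product: it applies the Safe Harbor reductions listed above (three-digit zip prefix or 000, year-only dates, the "90 or older" age bucket, and dropping a birth year that would reveal an age over 89) and adds a subject-line check for the identifiers the article says to keep out of email subjects (patient name, initials, medical record number). The population table, patient records and medical record number are constructed sample values, not Census data or real PHI; a production version would load the current Bureau of the Census population table.

```python
"""Safe Harbor field reductions and an outbound subject-line check.

Added example, not from the original article or any HIPAA tool. The
population table and patient data below are constructed sample values.
"""
import re
from datetime import date
from typing import Dict, List, Optional

POPULATION_THRESHOLD = 20_000   # 3-digit ZIP units at or below this become 000
AGE_CEILING = 89                # ages over 89 collapse into one bucket

# Constructed sample population per 3-digit ZIP prefix (not Census data).
# Production code would load the current Bureau of the Census table.
ZIP3_POPULATION: Dict[str, int] = {
    "021": 950_000,   # populous prefix (constructed)
    "036": 15_000,    # sparsely populated prefix (constructed)
}


def safe_harbor_zip(zip_code: str, population: Dict[str, int] = ZIP3_POPULATION) -> str:
    """Keep the first three ZIP digits only when that geographic unit has
    more than 20,000 people; otherwise (or if unknown) return '000'."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    # An unknown prefix is treated as small so the check fails closed.
    return prefix if population.get(prefix, 0) > POPULATION_THRESHOLD else "000"


def _age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_age(age: int) -> str:
    """Exact age up to 89; everything above is reported as one category."""
    return "90 or older" if age > AGE_CEILING else str(age)


def safe_harbor_year(d: date) -> str:
    """Dates directly related to an individual keep only their year."""
    return str(d.year)


def safe_harbor_birth_year(birth: date, as_of: date) -> Optional[str]:
    """A birth year reveals age, so it is dropped entirely for patients over 89."""
    return None if _age_on(birth, as_of) > AGE_CEILING else str(birth.year)


def deidentify_record(record: Dict[str, str], as_of_iso: str) -> Dict[str, Optional[str]]:
    """Apply the reductions above to a record with ISO-formatted dates."""
    as_of = date.fromisoformat(as_of_iso)
    birth = date.fromisoformat(record["birth_date"])
    return {
        "zip": safe_harbor_zip(record["zip"]),
        "birth_year": safe_harbor_birth_year(birth, as_of),
        "admission_year": safe_harbor_year(date.fromisoformat(record["admission_date"])),
        "age": safe_harbor_age(_age_on(birth, as_of)),
    }


def subject_identifier_hits(subject: str, patient: Dict[str, str]) -> List[str]:
    """Report which of the identifiers the article bars from email subject
    lines (patient name, initials, medical record number) appear in subject."""
    hits = []
    first, last = patient["first_name"], patient["last_name"]
    name_pat = rf"\b({re.escape(first)}|{re.escape(last)})\b"
    if re.search(name_pat, subject, re.IGNORECASE):
        hits.append("name")
    # Matches initials written as JD, J.D., J. D. and similar variants.
    initials_pat = rf"\b{re.escape(first[0])}\.?\s?{re.escape(last[0])}\.?(?=\s|$)"
    if re.search(initials_pat, subject, re.IGNORECASE):
        hits.append("initials")
    if re.search(rf"\b{re.escape(patient['mrn'])}\b", subject):
        hits.append("mrn")
    return hits


if __name__ == "__main__":
    # Constructed sample patient; the MRN is a made-up value.
    sample = {"zip": "02134", "birth_date": "1932-05-10", "admission_date": "2023-11-02"}
    print(deidentify_record(sample, "2024-01-15"))
    patient = {"first_name": "John", "last_name": "Doe", "mrn": "48213977"}
    print(subject_identifier_hits("Re: J.D. lab results", patient))
```

The zip check fails closed: a prefix missing from the population table is reduced to 000 rather than passed through, which is the safer default when the table is stale or incomplete. The subject-line check is deliberately simple and will flag some innocent text (a patient whose initials spell a common word), which is the right trade-off for an outbound control that only asks a sender to rewrite a subject.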
Additional Best Practices
Our fundamental understanding of the HIPAA law is to always keep the patient first. Once you have achieved this, leveraging technology to enhance the patient experience should be a walk in the park. For more on patient communication and applying the HIPAA law to your healthcare practice, join this year’s biggest HIPAA compliance training event, VBC.