The 21st Century represents a generation that’s savvy and highly reliant on technology. In this digital health era, mobile apps, text messages, and e-mail have become a part of the health sector. The era has brought with it opportunities for better patient engagement and communication with the covered entities (CEs). CEs include healthcare providers, health plans, and healthcare clearinghouses.
Despite the potential benefits, the health providers risk contravening the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule concerning the sending of electronic Protected Health Information (ePHI) through these channels. A breach of the Privacy Rule entails unauthorized access, acquisition, use, and disclosure of PHI. It compromises the privacy and the security of the patient health information.
Breaking down the HIPAA Privacy Rule
Under the HIPAA security rule, covered entities (CE) have to establish 3 types of safeguards to secure electronic patient health information (ePHI):
Administrative – these are actions, policies, and procedures adopted by the administration that define how a covered entity (CE) implements the security measures.
Physical – these are safeguards that restrict access to the workstations for unauthorized individuals to maintain the integrity of the ePHI and ensure zero breaches.
Patient – CEs have to incorporate specific technology measures or safeguards aimed at securing the ePHI. They include the access control whereby each user has a unique ID. Besides, these safeguards seek to ensure that the technology in use protects the sanctity of the information relayed from unauthorized alteration or even destruction.
Organizational Requirements beyond HIPAA Privacy Rule Safeguards
Aside from the safeguards it spells out, the Privacy Rule defines additional requirements for CEs. They must:
- Institute reasonable and reliable policies and procedures that show their willingness to obey the security rule
- Keep all the records safely in writing concerning actions, assessments, and activities per the privacy rule
- Establish business associate agreements
- Maintain all the documents for a duration not less than 6 months
Email, Text Messages and Mobile Apps in Patient Engagement
ePHI is rather sensitive. In light of that, the HIPAA Privacy Rule requires organizations and the various entities to establish the advantages and risks before adopting the various communication mediums. After that, they have to design tactics to mitigate the risks associated with each channel of engagement.
HIPAA Security Rule Doesn’t Prohibit CEs from Transmitting Unencrypted ePHI
Under HIPAA, there are no outright regulations that prohibit CEs from sending unencrypted ePHI. However, by encrypting the electronic health information, the CEs are immune from the sanctions by HIPAA in the event of a breach. Where a CE sends unencrypted PHI in the form of text messages or e-mail, it has to ensure that the necessary ‘reasonable and appropriate’ safeguards are in place and document the adoption of an ‘alternative measure.’
Health and Human Services Has Offered Limited Guidance on Alternative Measures
One problem that CEs face is that Health and Human Services has failed to offer sufficient support. It has not provided or advised on the ideal safeguards when transmitting ePHI using the ‘equivalent alternative measures’ such as e-mails, text messages, and mobile apps. The only guidance is the one that was issued prior to the 2013 HIPAA Security Rule. It states that a CE will not be in violation of the privacy rule if it advises the individuals of the security risks involved before sending ePHI via email.
1. Mobile Apps
However, mobile apps also feature some downsides, the key being low or zero adoption by non-smartphone users. What’s more, the CEs have to conduct their due diligence to establish how well the app vendors understand the HIPAA privacy rules.
2. Email
Email presents several advantages when it comes to the transmission of ePHI. It’s easy to implement since all that the patient needs is an email account. Besides, email makes it simple for CEs to upload the information to the electronic health records (EHRs). What’s more, email allows the various organizations to encrypt the content before the transmission.
In case the CEs decide to encrypt, the patients or the plan members have to have a specific program to decode the messages. Where the message is unencrypted, the patient does not require any programs to read the messages.
While it’s possible to encrypt the message, using email doesn’t come without risks. Since copies of emails are retained by email services, there is still a possibility, however minute, for the contents to get compromised. What’s more, a malicious party can change or even divert the email, thereby calling into question the integrity of the information. Even more, where the organization insists on encrypting the contents of the email, the chances are that not many recipients will adopt it, as it requires installing a program first.
Fortunately, the various entities can combat the risks involved by obtaining consent for the encryption of the messages, confirming the IDs of the individuals and educating them about the risks involved beforehand. Besides, CEs can limit the amount of information shared via email. For instance, the subject lines should never contain the names, initials or the medical records of the patient.
3. Text Messages
As an alternative measure, text messaging provides significant convenience when communicating with patients, and supports behavior change and boosted outcomes. Although HIPAA doesn’t prohibit the patients and healthcare providers from texting, the covered entities have to mitigate risks by transmitting the ePHI in the encrypted form and also integrating the necessary privacy measures.
Text messaging offers advantages over mobile apps and email. For instance, the medium makes it possible to reach all the demographics. By this we mean, texting has a high open and response rate since everyone from the millennials to the elderly can access it at any time. In fact, research conducted in 2015 by Pew Research Center reveals that 92 percent of Americans have access to either a cell phone or smartphone.
What’s more, since text messaging is possible on the sophisticated smartphone and the most basic cellphone, it’s guaranteed to reach everyone. Also, texting is more secure since it’s not prone to cyber threats. That’s because the text message can be read only on the device assigned the wireless number. Besides, the organizations can implement security measures just like those used in emails. This is depicted in the image below:
Image Source: Pew Research Center
However, although it renders the patient engagement easier, texting still has its challenges. Under The Telephone Consumer Protection Act, the Federal Communications Commission has regulations about text messaging. The regulations require that the organizations seek the consent of the recipient before transmitting any messages. Besides, the SMS has to be closely related to the purpose for which the recipient gave the number to the CE.
Striking a Balance between the Advantages and the Risks
It’s evident that the HIPAA Privacy Rule has complicated the adoption of email, text messages and mobile apps. Fortunately, the advantages trump the difficulties that come with compliance and implementation. The use of alternative measures has boosted customer engagement and satisfaction while at the same time cutting the cost of relaying information.
Health plans and providers who survive the HIPAA strict compliance regulations have three common characteristics:
- Compliant culture
- Clear governance structure
- Excellent ability to handle vendor relationships
Employee Training for Online Platform Usage
Increased patient engagement offers many advantages. When incorporated with comprehensive training for online platform usage related to compliance, and a reliable HIPAA Compliant Medical Transcription Service, healthcare providers can reap significant benefits.
Modern healthcare organizations are aware of the many benefits made possible through savvy online platform usage. Organizations can share information and experiences with the public that can create a more personable image. Social media, for example, can also offer an opportunity to address concerns of patients and other important parties in a way that was not possible before. Ultimately, strategic social media usage on the part of a medical organization can help to expand business in new ways. Of course, there are also very real risks that social media presents, particularly when it comes to potential HIPAA violations. It only takes one slip up to violate regulations, and slip-ups are surprisingly easy when sharing online through social media and medical blogs.
Employees may feel freer to discuss patient information when posting online than they would in the workplace. They may assume that if they delete the information, it goes away, which is not necessarily true. They may even find that they have accidentally shared patient information without realizing it. A picture with friends or a picture of a great meal that includes patient documents, even accidentally, can still be considered a HIPAA violation. Most current training regarding HIPAA violations is focused on possible violations in everyday life, like at work, during lunch or in other situations that are quite common. But the current training does not account for new ways of socializing that have become incredibly popular in recent years. For organizations to protect themselves and their employees, it is a necessity to update training to include social media, medical blogs and any other type of online posting. Such training will not necessarily prevent every violation, but it will make them much less likely.
Undoubtedly, the adoption of alternative measures heightens patient engagement. If CEs are to reap the benefits of email, text messages, mobile apps and online platform usage in healthcare, they have to move with technology. The emerging technology holds tremendous opportunities that the health plans and healthcare providers appreciate.