New HIPAA Rules for Communicating with Patients by Unencrypted Email and Text Messages

 Email and text message are subject to the HIPAA Security Rule transmission standard. Changes in the Omnibus Rule in 2013 further clarified the importance of proper usage of email and text message, examples of electronic transmission media. Oftentimes used as a method to transmit PHI, electronic transmission media is an area that covered entities need to develop and implement policies and procedures to ensure HIPAA compliance. HHS states:

• Covered entities have a "Duty to Warn" individuals of the risk of unencrypted transmission and that warning is a necessary step in protecting their PHI
• Unencrypted email and text messages may be sent only if the individual consents to receive them after being warned
• Documentation of consent is required

         Through real-world examples, Paul will delve into the ways to engage patients through email and text messages, teach you how to safeguard PHI throughout electronic transmission media, and set you on the path to HIPAA compliance.

         Email and text message continue to grow with popularity amongst patients and amongst covered entities. And email and text message continue to be examples of a Breach! These methods of electronic communication are used to discuss treatment, to market and to engage the patient. And yet these methods of communication can be extremely unsafe. Interceptions, hackers, misdialed numbers can all result in stolen protected health information (PHI) and in HIPAA violations- all resulting in the loss of a patient’s privacy, maybe even identity theft and in loss of funds for the covered entity. Today health records are more valuable than credit card numbers or social security numbers on the black market. As a health care provider or covered entity, it is your responsibility to safeguard PHI. It was once understood that email and text message were deemed appropriate if the email or text message were received from the patient. Since the Omnibus Rule, this has changed. Covered entities are responsible for HIPAA requirements for all PHI in every email and text message. The email or text message address alone are PHI as defined by HIPAA - regardless of the content. HIPAA requires that every covered entity has a “duty to warn” and has the responsibility of acquiring consent and keeping proper documentation. And yet this is not being done in a compliant way. There is a HIPAA "safe harbor" or “get out of jail free” card that frees you from:

• Responsibility for unauthorized access of a patient's PHI during transmission
• Responsibility for safeguarding PHI delivered to the patient

        Don’t be the Provider or Business Associate that finds itself in serious trouble simply because you didn’t follow the HIPAA Rules for unencrypted electronic communication with patients!

• Patient Attraction Tips: Protect Patients’ Privacy and PHI, Build the Relationship
• Why is Email or Text so significant in HIPAA: Electronic Transmission Media
• Protecting PHI and ePHI in the Electronic World: Omnibus Rule
• TPCA & HIPAA: Misinterpretations and Misunderstandings
• When and when not to Email or Text: Implement Policies and Procedures
• Duty to Warn, Consent & Documentation: HIPAA Compliance
• Real World Examples: Are you Compliant or has there been a Breach?