Appointment Reminders

Reminding patients of their scheduled appointments with your practice is critical to ensuring appropriate follow-up care for the patient, as well as to limiting missed appointments, which are costly to a practice in many ways.

Appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization. However, a practice must include a statement in its Notice of Privacy Practices if it intends to provide appointment reminders.

Notice of Privacy Practices – We recommend adding a simple statement in your Notice of Privacy Practices, such as “we will contact you by phone or other means to remind you of appointments”.

It is also recommended that you have the patient identify a “preferred method of communication” for such information as appointment reminders.  This can be accomplished on a demographic form where the patient can fill in a phone number, cell number, or email address that you can use to call, text, or email them.  The patient should be able to fill in their preferred contact information (they write their number or email address) and indicate the method of communication (phone call, text message, email).  Your form should also provide a checkbox for the patient to opt out of electronic communications.

We are often asked whether postcard appointment reminders are permitted, and they are. However, if a patient submits a request to receive appointment reminders in a closed envelope instead of a postcard, or through some other means altogether, their request should be accommodated.

Placing a statement in your Notice of Privacy Practices and also having the patient write down their preferred method of communication will provide your practice with a clear understanding of how to best communicate with the patient.

Note that your practice should limit the information in appointment reminders to confirming the date and time of an appointment and, if necessary, the location. More sensitive information, such as the reason for the appointment, a diagnosis, or other treatment-related information, should be communicated in a more secure manner (e.g., through a secure patient portal system).

Posting Patient Photos

In 2014, the Office for Civil Rights addressed the issue of posting patient photos in a medical or dental practice (most commonly of pediatric and orthodontic patients). In an article dated August 9, 2014, the New York Times quoted Rachel Seeger, from the Office for Civil Rights of the Department of Health and Human Services, as saying “A patient’s photograph that identifies him/her cannot be posted in public areas” unless there is “specific authorization from the patient or personal representative.” Under HIPAA’s Privacy Rule, sharing identifiable information without an authorization from the patient (or the patient’s parent, in the case of a minor) is a violation.

Rarely, if ever, does a parent know to include an authorization with a photo submission. It seemed to make perfect sense that submission of a patient photo was, by default, an authorization for its posting. However, since the OCR has specifically addressed the issue, we don’t recommend posting photos without a proper authorization form in place.

If your practice does not have the time or resources to track down authorizations for photos sent in by families, you are permitted to post photos in a private staff area, as workforce members are permitted to view patient information and are responsible for keeping it confidential under HIPAA regulations. Other practices may choose to circulate photos among staff before filing them in the patient's chart or shredding them. However, if it has become an important custom in your practice to share patient photos, such as by posting them in the waiting area, you may use the following language and required elements to develop an appropriate authorization form.

  1. Include a space for the patient or personal representative to record the patient name, and an identifier, such as date of birth.
  2. Include the name of the practice, under a heading “Entity Requested to Release Information.”
  3. Purpose of Request/Entity Authorized to Receive Information – “I authorize the entity identified above to disclose the protected health information described below to the following individual(s):

    • Patients and visitors to the practice.”
  4. Description of Information to Be Disclosed – “I authorize the practice to disclose the following protected health information to the entity, person or persons identified above.

    • Images of myself, my children, and/or other family members as provided by myself, or my personal representative.”
  5. Purpose of Disclosure:

    • “By submitting these images, I hereby grant full permission to the practice to use them in print publications, video and multimedia presentations, websites and/or for any purpose which may include, but not be limited to display, public relations, marketing or designs.”
  6. Required Statements:

    Include an expiration date or meaningful event when the authorization will expire, a statement regarding the patient/personal representative’s right to terminate the authorization, a non-conditioning statement, a re-disclosure statement, and a statement of the patient/personal representative’s right to receive a copy of the authorization upon request. All of these statements are required on any HIPAA authorization form. Simply copy the required statements from your practice’s other authorization forms.

  7. Include a signature and date line.

Subscribers to the HIPAA Compliance System may access a photo release authorization form (Form 7.31 Limited Patient Authorization for Disclosure of PHI/Photo Release) in the Member Services area of our website (on the HIPAA Compliance System materials page, under the HIPAA Forms heading). The form is in a word processing format so that it can be easily customized to the needs of your practice.

Cyber Extortion

According to the Office for Civil Rights (OCR), incidents of cyber extortion have risen over the past few years and are projected to be a major source of digital disruption in the future. Cyber extortion is defined as a crime involving an attack or threat of attack, coupled with a demand for money to stop it. In addition to ransomware attacks, where cyber criminals encrypt your data and demand a ransom to restore your access to it, cyber extortion includes threats to make stolen information public, or to delete files altogether.

It is important to realize that even the smallest practices have been targeted, because patient information is valuable and smaller organizations are sometimes more lax in securing their information systems. Please consider the following recommendations in order to limit your liability exposure:

Security Risk Analysis (SRA) – Ensure that you perform a complete review of your HIPAA Security Rule policies and procedures on an annual basis. Remember that an SRA involves verifying that you have implemented policies and procedures to limit risk to your electronic protected health information (EPHI). Current subscribers to Eagle’s HIPAA Compliance System have a complete SRA tool to meet this annual requirement.

Technical Network Assessment (TNA) – A TNA involves a diagnostic evaluation of your information system to look for open unsecured ports, devices missing security patch updates, enabled User IDs that should have been terminated, and more. Documentation from a TNA works in concert with an SRA and provides strong evidence that you are applying reasonable safeguards to limit risks to patient information.

Workforce Privacy and Security Training – Privacy and security awareness is critical to the front-line defense of your information system. Eagle provides privacy and security training in the April and May issues of the Advisor® to help with this task. Eagle also provides “Compliance Notes” (a monthly one-page article in the Advisor®) to remind staff about privacy and security issues. Train staff to identify suspicious emails and messaging scams that could lead to malicious software infecting your information system.

Anti-virus or anti-malware systems – Ensure that you have a strong firewall and anti-virus applications that can scan your information system and provide alerts when suspicious activity occurs.  The keys are to implement such applications and monitor the alerts so that immediate corrective actions can be taken.

Data backups – Your data backup procedures should ensure that backup data is encrypted and disconnected from your local server/network (having the data physically taken off site each night or backed up to a secure remote server). Having the backup data stored off site, and disconnected from the network, will be critical to your recovery in the event of a disaster or a ransomware attack.

Audit Logs – While most EMR and operating systems have robust audit logs, they need to be periodically reviewed for unusual or suspicious activity. Create a schedule for reviewing activity reports on at least a monthly basis.
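As an added illustration that is not part of the original article, the following Python script shows the kind of checks a monthly EMR audit-log review can automate, and it also covers the TNA point about user IDs that should have been terminated. The log format, user IDs, business hours and chart-count threshold are all constructed assumptions, not any real EMR's format or values.

```python
# Added example (not from the original article): a minimal monthly audit-log
# review for an EMR access log. The log format, field names, user IDs and
# thresholds below are constructed/assumed for illustration only.
from collections import defaultdict
from datetime import datetime

# Constructed sample of EMR audit records: timestamp, user ID, patient ID, action.
SAMPLE_LOG = """\
2024-03-04 09:12:00,jsmith,P1001,VIEW
2024-03-04 09:15:30,jsmith,P1002,VIEW
2024-03-04 23:40:10,rjones,P1003,VIEW
2024-03-05 10:02:00,tlee,P1004,PRINT
2024-03-05 10:05:00,tlee,P1005,VIEW
2024-03-05 10:06:00,tlee,P1006,VIEW
2024-03-05 10:07:00,tlee,P1007,VIEW
2024-03-05 10:08:00,tlee,P1008,VIEW
2024-03-06 14:30:00,mbrown,P1009,VIEW
"""

# Assumed inputs: former staff whose access should already have been removed,
# the practice's business hours, and how many distinct charts per user per day
# is considered unusual for this practice.
TERMINATED_USERS = {"mbrown"}
BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00
DISTINCT_CHART_LIMIT = 4

def parse_log(text):
    """Parse the constructed CSV-style records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "patient": patient, "action": action})
    return records

def review_audit_log(text, terminated=TERMINATED_USERS,
                     hours=BUSINESS_HOURS, chart_limit=DISTINCT_CHART_LIMIT):
    """Return a list of (rule, user, detail) findings for the reviewer to follow up."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for rec in parse_log(text):
        if rec["user"] in terminated:          # stale User ID still in use
            findings.append(("terminated-user-access", rec["user"], rec["ts"].isoformat()))
        if not hours[0] <= rec["ts"].hour < hours[1]:   # access outside business hours
            findings.append(("after-hours-access", rec["user"], rec["ts"].isoformat()))
        charts_per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient"])
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > chart_limit:          # unusually broad chart access in one day
            findings.append(("high-chart-volume", user, f"{day}: {len(charts)} charts"))
    return findings

if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{rule:24} {user:10} {detail}")
```

Each finding is a prompt for a human reviewer to check against the schedule, the HR termination list and the patient's care relationship, not a conclusion on its own.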

Threats to your information system and the patient data that you store will not diminish in the future; they will likely intensify. Take steps now to ensure your EPHI is protected from known threats by completing a security risk analysis and a technical network assessment. These evaluations will help you improve the security of your practice’s information system and reduce your liability.

HIPAA Privacy and the Opioid Crisis

The Office for Civil Rights has issued new guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose.

The following information explains how a practice can share patient information (without patient authorization) with family members or designated friends during certain crisis situations, such as an opioid overdose.

  1. Sharing health information with family and close friends who are involved in the care of the patient, if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family member's or friend’s involvement in the patient’s healthcare or payment for care. For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  2. Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.

For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider is not permitted to share health information about a patient who currently has the capacity to make his or her own health care decisions and objects to sharing the information (generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above.

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law.  If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.

For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.  If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

HIPAA gives a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, and under state law a personal representative designation generally authorizes that person to make healthcare decisions for the patient. However, there may be conflicts with existing state laws regarding information related to substance abuse treatment. If a state’s law is more restrictive regarding the communication of patient information (for example, state law might provide that substance abuse treatment information can only be shared with personnel involved in the treatment), then your practice should follow the requirements of the more restrictive law (in this example, state law).

HIPAA and Students

Professional Students

Many practices participate with programs or schools that provide training for students who are in the process of becoming healthcare professionals. These range from residents, interns, nurses, and medical and dental assistants to numerous other roles that will eventually result in an official or graduate title in the healthcare field. Many programs require a certain number of hours to be completed in job shadowing or clinical field observation.

General Students

Some practices also provide an opportunity for non-healthcare students (i.e., students not enrolled in an official healthcare training program) to come in and observe what happens in a practice to see if they would like to pursue a healthcare profession. Quite often, this type of observer is a late middle school or high school student. General observation involves watching staff activities without direct patient involvement (i.e., not being in exam or treatment rooms or other areas where patient treatment and conversations are occurring).

Job Shadowing

Job shadowing may involve direct or indirect exposure to protected health information (PHI), whether verbal, printed, or electronic, and possibly direct involvement in the diagnosis and treatment of a patient.

Note that the Privacy Rule allows a Covered Entity (such as a practice and its providers) to use or disclose PHI, without patient authorization if the use or disclosure is for the purpose of treatment, payment, or healthcare operations. The Privacy Rule defines healthcare operations, and includes “conducting training programs in which students, trainees, or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers, training as non-healthcare professionals, accreditation, certification, licensing, or credentialing activities.”

Additionally, professional students are defined as members of the practice’s workforce. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of a Covered Entity, whether or not they are paid by the Covered Entity. We do recommend having professional students sign a visitor confidentiality agreement. Because they are considered workforce members, they would also need to receive your new-hire HIPAA training.

Because general students are not considered to be a member of the practice’s workforce and they are not enrolled in an official healthcare training program, they would not qualify as a professional student conducting job shadowing. Note that the general student could not be considered a Business Associate of the practice because they are not providing a service for the practice and do not fit the Privacy Rule’s definition of a Business Associate. If a general student were to be exposed to PHI and/or involved in direct diagnosis and treatment of a patient, the practice would need a signed authorization from each patient that the general student would have involvement with during their observation.

Courtesy Note

The practice should make it a policy to explain to patients who the student is (professional or general), the purpose of their involvement, and ask the patient if there are any objections.  The student should leave the room if the patient objects to the involvement.

Secure Text Messaging

Due to the speed and convenience of texting, many physicians use this form of communication to consult with other providers and to exchange lab test results and other patient information. If text messaging is used to transmit or receive electronic protected health information (EPHI), it must be evaluated as part of the covered entity’s Security Risk Analysis. As with all transmissions of EPHI, safeguards must be in place to ensure the integrity and confidentiality of the data.

There are several secure messaging vendors in the marketplace that offer encrypted mobile applications that will secure messages sent to the provider’s phone, responses sent back, as well as data at rest. Data that is properly encrypted is considered “secure” by Security Rule standards.  This means that the data has been rendered unusable, unreadable or indecipherable to unauthorized persons or entities.

In addition to the threat of malware or interception of text messages, the risks posed by the theft or loss of a smartphone must also be considered.  If the EPHI stored on the device is not properly secured, the theft or loss could result in a privacy breach that would not only require notification of affected patients and the Department of Health and Human Services, but also the media if the breach were large enough.

All text messages containing EPHI, whether encrypted or not, should be managed with the following minimum safeguards:

  • Information that individually identifies a patient or a patient’s specific condition should be limited to the minimum necessary.
  • Immediate reporting of a lost or stolen device must be encouraged so that actions can be taken to secure the device remotely, and/or to provide notice to patients if the EPHI was unsecured.
  • Any EPHI that is received via text, that is used to inform a decision regarding a patient’s care, must be annotated in the patient’s medical record.
  • Text messages should be deleted on a regular basis in order to limit the amount of information stored on a device. If the information is no longer needed, storing it only increases the risk of a large privacy breach.
  • A Business Associate Agreement is necessary with any vendor that stores text messages (containing EPHI), such as wireless carriers or telecommunication vendors.

The covered entity’s Security Officer should maintain a list of all mobile devices that are used to send/receive text messages containing patient information so that he/she can ensure that the information is properly removed from the devices prior to re-use, donation or disposal.