
FAQ: What Medical Practices Need to Know About Communicating with Patients by Phone and Text | Ward and Smith, PA

Every day, doctors, medical managers and administrators are calling their trusted lawyers with a “quick question” about the legality of a new approach aimed at ensuring patients show up for appointments on time.

Part I of this three-part series answers many of the most frequently asked questions.

About leaving messages at home

Q: Can healthcare workers leave messages on patients’ home answering machines or with a family member to remind them of appointments?

A: Basically: Yes.

The HIPAA Privacy Rule allows health care providers to communicate with patients about their health care. This includes communicating with patients in their homes—whether by mail, telephone, or other means. In addition, the Privacy Rule does not prohibit covered entities from leaving messages for patients on their answering machines.

  • However, to properly protect an individual’s privacy, a healthcare provider should take care to limit the amount of information disclosed on an answering machine.
  • For example, a healthcare provider may consider leaving only the provider's name, phone number, and the information needed to confirm the appointment, or simply ask the patient to call back.

A health care provider may also leave a message with a family member or other person who answers the phone when the patient is not at home. The Privacy Rule allows health care providers to disclose limited information to family members, friends, or others involved in a person's care, even when the patient is not present.

  • However, covered entities should use professional judgment to ensure that such disclosures are in the best interest of the patient and to limit the information disclosed to that which the individual needs to know.

But remember this exception: In situations where a patient has asked a healthcare provider to communicate with them in a confidential manner, such as by alternative means or in an alternative location, the healthcare provider must accommodate that request if reasonable.

  • For example, HHS believes that a request to receive communications from a health care provider in a sealed envelope rather than by postcard is reasonable and should be honored.
  • Similarly, requests to receive mail from a health care provider at a mailbox rather than at home, or to answer calls at an office rather than at home, are also considered reasonable requests unless there are extenuating circumstances.

About using mobile phones

Q: Does a healthcare professional's use of a cell phone to exchange PHI trigger HIPAA security implications?

A: Yes.

The HIPAA Security Regulations establish national standards designed to protect individuals' electronic protected health information ("ePHI") that is "created, received, used, or maintained by a covered entity." Mobile devices pose an unauthorized-disclosure risk because they keep a local copy of the data they handle, either in the device's on-board memory or on a SIM card or removable memory card. A mobile device used to exchange ePHI therefore carries a stored record of that ePHI with it wherever the device goes.

Using mobile devices to access ePHI poses a number of risks to healthcare providers:

  • Authentication – Many mobile device users never set a passcode or enable biometric unlock. Without authentication, anyone who picks up the device can read the ePHI stored on it.
  • Encryption – Data stored on personal mobile devices is not necessarily encrypted, and on devices that do encrypt their storage the protection generally depends on a passcode being set. Unencrypted ePHI on a lost, stolen or shared device can be copied and read by anyone with physical access to it.
  • Wi-Fi connection – Mobile devices that send and receive ePHI over public Wi-Fi or other untrusted networks expose it to interception. Unless the connection to the remote service is itself encrypted (an HTTPS site) or the device tunnels its traffic through a VPN ("virtual private network") that encrypts data to and from the device, ePHI in transit is at risk.

The HIPAA Security Rule allows health care providers to communicate electronically with patients, such as via email, but the law requires covered entities to “use reasonable safeguards when doing so.” Importantly, the Security Rule “requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Administrative security: Administrative safeguards “provide a governance, accountability, and oversight structure for covered entities to ensure that appropriate safeguards, policies, and procedures are in place” to protect ePHI.

Administrative safeguards include, but are not limited to:

  • Conducting periodic risk assessments related to the use of mobile devices, including assessing whether personally owned mobile devices are being used to exchange ePHI and whether appropriate authentication, encryption and physical safeguards are in place to secure those exchanges;
  • Establishing an electronic process that ensures ePHI is not destroyed or altered by an unauthorized third party;
  • Establishing processes and procedures to protect ePHI in the mobile device environment, including encryption requirements and breach-response protocols for mobile devices, among other things; and
  • Training physicians on the processes and procedures to follow when using mobile devices to access ePHI, and educating them on the risks of data breaches, HIPAA violations, and monetary penalties.

Physical security: It is important to ensure physical security safeguards are in place to protect ePHI stored and exchanged via mobile devices.

Typical steps healthcare providers take to secure mobile devices include:

  • Maintaining a record of personal mobile devices used by healthcare professionals to access and transmit ePHI;
  • Storing mobile devices in locked offices or cabinets;
  • Installing radio frequency identification ("RFID") tags on mobile devices to help locate a lost or stolen device; and
  • Using remote lock and wipe tools so that a lost or stolen device can be locked or erased before its data is exposed.

Technical security: Technical security measures are “automated processes for protecting data and controlling access to data.”

Examples of technical security measures for mobile devices include:

  • Installing and regularly updating antivirus (anti-malware) software on mobile devices;
  • Installing firewalls where appropriate;
  • Applying encryption to ePHI and its associated metadata;
  • Installing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy and continued access to electronic health information;
  • Implementing biometric authentication tools to verify that the person using the mobile device is authorized to access ePHI; and
  • Ensuring that mobile devices communicate over Hypertext Transfer Protocol Secure ("HTTPS"), the same encrypted protocol used for banking and financial transactions, which both encrypts the connection and authenticates the identity of the web server.

Parts 2 and 3 of this series will answer frequently asked questions about communicating with patients by phone and text messaging.

This is part of our July series: "Rights, Obligations and Regulations".