Medical offices have powerful new tools available to them for reaching out to their patients for purposes such as reminders and the announcement of new services, and to describe products and services that patients could be interested in. Texting and e-mail offer new opportunities for communication that patients are coming to expect and providers are eager to use. However, there are limitations on the use of protected health information (PHI) for continuation of care versus marketing purposes, and limitations under other laws such as the Telephone Consumer Protection Act of 1991 (TCPA), the CAN-SPAM Act that limit contacting patients on their cell phones, via texts, or email.
There are times when it is useful and/or important to share health information. However, it is also important to protect the identity of the individuals whose information is involved. Such circumstances call for de-identification of PHI, which is not an easy process. Sometimes, for research purposes, a partially de-identified Limited Data Set may be needed. De-identification must be considered carefully, especially since HIPAA requirements for de-identification do not allow the use of patient initials to “de-identify” information.
HIPAA has been a law for more than twenty years now, and the rules in place call for extensive policies and procedures to ensure compliance with the HIPAA Security Rule. However, not all entities have done the work necessary to conduct an accurate and thorough assessment of the risks to the security of PHI, and to develop and implement their security policies and procedures. Even if they have all the best practices in place, entities must have the supporting policies and procedures to ensure consistency in service and compliance with the law, and they need to be aware of the risks they face and be ready to respond to changes in the risk landscape.
This HIPAA virtual boot camp with HIPAA compliance consultant Jim Sheldon-Dean will focus on these three areas of HIPAA compliance that all healthcare entities must address today or face serious consequences.
Session 1: 2018 HIPAA Issues in Patient Communications: Texting, E-mail, Reminders, and Marketing Done the Right Way
Length: 90 Minutes
There are many ways to go wrong when it comes to patient communications, and marketing using texting and e-mails is full of opportunities for missteps. Therefore, it is important to know what the limitations and requirements are before you start.
This session will focus on reaching out to patients to provide them with information about products and services you provide. You will understand how such communications may be conducted, depending on the relationship and the information.
The session will further explain how to understand which regulations may affect certain communications. It will cover the steps that should be taken to ensure that communications do not run afoul of the many laws limiting such communication, as you explore new ways to communicate with your patients in 2018.
The ways in which patients want to use their e-mail and texting to communicate with providers
The ways in which providers want to use e-mail and texting to reach out to their patients and enable better patient care
The risks of using e-mail and texting: What can go wrong and what can it result in
HIPAA requirements about the use of PHI for marketing purposes
What is marketing and what is providing patient care or treatment alternatives
How the Telephone Consumer Protection Act of 1991 limits how you may reach out to patients' cell phones for various purposes, and how a simple consent can reduce the issues
How the CAN-SPAM Act limits your communications for marketing purposes
How you must respect your patients' desires to not receive unwanted e-mail
The policies and procedures you should have in place for dealing with e-mail and texting, as well as with any new technology
The steps to follow in the event of a breach of PHI
Session 2: 2018 De-Identification of Protected Health Information: Removing Identifiers of PHI is Harder than it Looks
Length: 60 Minutes
Health information is afforded all kinds of protections under HIPAA regulations but once the health information is de-identified, it is no longer protected under HIPAA and can be used or disclosed without limitation. The problem is that de-identification of PHI is harder than it looks.
Truly de-identifying information is not a simple or foolproof process. Oftentimes the context of the information or the uniqueness of information can give away the identity of the patient. If information is not properly de-identified and released inappropriately as a result, it can result in fines and corrective action plans that can reach into millions of dollars. The right process needs to be followed to ensure that data that is shared is shared appropriately. With increasing demands for sharing information in 2018, it is essential to understand how to do so correctly, and within the regulations.
This session will review guidance from the HHS Office for Civil Rights (OCR) and from the National Institute of Standards and Technology (NIST) about how to properly de-identify health information. It will discuss the various needs for de-identified information and typical questions covered in the guidance. It will provide a sound, defensible basis for an organization’s decisions and processes surrounding de-identification of PHI.
This session will explore the concepts and methods of de-identification and many of the typical questions that arise. You will be able to go forward with de-identification with greater confidence, and better sharing of information will be possible in 2018.
De-identification and its rationale
The de-identification standard
Preparation for de-identification
Guidance on satisfying the expert determination method
Who is an expert and how do experts assess the risk of identification of information
What are the approaches by which an expert assesses the risk that health information can be identified
What are the approaches by which an expert mitigates the risk of identification of an individual in health information
Guidance on satisfying the safe harbor method
Examples of dates that are not permitted according to the safe harbor method
What constitutes "any other unique identifying number, characteristic, or code" with respect to the safe harbor method of the Privacy Rule
What is "actual knowledge that the remaining information could be used either alone or in combination with other information to identify an individual who is a subject of the information” under the Privacy Rule
Session 3: 2018 HIPAA Security Rule Risk Analysis, Policies, and Procedures: Being Prepared and Avoiding Security Incidents
Length: 90 Minutes
The HIPAA Security Rule has some basic requirements for risk analysis and risk management, but also includes numerous physical, technical, and administrative safeguards that must be addressed in policy and procedure. Tackling these requirements individually can result in dozens of new policies.
This session will focus on the conduct of an information security risk analysis, as required under the HIPAA Security Rule, and development and implementation of the necessary policies and procedures for HIPAA Security Rule compliance. It will explore the suggested ways a risk analysis may be conducted, and the tools that may be used.
The session will identify the requirements to have policies and procedures. The session will identify typical policy language for 2018, with an emphasis on the need to customize and the right sized polices for each organization. Having policies that are too complex and over-specific can doom compliance just as well as having policies that are too simple and unspecific. In addition, the session will discuss Privacy Rule topics relating to the management of your HIPAA compliance, such as documentation and training.
The session will explore how to simplify your policies and procedures by combining them where it makes sense to, putting similar requirements and activities together, and making it easier for managers and staff to find and use the right policies and procedures. Issues with HIPAA business associates have also been growing; this session will help you be prepared to address issues before they become problems in 2018. Further, it will discuss the requirements and the issues involved with HIPAA security risk analysis, policies, and procedures. It will also define the path entities can follow to bring their compliance up to the level at which it should be today.
What the HIPAA Security Rule requires
What a HIPAA security risk analysis is, how you can conduct one, and what you can learn from it
What a good risk analysis is and what is not
Risk analysis tools and methods
Essential policies and procedures for HIPAA Security Rule compliance
Finding and filling any gaps in your policies and procedures
The difference between policies and procedures, and what belongs in each
The importance of comparing your policies and procedures to your actual practices and making the necessary adjustments to synchronize them
Planning the continuing management of your risks
Planning your next reviews and your information security management process
How to consider new information security risks and what can cause them
Personnel involved in, interested in, or responsible for patient communications, information management, and privacy and security of protected health information under HIPAA, including:
Information systems managers
Chief information officers
Health information managers
Personnel in health information management, information security, and patient relations:
Privacy and security officers
Leadership and staff
Staff in patient intake and front-line patient relations
About Our Speaker
Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. Jim is a frequent speaker regarding HIPAA, which includes speaking engagements...