I get asked all the time if we are “HIPAA Compliant” and honestly I have no idea! OK, I’m only kidding. Of course I know if we are HIPAA compliant, and we ARE, but most people probably either don’t know what HIPAA compliance is or don’t know how it relates to sending automated appointment reminders.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The act was passed by Congress in 1996 and, broadly, does the following:
· Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
· Reduces health care fraud and abuse
· Mandates industry-wide standards for health care information on electronic billing and other processes
· Requires the protection and confidential handling of protected health information
The bullet point most people are concerned about, and probably the most important one, is the last: “the protection and confidential handling of protected health information”. This matters to any business that handles PHI (Protected Health Information). The fines and repercussions of mishandling PHI can be devastating to a company, especially a small business.
So get to the point! Are appointment reminders HIPAA Compliant? The short answer is “Yes”. According to the US Department of Health and Human Services…
“…appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization.” (http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses)
The long answer is a bit more complicated. The HIPAA Safeguards Principle states the following:
“Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.” (http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf)
I take this to more or less mean “use common sense when handling PHI”. The safeguards document cited above makes the following statements regarding email transmissions to patients:
“…certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.”
So if we translate that into “use common sense when sending appointment reminders”, some of the important considerations are as follows:
· Only include basic information in the reminder, such as the appointment date and time and maybe the doctor’s name. Never include information such as diagnoses, test results, or the reason for the appointment. In many cases, especially mental health, you should never state the type of appointment, as in “…you have a mental health therapy appointment on…”.
· Send the reminders in the patient’s preferred outreach method: call, text message, or email.
· Allow the patient to easily opt-out of the reminders.
· Ensure your data integrity in regard to names, phone numbers, and email addresses.
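The four guidelines above can be enforced in code rather than by convention. The following is an added example (not code from AppointmentReminders.com or any provider): the reminder template only ever sees the minimal fields, sensitive appointment fields are checked against the final text, opted-out patients are skipped, and the contact address for the preferred channel is validated before anything is sent. The patient and appointment records are constructed sample data with placeholder values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Patient:
    name: str
    preferred_channel: str            # "call", "sms" or "email" (patient's chosen outreach method)
    phone: Optional[str] = None
    email: Optional[str] = None
    opted_out: bool = False           # honour opt-out before building anything

@dataclass
class Appointment:
    date: str
    time: str
    provider: str
    visit_type: Optional[str] = None  # sensitive: must never appear in a reminder
    reason: Optional[str] = None      # sensitive: must never appear in a reminder

# Only these appointment fields may be interpolated into a reminder (minimum necessary).
ALLOWED_FIELDS = ("date", "time", "provider")
DEFAULT_TEMPLATE = "Reminder: you have an appointment on {date} at {time} with {provider}. Reply STOP to opt out."

PHONE_RE = re.compile(r"^\+?1?\d{10}$")           # simplistic North American number check
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_reminder(patient: Patient, appt: Appointment,
                   template: str = DEFAULT_TEMPLATE) -> Optional[Tuple[str, str, str]]:
    """Return (channel, address, body), or None when the reminder must not be sent."""
    if patient.opted_out:
        return None
    channel = patient.preferred_channel
    if channel in ("call", "sms"):
        address, valid = patient.phone or "", bool(PHONE_RE.match(patient.phone or ""))
    elif channel == "email":
        address, valid = patient.email or "", bool(EMAIL_RE.match(patient.email or ""))
    else:
        address, valid = "", False
    if not valid:                     # bad contact data: do not send to a guessed address
        return None
    fields = {k: getattr(appt, k) for k in ALLOWED_FIELDS}
    try:
        body = template.format(**fields)   # a template naming {reason} or {visit_type} fails here
    except KeyError as missing:
        raise ValueError(f"template references a field outside the minimum set: {missing}")
    # Defence in depth: refuse to send if a sensitive value still ended up in the text.
    for sensitive in (appt.visit_type, appt.reason):
        if sensitive and sensitive.lower() in body.lower():
            raise ValueError("reminder text would disclose appointment details")
    return channel, address, body
```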
Before launching my own online appointment reminder service, I worked for a well-known health care provider for ten years as the Sr. IVR Programmer. Over that time period I collaborated on many different IVR, email, and SMS outreach projects with many different departments such as prevention, mental health, cardiology, cancer screening, research studies, and appointment reminders. The question of HIPAA would inevitably come up almost every time. The compliance department would be notified and questions would be asked. Although each case was a little different, the answer would usually boil down to taking reasonable precautions and using common sense.
Jon Langer, an attorney who specializes in business law with an emphasis on representing physicians in private practice, makes the following statement regarding appointment reminders and HIPAA:
“Guidance issued by the Department of Health and Human Services makes it clear that physicians aren’t required to get a patient authorization for an otherwise HIPAA compliant use of appointment reminders, since it considers them a part of patient treatment.”
Businesses that deal with PHI can safely incorporate automated appointment reminders into their practice without the concern of violating HIPAA as long as they follow the simple guidelines that I mentioned above.
For more info on HIPAA, you can visit the U.S. Department of Health and Human Services’ Understanding HIPAA page.
This sponsored post was written by Jonah Langer of AppointmentReminders.com, LLC