Digital patient communication: Tips for reducing your risks
Here’s a list of do’s and don’ts to keep in mind when using texting, email, social media and more to connect with patients.
Consumers have a growing list of expectations when communicating with companies – and healthcare is no exception.
Many patients expect easy access to their personal health information at any time and from anywhere, and they expect to get it through a variety of channels, including text messages, email, websites, chat and phone calls.
Unfortunately, many patients do not realize that the channels they rely on in their personal lives are unsafe for sharing protected health information (PHI).
Healthcare organizations need to understand the potential risks of each communication channel as well as their data privacy and security obligations under HIPAA. Here’s a look at key issues for each channel.
Texting
Some 58 percent of consumers say texting is the best way to reach them quickly. Digital health companies are making this easier and more efficient with software platforms built around texting as a patient communication channel. Although many of these vendors have designed their products to support HIPAA compliance, much of the responsibility still falls on the users.
Warnings, pop-ups and hard stops built into the software can remind users to follow HIPAA best practices, but users can often override or ignore these safeguards. So it is important to understand how to use texting with patients effectively and safely.
Texting ‘do’s’
When using texting to communicate with patients, organizations should:
- Develop policies and procedures that set parameters for patient text communications.
- Determine whether an existing application (particularly the electronic health record system) already supports texting through a more secure mechanism and can capture the messages back into the record.
- Use company-controlled devices. If you allow BYOD (bring your own device), put mobile device management controls in place that give you visibility into what is transmitted from the device. Also consider enabling the ability to remotely wipe organizational data from the device when an employee leaves your organization.
Texting ‘don’ts’
When using texting, avoid:
- Allowing employees to use personal devices that are not under organizational management.
- Giving patients personal cell numbers of staff members.
- Assuming patient consent. For example, if your patient communicates via text, don’t assume you can respond with PHI in a text. Be sure to confirm their consent.
- Keeping messages on devices once they have been copied into official systems such as the EHR.
Email
Many consumer email services are not secure enough to meet HIPAA standards. Email is also a prime target for attackers, who use phishing to steal credentials, deliver malware or initiate other breach methods.
Email ‘do’s’
When using email for patient communication:
- Analyze email-related risks and document the reasons behind your decision to use email for patient communications, taking into account the scope of your HIPAA risk analysis and your risk threshold.
- Use encryption. Encrypt messages in transit and data at rest, including on laptops and phones that could be lost or stolen; consider full-device encryption.
- Provide patients with suggestions about how to help protect their PHI.
- Establish data protection procedures with business associates.
- Address backup and message retrieval.
- Determine how to conduct audits.
- Decide which email messages belong in the designated record set (the records subject to patients’ right of access) and capture them there.
- Determine the need for business associate agreements.
- Develop and document related policies and procedures.
Email ‘don’ts’
When using email, avoid:
- Sharing accounts;
- Keeping messages on the platform once they are recorded in official systems;
- Using personal accounts for patient communications.
Social media
Unfortunately, many social media platforms lack effective privacy controls, and few have security and privacy practices that meet HIPAA requirements.
Social media ‘do’s’
When using social media for patient communication:
- Keep information limited to details the public needs to know about your practice, such as office location, hours and contacts.
- If a patient reaches out via social media, keep the response professional. Keep in mind obligations to meet HIPAA standards.
- Know what kind of tracking mechanisms (such as pixels and cookies) the social media platform uses, since these can collect information about the people who interact with your pages.
Social media ‘don’ts’
When using social media, avoid:
- Responding to social media posts (or Google or Yelp reviews) with PHI;
- Accepting friend requests or other personal social media connections with patients without careful consideration;
- Responding publicly to a patient’s self-disclosure of PHI; confirming or elaborating on it would be a disclosure by your organization, even though the patient disclosed it first.
APIs
Many common apps use application programming interfaces (APIs) as communication pathways and to share data. For example:
- Records held in an EHR can, through an API, be provided to the patient in the health apps of their choosing.
- Medicaid and CHIP programs are required to make provider directory information available through APIs.
- APIs also support regulatory requirements such as the hospital electronic event notifications (admission, discharge and transfer) required under the conditions of participation.
When using APIs, be sure to:
- Understand compliance dates and requirements.
- Establish policies and procedures.
- Analyze risks and conduct security tests.
- Monitor third-party app threats.
- Establish business associate agreements with third-party vendors.
Be sure to avoid API missteps, including:
- Ignoring requirements or assuming the vendor will handle them;
- Forgetting to document decisions regarding establishing and using APIs;
- Delaying staff education.
Telehealth and video conferencing
The coronavirus pandemic has led to an increase in the use of video conferencing tools for telehealth.
HIPAA requires providers to ensure that digital data exchanges are secure. The Department of Health and Human Services’ Office for Civil Rights (OCR), however, eased enforcement of some requirements during the pandemic. As a result, some healthcare providers may have used platforms that are not considered compliant because of the lack of business associate agreements or of assurances about the platform’s security.
Although OCR’s enforcement discretion allowed the use of more platforms, it is best to use HIPAA-compliant digital communication tools. Once the public health emergency ends, organizations must take steps to move to fully HIPAA-compliant telehealth methods.
When using telehealth, be sure to take these steps:
- Enable available encryption and privacy modes.
- Stop using non-compliant platforms, move to compliant tools and implement appropriate policies and procedures.
- Get business associate agreements with vendors.
- Inform patients of privacy risks. If a patient still wants to communicate through an insecure medium, proceed, but document their preference and that they were warned about the risks.
- Train and educate your staff on compliant practices as well as all policies and expectations.
- Avoid public-facing communication products (for example, livestreaming services); OCR’s enforcement discretion did not extend to these.
Right of access
Ensuring patients have the right to access their records, as HIPAA requires, is a high priority for OCR, as affirmed by the recent announcement of 11 new enforcement actions. But the proliferation of new technologies can complicate communication practices.
Right of access ‘do’s’
When taking steps to uphold patients’ right of access to their records:
- Formally define in policy all data elements and record systems that are in scope.
- Ensure all data in your record systems, including backup and recovery systems, is in scope.
- Consider any record used to make a decision about a patient.
- Identify the location of paper records and medical device output.
Right of access ‘don’ts’
When working on patient access rights, don’t:
- Forget that emails and texts must also be captured.
- Overlook billing and other types of records.
- Delay responding. You must respond within 30 days, with one 30-day extension possible.
As technology evolves and patient expectations change, providers will continue to face risks related to digital patient communications. It is your responsibility to ensure that whichever communication methods you use are HIPAA compliant and protect your patients’ PHI.
Wes Morris is senior director of consulting services at Clearwater. Reprinted with permission from a post on Clearwater's website.