Why patient communications has become a privacy conundrum
A scenario growing in frequency for physician practices and other healthcare organizations is the desire for patients to communicate with clinicians using the same tools as in everyday life. That translates to a preference for text messaging, WhatsApp, Facebook Messenger, iMessage or any other number of third-party applications that enable quick and efficient communication.
However, the convenience and ease of communication are also factors that give rise to a number of privacy and security concerns.
A first question can be whether such tools are permissible in healthcare. If they’re permissible, how can they be controlled? Where should agreements be created? Who is responsible for managing accounts? A multitude of other questions will cascade from there.
However, a frequent refrain challenging the ability to use more modern communication platforms is that HIPAA prevents or prohibits the use of those platforms. As is so often the case with HIPAA, the real answer is not so clear cut.
From a patient’s perspective, the request being made is simple. So many people rely upon quick text-based communication as opposed to a phone call, fax or email. Also, there is a reluctance or resistance to being forced to use a patient portal or other application built into an electronic medical record. That can lead to requests to receive text messages or communications in other places.
What should a clinician do in the face of such a request? Take reasonable steps to honor it. The text of the Privacy Rule is clear: “A covered healthcare provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered healthcare provider by alternative means or at an alternative location.” 45 CFR § 164.522(b)(1).
There is a similar provision that follows for health plans. If there is any doubt about what alternative means includes, a longstanding FAQ from the Office for Civil Rights states that this includes email (which has been further understood to include electronic communications generally).
Given the right contained in the Privacy Rule and guidance statement, the view from the patient side is clear and unequivocal. Only looking at one side does not end the story though.
While a covered healthcare provider or health plan should reasonably accommodate requests for alternative communications, there is still the obligation to “reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation” of the HIPAA Privacy Rule. 45 CFR § 164.530(c)(2)(i). All of the requirements of the HIPAA Security Rule will also come to bear.
All of this means that the use of any electronic or digital communication must be done thoughtfully and will appropriate protections. Going back to the FAQ, back in 2008 OCR discussed confirming the email address of the recipient, limiting the amount of information included in the email and ensuring transmission comport with the Security Rule. All reasonable statements, but ones that seem to suggest that there is a fair degree of control over the tool being used to send the message to the patient.
Looking at current communication tools, many of those tools are under the full control of a third party. The solution is no longer locally hosted and controlled by the healthcare provider or health plan. If another entity stores the data, then a business associate relationship is likely created. If a business associate relationship is created, then all of the bells and whistles for that form of relationship need to be respected and followed.
This once simple-and-easy request from the patient side of the room has become a bit more complicated and convoluted when viewed from the side of the room required to comply with HIPAA.
The conduit exception is an exception that should be and is interpreted narrowly. As stated often by OCR, a conduit only transmits information or acts a courier. In the pre-digital days, the postal service and equivalents were used as examples. In the digital age, internet service providers that just transmit information are used as the equivalents. In those instances, information is not stored or otherwise held.
Most vendors operating communication tools will end up hosting or copying data, which precludes the ability to be classified as a conduit. While appealing, the conduit exception is unlikely to provide relief.
As is always the case with HIPAA, options exist if the time is taken to understand the intersection of privacy and security obligations with individual rights. The preferred course of action may not be fully available, but that does not stop all activity.