Texting and E-mail in Medical Offices

Your To-Do List
• Find out what you are doing already with texting – ask and then verify!
• Discover what should be protected (and may not have been)
• Implement secure texting for the office using the free apps (Signal, Telegram, WickrMe)
• Get permission to contact cell phones for healthcare and payment purposes and follow-up communications
• Provide secure alternatives for patient communications and allow choosing a non-secure process if they prefer
• Look into other communication platforms to integrate texting, triage, and documentation
• Identify your issues and plan their mitigation

-Jim Sheldon-Dean

Triwest Health Net Registration

Dear Midwives and Birth Center Providers,

If you bill Triwest, which is now Triwest HN, please complete the attached forms and send them to your biller for submission. Claims will not be processed unless you are added to their system. Thank you.

Midwives (complete regardless of license)

https://www.tricare-west.com/content/dam/hnfs/tw/prov/resources/pdf/nnw-applications/indvdl-app-midwife.pdf

Birth Center

https://www.tricare-west.com/content/dam/hnfs/tw/prov/resources/pdf/nnw-applications/instit-app-birth.pdf

Security and Incident Policy Help
• The SANS Security Policy Project
  – A Short Primer For Developing Security Policies, samples, guidance
  – Available at: http://www.sans.org/resources/policies/
• New York University HIPAA security policies
  – A good level of detail; many of the concepts are directly transferable
  – http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/hipaa-policies.html
• NIST Guide for Cybersecurity Event Recovery SP 800-184, an excellent overall guide that now incorporates incident handling and contingency planning: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
• NIST Computer Security Incident Handling Guide SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf

Patient Communication Policies
• Define the usual, preferred, secure means of communication, and the preferred insecure alternatives
  – Consider what you are “reasonably able” to do
• Require patient to request using insecure communication methods, and indicate preferred method to be used
• If an insecure method is requested, consider it according to §164.522(b)(2) and §164.524(c) and guidance
• If an insecure alternative method is granted:
  – Explain the risks to the patient
  – Obtain consent (with signature if appropriate)
  – Inform those who communicate of the preference
• Document the request and consent or denial

-Jim Sheldon-Dean

Beware the TCPA
• Telephone Consumer Protection Act of 1991
• Be cautious, especially for any calls or texts relating to billing or financial matters
• Get consent up front to call the number provided for healthcare and financial purposes, including reminders and follow-up
• If you don’t get consent, watch out!
  – Penalties for, without consent, calling a cell phone or leaving a payment-related message (voice or text)
  – Penalties for, without consent, calling a cell phone or leaving a healthcare-related message more than one minute (voice) or 160 characters (text) long; no more than one per day or three per week

-Jim Sheldon-Dean

If PHI Is Involved, Must Secure, Except…
• Do you need to secure e-mail and text messages?
  – Required HIPAA Risk Analysis shows risks of using insecure communications such as plain e-mail and texting
  – Organizations that discover they have used insecure communications report insecure communications of PHI as a breach
  – Enforcement settlements have been based in part on the use of insecure communications for professional purposes with PHI
• So, if PHI is involved, encryption is required
• Except! When the patient requests the use of an insecure process
  – Must be at the patient’s request or as an expressed preference
  – Must explain risks to the individual and obtain consent for insecure communications involving PHI
  – Entity is not liable for a breach if PHI is compromised

-Jim Sheldon-Dean