Beware the TCPA
•Telephone Consumer Protection Act of 1991
•Be cautious, especially for any calls or texts relating to billing or financial matters
•Get consent up front to call the number provided for healthcare and financial purposes, including reminders and follow-up
•If you don’t get consent, watch out!
–Penalties for calling a cell phone or leaving a payment-related message (voice or text) without consent
–Penalties for calling a cell phone or leaving a healthcare-related message, without consent, more than one minute (voice) or 160 characters (text) long; no more than one per day or three per week
If PHI Is Involved, Must Secure, Except…
•Do you need to secure e-mail and text messages?
–Required HIPAA Risk Analysis shows risks of using insecure communications such as plain e-mail and texting
–Organizations that discover they have used insecure communications report insecure communications of PHI as a breach
–Enforcement settlements have been based in part on the use of insecure communications for professional purposes with PHI
•So, if PHI is involved, encryption is required
•Except! When the patient requests the use of an insecure process
–Must be at the patient’s request or as an expressed preference
–Must explain risks to the individual and obtain consent for insecure communications involving PHI
–Entity is not liable for a breach if PHI is compromised
Who Knows… maybe they can fix. We shall see!
•HIPAA Security Rule §164.312(e) requires consideration of encryption of communications as an Addressable Implementation Specification
–Risk Analysis shows regular texting is NOT secure
–Using regular texting with PHI may be considered a breach
•HIPAA Privacy Rule §164.522 and §164.524 give patients rights of communication preferences and access to information (even if it is not secure)
–Making Patients happy
–Making HHS happy
Aetna’s medical director states that medical records were never reviewed when considering approval or denial for care
•The big question: “Can I text or e-mail appointment reminders to my patients?”
•The big answer: “That depends…”
–Do you have consent under TCPA?
–Details of the message
–Context of the message
–What can you leave out?
•What if they request using plain e-mail or plain texting and don’t want to use another app or portal?
–Can you manage the communications?
–Can you document the communications?
–Issue of Response, Triage, and Medical Records
•For Professional purposes:
–Formal communication between staff or providers in other offices, involving PHI, including information or decisions about care
•Secure communications for PHI are required
•Communications must be documented, authenticated for treatment purposes
•Need more than one of the free secure texting apps