Physician Communications: Considerations for Using Text Messages and Social Media

doctors textingBy: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients.  And although open communication is generally thought of as positive, the medical profession should proceed with caution.  Patients and consulting physicians rely heavily on their communications with their treating physicians.  Thus, communications which do not require the thought of focus that a physician would otherwise give to a situation may result in disaster. While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media: Continue reading

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first final modifications to HIPAA which were mandated by “HITECH” include modifications intended to improve the Rules which were issued as a proposed rule on July 14, 2010 include six modifications.

The first omnibus final rule includes direct liability modifications for business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements. Strengthening of limitations on the use and disclosure of protected health information, expanded individuals’ rights to receive electronic copies of their health information, modification and redistribution of entities privacy practices protocols, modification of individual authorization forms and other requirements to facilitate research and disclosure of child immunization proof to schools as well as to enable access to decedent information and lastly the enforcement rules have been modified to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” act. This rule replaces the prior rules “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENTALTY AMOUNTS AVAILABLE

Violation Category – Section 1176 (a)(1)

Each Violation

All such violations of an identical provision in a calendar year

(A)  Did Not Know(B)   Reasonable Cause

(C)   (i)Willful Neglect-Corrected

(C) (ii) Willful Neglect-Not Corrected

$100-$50,0001,000-50,000

10,000-50,000

50,000

$1,500,0001,500,000

1,500,000

1,500,000

Providers need to be aware of the penalties for violating the rules as we most recently reported to you the office of civil rights will not hesitate in sanctioning providers for violating the Act in amounts in excess of $1.5 million.

Portal not “Port-All”

doorBy: David Hirshfeld

Whether as a means of satisfying the Stage 2 “meaningful use” requirements of the HITECH Act, or in an effort simply to enhance the efficiency of their practices, many of our clients have been implementing electronic medical records software that includes patient portals.  A “patient portal” is an electronic doorway between patient and practice.  Portals often allow patients to check and download their own treatment records, and to use digital messages as a means of communicating with clinicians.  Portals can be awesome tools with which to enhance your practice, but they need to be implemented thoughtfully.

A portal is often an excellent way in which to add operational efficiencies that reduce costs, increase patient satisfaction, and increase positive outcomes; BUT, if not carefully monitored, they can become inadvertent points of entry for information, the meaning of which can only be appreciated when delivered in a face-to-face office visit, where other aspects of the patient’s condition would be evident (e.g. pallor, swelling, confusion).

Portals should be limited to more benign encounters, such as: patient registration, financial clearance, medical history, appointment scheduling / confirmation, specialty referrals, notification of test results, online bill payment, non-narcotic prescription renewals, follow-up of specific conditions for which there has been a course of in-person treatment that included an agreement as to the use of the portal for follow-up.

I recommend that practitioners train their patients how and to what extent they should use the portal by presenting patients with a “Terms of Use” agreement (that they must sign); and by reminding patients of the Terms of Use if and when they use the portal for an encounter that should have been handled by an in-office visit.

A good “Terms of Use” agreement ought to convey the following information to patients before they use the portal:

  • Identify the proper subject matter to be communicated through the portal and, just as important, the types of communications that should NOT be made through the portal.
  • In addition to communication, what other functions the portal will make available to the patient (e.g. what records can patients view, can they download, can they transmit to other providers, refill prescriptions, help practice to monitor an ongoing condition, etc.).
  • The portal is highly secure, more secure than conventional email, and should be the only way that patients should convey information to the practice other than in-person or, perhaps, on the telephone.
  • Everything conveyed to the practice through the portal will become part of the patient’s medical record.
  • Not only the physician, but other clinicians and practice staff may read communications made through the portal.
  • How quickly, and in what format, will the practice respond to patient communications made through the portal.
  • Whether and on what terms the practice will allow access to records of its minor patients.
  • How modifications to the “Terms of Use” and portal functionality will be conveyed to patients.
  • A primer, as simple as possible, on how to effectively use your practice’s portal.

Portals can be awesome tools with which to enhance your practice; but they need to be implemented thoughtfully, and in conjunction with patient training.

 

Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.

Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By:  Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identify theft program to combat these risks, including internal processes for identifying “red flags” of identity theft.  The application of the Red Flags Rule to health care service providers was controversial since it advanced a counterintuitive notion that a provider who engaged in ordinary course business activities, such as rendering health care services where insurance or other payment would be received later, was a “creditor” by definition, thus was equated with the business of financial institutions and subject to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include what is routine health care services billing and collection activities (such as deferring payment of fees in connection with providing services) and that most service providers are not subject to the rule.  Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data.   To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply.  Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information regardless of whether they are subject to the Red Flags Rule.

ACOwatch: Kathleen Sebelius: Keynote Speech From 2nd Annual ACO Summit

6/28/2011: ACOwatch.com 
Remarks as prepared for delivery by Secretary Sebelius on June 27th, 2011, Washington, DC.

“Improving care is clearly the best approach to addressing rising costs – especially compared to recent proposals that would simply cut Medicare and Medicaid, without doing anything to address underlying growth in health care spending.  But it’s also clear that we are not improving fast enough.  So our challenge is to speed it up.”

Read more here: http://acowatch.com/