HIPAA – THE TOP SEVEN QUESTIONS

article-image

Introduction

With a strong need for uniformity in the world of healthcare, HIPAA was signed into law by President Clinton in 1996 requiring national standards to be established for electronic health care transactions which included specifications about the security and privacy of information. This whitepaper will discuss the relationship between the automated messaging system Inphonite and the Health Insurance Portability and Accountability Act (HIPAA) and will clarify the level of security and privacy that Inphonite provides users in order to follow the requirements set forth by HIPAA.

 

Below are some of the most common HIPAA related questions regarding Automated Messaging.

 

Questions and Answers

 

1. Is calling to notify or remind a patient of healthcare related issues or appointments considered a disclosure of protected health information under HIPAA?

Under HIPAA regulations protected health information includes information related to the care of a patient. It is recommended that patients be made aware through written consent of the practice of calling and notifying or reminding patients of appointments and other health related information.

 

2. What is required from a patient when a healthcare provider sends appointment reminders and other related information?

A consent form giving the healthcare provider permission to use and disclose protected health information for the purposes of treatment, payment, or health care operations is required. This should already be included as part of your intake paperwork. Under HIPAA the consent form is only applicable for situations involving doctors or other healthcare providers with a direct treatment relationship with a patient.

3. What is required by a healthcare provider when sending appointment reminders and other related information?

Along with a consent form, an alternative means of receiving information must be provided. Individuals must be allowed to opt-out, or specify an alternative means for receiving the information. The health care provider’s privacy notice should also address the practice of notifying or reminding patients, as well as the patient's right to request alternative means of communication. Inphonite will review your database to send or not send messages per patient request. In addition, since Inphonite imports data directly from your management software you’re always using the most up to date information.

4. What about other types of automated messages?

HIPAA does have a marketing provision for communicating products and services that encourage recipients to purchase or use products or services. However, it is not considered marketing for a health care provider to use an individual’s information for personalized health-related communication as long as the communication is made in relation to managing the individual's care or recommending alternative treatment. For example, immunization reminders, annual exams, or prescription refills would not be considered marketing. For marketing related communications a health care provider would need to obtain the individual's authorization. With Inphonite you can create unlimited types of messages, allowing you to easily manage health, marketing, surveys, or even simple birthday greeting communications.

5. Are there any situations where using an automated appointment reminder would not be recommended due to HIPAA?

Due to the sensitivity of psychiatric and mental health treatments, it is sometimes suggested that reminders to these types of patients be communicated directly by mail or phone. However, oftentimes these patients are those that most need the reminders, and it is still permissible with the above requirements.

6. Does Inphonite provide the security checks and balances that HIPAA requires?

Yes, with correct implementation and maintenance Inphonite provides everything you need to stay HIPAA compliant. Inphonite provides built in security restricting access to patient information. With the on-premise edition confidential information is controlled directly by the health care provider, and never transmitted over the Internet. With the SaaS model every precaution has taken place during the development of the product to help ensure encryption and security of protected data. Both versions of Inphonite also import data directly from the health care provider’s management software, preventing inconsistencies in patient information. Patients requesting alternative means of communication, or preferring to opt-out can easily be accommodated and Inphonite even provides communication reports for verification purposes.

7. How do I get started using Inphonite to send appointment reminders and other messages?

In order to configure Inphonite to work with your management software a sample data file must be submitted prior to installation. In compliance with HIPAA it is recommended that the file be sent in an unidentifiable data set format to help ensure that no patient information is disclosed. With Inphonite there are no additional exchanges of information. With our SAAS solution your patient data is managed by you and requires a Business Associate Agreement and/or SaaS contract in order to begin. Whichever route, Inphonite makes it easy to comply with HIPAA because your health information is protected from beginning to end.

 

We hope this answers some of your questions about automated messaging and HIPAA. For more information on HIPAA compliance, see The United States Department of Health & Human Services website at: www.hhs.gov.

Things to mention:

BAAs—what are they, why do they exist, who do they protect/how? (who has time to read them?)

Is Texting in violation of HIPAA?   https://www.hipaajournal.com/texting-violation-hipaa/

 

 

END OF THE QUESTIONS------

 

The laws that govern recording phone calls exist because many people and governments label call recording as eavesdropping or wiretapping. It is therefore imperative to know the laws in your area before you decide to record even a single call.

Since these are state laws, the question then becomes, what if you are making a phone call across state borders, because let’s face it, most of us do business out-of-state.

It’s just not always easy to find, nor is it always clear whether Federal or State laws apply regarding call recordings. In most states, the law references the state where the recording device is located. That is a simplified way of looking at it, particularly since these days everything is in the cloud.

Additionally, some state laws indicate that the law of the state where the person is being recorded, should take precedence. Therefore, when recording a call that crosses state borders, it’s best to follow the strictest laws, no matter which state or federal law that could be. In almost all instances, recording a call or conversation, when all parties consent, is considered legal. 

Guides 7Questions Image 1

The USA vs. The World

Recording laws in the USA differ from those around the world. Technology has changed significantly and while in some places around the world, All-Party Consent is the norm, the United States likes to leave these regulations in the hands of the States.

 

The Strictest Recording Laws

We found the strictest laws to be in Canada. While in the USA the laws outline party consent, in Canada it is different. In fact, Canada has specific rules in addition to their Consent laws.

 

Three main rules in Canada are included with All-Party consent. First, you must notify the others on the call that you are going to record the conversation. Second, during that discussion you must outline the purpose for recording the conversation. And third, you need to remind them that it can only be recorded with their agreement.

 

Many group calls or Webinars include people calling in from around the world. These are often recorded, and usually somewhere in the Terms of the Webinar, you will be given the above three-rule notification, where by participating you are giving your express consent to being recorded.

Should We Record Our Calls

It is first important to consider the reason for recording your calls. After that, consider how important those reasons truly are, along with the impact it could have on your business, customers, or person, whether that impact is good or bad.

Reason: Personal, heated discussion (Use Case: Invoice Disputes)

 

Reason: Technical, need to remember specific technical details (Use Case: Webinar)

Impact: Low, generally with a business, though if legally escalated, could be used as evidence

 

Impact: Low, probably not proprietary information, though likely across State lines and with many people

 

 

 

Reason: Dictation, writing it down for later reference, often for legal purposes (Use Case: Therapy or Testimony)

 

Reason: Technical, need to hear phone line noise (Use Case: Automated Messaging)

Impact: Medium, could be medically necessary or per legal mandate, though probably not multiple parties

 

Impact: Medium, may be able to hear from one call, may need to record several

 

 

 

 

Reason: Customer Service, like spying on staff, and sometimes necessary (Use Case: Customer Disputes)

 

Reason: Verification, audible signatures (Use Case: Upgrading Phone Plans/ Credit Cards)

Impact: Large, going this route, you are likely recording all, or almost all calls

 

Impact: Large, if using for this reason, it is usually a large customer base

Rule of Thumb

No matter a State’s Consent laws, the rule of thumb is to always receive consent from all parties on a call, if possible, prior to the call. Following the rules of our neighbors to the North, outlining the reason for the recording and asking for permission, is a common courtesy when it comes to call recording.  

 

Many businesses in the United States already have a message saying, “this call may be recorded for quality assurance and training.” This standard for large companies might be something to consider no matter the size of your business.

 

While recording can be particularly cumbersome if you are having a group discussion or are even just recording a webinar, these laws are always something to consider, whether you are the recorder or recorded party!

 

When hosting Webinars, you should be asking for consent to record, and by participating in Webinars, you are giving your express consent to be recorded.

 

Just remember, if you do decide to press that red button, be prepared. Most of our customers simply add legal language to their standard paperwork indicating the possibility of recording calls for troubleshooting. A general disclaimer for same is considered appropriate and acceptable.

Recording Using Inphonite’s Premium Voice

Reason: Technical & Customer Service / Impact: Medium
Customers can use the Inphonite Premium Voice recording feature to listen for static on their lines, or to prove that NO-SHOWS, actually did in fact receive a message, and may even have Confirmed their appointments. To fully appreciate this feature, please consider your State or Federal Laws and how they relate to you or your own customers or patients.


Continue Reading