I’m often taken aback by some of the marketing material I receive from privacy and security training vendors. This is clearly a “buyer beware” moment. The review of a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable about the material that needs to be covered in any privacy and security training session you’re looking to enroll in. The training risk comes when someone doesn’t have a good grasp of the material, because they may well be fed outdated information or, worse, partial truths about HIPAA.
I may be a little sensitive because of the type of privacy and security training that we and some of our partners provide: timely, current event-relevant, regulation-sensitive training. But in this instance, we received a vendor mailing focused on email integration and texting in the healthcare communications environment. Sounds entirely reasonable, right? Unfortunately, the marketing copy reflected outdated or even misleading information.
Marketing hype or regulatory reality?
The vendor’s privacy and security training marketing materials included these topics and observations, presented as facts:
- Email and texting are in the early adoption stages in healthcare settings. Texting is becoming the preferred engagement, overtaking paging.
- Mobile phone use for texts or calls relating to payment, to provide critical healthcare information or other official purposes is a no-no for providers and violates HIPAA.
- Risk evaluation and management related to business communication that may or may not contain PHI is under scrutiny. Improper exposure may be considered an official breach.
- Violation enforcement can include fines up to $50,000 per day and more.
- Impacts of the Telephone Consumer Protection Act (TCPA) limit the use of cell phones for payment and healthcare purposes unless consent is obtained.
Let’s take it from the top. First of all, texts and emails are common in today’s healthcare environment. While the topic is worth addressing as part of ongoing training (and hopefully touches on serious email threats like phishing), it’s not a new issue.
Secondly, clarification is in order when it comes to texts. HIPAA doesn’t require covered entities to obtain consent before, say, sending an appointment reminder via text message. I do, however, think it’s a courtesy that should be extended because not everyone is comfortable with anything to do with their health being texted to them.
Now to take it a step further, if the email or the text message is encrypted, there are really no HIPAA consent requirements. If the individual requests texts and emails be sent unencrypted, covered entities do need to document that the individual making the request has been informed of the dangers associated with unencrypted transmission of PHI. That’s not the same as obtaining consent.
When it comes to risk evaluation and risk management, yes, those are hot items. And while I do wonder what an “unofficial” breach is, I agree the improper exposure of PHI may result in a reportable breach. Please keep in mind that if the exposure is unintentional, like a misdirected email, it may or may not be a reportable breach. That’s where the HIPAA Breach Notification Rule’s four-factor risk assessment comes into play.
Here’s where I seriously part ways with the material: the violation enforcement information and the penalties.
If you’re doing the right thing, discover a breach, follow the required investigation and notification process, and report the breach to OCR in a timely manner, you likely won’t be fined by OCR. Now, if there is a breach and OCR finds you haven’t conducted a risk analysis, haven’t adopted current and enforceable policies, haven’t trained your staff and so on, then yes, chances are higher that you’ll be paying in the form of a penalty or monetary settlement.
As far as the $50,000 per day goes, OCR can levy penalties up to $50,000 for a single violation, up to a maximum of $1.5 million per calendar year. There’s no reference in any OCR guidance to violations being counted in days. They could in fact be counted as the number of records breached. If, as an example, 1,000 patients’ PHI was breached, OCR could count that as $50,000 × 1,000 (if you’re found guilty of willful neglect). Because the penalty amount calculated this way would exceed $1.5 million, the maximum penalty amount would be levied unless a lower amount was negotiated between OCR and the breaching entity.
Finally, the TCPA. I need to point out that the TCPA was enacted in 1991 – pre-HIPAA – and addressed robocalls. It had nothing specifically to do with text messages and healthcare.
The bottom line on healthcare privacy and security training.
Using email and texting to communicate healthcare information has been going on for years. Keep in mind that, yes, guidance from OCR (“Right to Access”) emphasizes the need for covered entities to communicate effectively with patients, but there is no reference to text messaging or emailing other than to state that patients can request communications be made using unencrypted email as long as the risks associated with it are clearly communicated. There is zero reference to text messaging in the guidance or in HIPAA itself.
I wholeheartedly agree that you need to regularly conduct privacy and information security training with your workforce. I also agree that you need up-to-date privacy and security training documentation.
I’m concerned that there are entities not up on the risks and how those risks are associated with patient communication. The first edicts from HHS that apply to the use of email to communicate with patients date back to January 2013 (the Omnibus Rule) and February 2014 (the HIPAA CLIA Rule), respectively.
Training vendors need to be vetted. If you or your staff are going to take your valuable time to attend any vendor-offered training, you need to know that it has more real-world application to privacy and security risks, engages employees on how they can protect ePHI, and accurately reflects regulatory requirements. More HIPAA realities, less marketing myth.