HHS Implements Strict Encryption Requirements for Email and Text Message Communication
•
0 gefällt mir•296 views
HHS and CMS have confirmed the requirement that all Emails and Text Messages containing Protected Health Information (PHI) must be encrypted. There is only one exception. Patients have the absolute right to communicate with Covered Entities by unencrypted email and text message – if the patients have been informed there is some level of risk and prefer using unencrypted electronic transmissions. The key takeaway is how Covered Entities can protect themselves fully from HIPAA violations and comply with the patient’s right to receive unencrypted Emails and Texts containing PHI. Just a simple 3-Step Safeguard is all that is needed. Areas Covered Overview – Key Takeaways When You Must Encrypt Emails and Text Messages with PHI – Exception Why is this so important? Temptations HIPAA Rules for Email & Text Messaging Key Definitions 3-Step Safeguard – Patient Emails & Text Messages TCPA and the Effect of April 1, 2021, Supreme Court Decision When and Why You Must Encrypt Tips for Enterprise-wide Compliance Register, https://conferencepanel.com/conference/hhs-mandatory-email-and-text-message-encryption-rules-with-only-one-exception-for-informed-patients
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie HHS Implements Strict Encryption Requirements for Email and Text Message Communication
Ähnlich wie HHS Implements Strict Encryption Requirements for Email and Text Message Communication (20)
Mehr von Conference Panel
Mehr von Conference Panel (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
HHS Implements Strict Encryption Requirements for Email and Text Message Communication
- 1. PRESENTED BY PAUL R. HALES, J.D. HHS MANDATORY EMAIL & TEXT MESSAGE ENCRYPTION RULES WITH ONLY ONE EXCEPTION FOR INFORMED PATIENTS EDUCATIONAL WEBINAR 1 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 2. Health Information – HIPAA Protecting Patient Privacy is Our Job® Legal Education – Not Legal Advice AttorneyHales.com @hipaaetool 314-534-3534 PaulHales@AttorneyHales.com Email & Text Message – HIPAA Compliance PAUL R. HALES ATTORNEY AT LAW 2 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 3. Identifying Information Health Care The 18 “Identifiers” 3 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC 5. Fax number 6. Email address 7. Social Security Number 8. Medical record number 9. Health Plan beneficiary number 10. Account Number 11. Certificate/license number 12. Vehicle Identifiers and serial numbers, including license plate numbers 13. Device Identifiers and serial numbers 1. Name 2. Address 3. Dates directly related to an Individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicating an Individual’s age, except elements indicating age 90 or older may be combined into a single category – age 90 or older 4. Telephone number 14. Web Universal Resource Locators (URLs) 15. Internet Protocol (IP) address number 16. Biometric Identifiers, including finger and voice prints 17. Full face photographic images and any comparable images 18. Any other unique identifying number, characteristic, or code capable of identifying the Individual and not used for any other purpose Email & Text Message – HIPAA Compliance 45 CFR §164.514(b)(2)
- 4. Email & Text Message – HIPAA Compliance 4 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC Unencrypted Emails – Text Messages – Electronic Transmission https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf 1. Protected Health Information Protected health information (PHI) is information, including demographic information, which relates to: • the individual‘s past, present, or future physical or mental health or condition, • the provision of health care to the individual, or • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. 45 CFR § 160.103
- 5. Email & Text Message – HIPAA Compliance Health Care Provider: Hi Paul, your appointment on March 27, 2023 is at 2:00 PM. Reply RS to reschedule – OK to confirm. Thu, 8:00 am From: Health Care Provider Sent: Thurs. Mar. 23, 2023 8:00 AM To: Paul Hales Subject: Appointment Hi Paul, Your appointment on March 27, 2023 is at 2:00 PM. If you need to cancel or postpone, please notify us before 5:00 PM on March 24 or you will be charged a No-Show Fee of $25. Thank you, Health Care Provider Internet “Guidance” Examples • Don’t put PHI in Email Subject Line • Don’t put PHI in Email or Text • Put only Minimum Necessary PHI in Email or Text • Patient providing cell number is consent to receive PHI Texts “TCPA – HIPAA Compliant” Myths! 5 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC Unencrypted Emails – Text Messages – Electronic Transmission
- 6. Email & Text Message – HIPAA Compliance 3 STEP SAFEGUARD – PATIENT EMAILS & TEXT MESSAGES Standard (Unencrypted) Emails & Text Messages 1. Notify “Duty to Warn” Some level of risk information in an Unencrypted Email or Text Message can be read by someone else 2. Let the Patient Decide If the Patient prefers Unencrypted Email or Text Message the Patient has the right to receive them 3. Document in Writing Your Warning and Patient’s Decision to receive Unencrypted Email or Text Message 6 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 7. Email & Text Message – HIPAA Compliance 3 STEP SAFEGUARD – PATIENT EMAILS & TEXT MESSAGES Standard (Unencrypted) Emails & Text Messages – Background 2013 Privacy Rule – effective September 23, 2013 “Duty to Warn” January 25, 2013 – 78 FR 5634 2014 Security Rule – Encryption Reasonable & Appropriate Safeguard Unencrypted Email permitted if Individual warned of risks prefers Unencrypted Email February 6, 2014 – 79 FR 7302 2020 Privacy Rule Access Guidance – Updated https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html https://www.hhs.gov/hipaa/court-order-right-of-access/index.html October 20, 2020 – updating 2016 guidance 2018 Text Message “Duty to Warn” Confirmation OCR Director Roger Severino – HIMSS Annual Conference March 6, 2018 7 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 8. Email & Text Message – HIPAA Compliance 3 STEP SAFEGUARD – PATIENT EMAILS & TEXT MESSAGES Standard (Unencrypted) Emails & Text Messages – Background 2018 Text Message “Duty to Warn” Confirmation Recorded exchange between attendee and OCR Director Q.Do OCR guidelines for Unencrypted Email apply to Unencrypted Text Messages – if a patient is educated and agrees to the risk and doesn’t want to use secure texting? A. “I don’t see a difference.” – between an Unencrypted Email and an Unencrypted Text Message Q. “I guess I have to avoid the secure texting vendors who may want to shoot me now.” 8 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 9. Email & Text Message – HIPAA Compliance 3 STEP SAFEGUARD – PATIENT EMAILS & TEXT MESSAGES 3 Step Safeguard if Patient says “No” 1. Do Not Send Unencrypted Email or Text Message 2. Take Action to Prevent Sending • Implement Measures to Block • Notify everyone responsible for sending Unencrypted Email and Text Message (Workforce or BA) of Individual’s Restriction 3. Document in Writing Your Warning – Individual’s Response – Your Action and – Notice of Restriction to Business Associate Vendor 9 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 10. Email & Text Message – HIPAA Compliance 10 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC 3 STEP SAFEGUARD – PATIENT EMAILS & TEXT MESSAGES Summary – HIPAA Requirement for (Unencrypted) Emails & Text Messages Beware and Be Very Careful whenever you see or hear “HIPAA Compliant” from Vendors or “Experts” on the Internet
- 11. Email & Text Message – HIPAA Compliance Telephone Consumer Protection Act of 1991 Health Insurance Portability and Accountability Act of 1996 1991 TCPA Subject: Telecommunications Sent by Automatic Telephone Dialing System – ATDS Landline Telephone – Fax – Cell phone – Text Messages Purpose:Protect Consumers from Nuisance & Invasion of Privacy Exception – “Safe Harbor” – Consumer’s Prior Express Consent Enforcement: FCC, State Attorneys General, Civil Fines, Private Lawsuits HIPAA Rules (authorized by 1996 Act) Subject: Health Information Purpose:Protect Individually Identifiable Health Information Enforcement: Government Agencies, Civil Money and Criminal Penalties No Private Right to Sue 11 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
- 12. Email & Text Message – HIPAA Compliance 12 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC Telephone Consumer Protection Act of 1991 Health Insurance Portability and Accountability Act of 1996 2015 FCC TCPA Order “Healthcare Text Message Exemption” Key Special Condition Text Messages by or on behalf of Healthcare Provider “must comply with HIPAA privacy rules” FCC 15-72 Declaratory Ruling and Order July 15, 2015, Paragraph 147(3) @ Page 72 HIPAA Privacy Rules Compliance 3 Step Safeguard “Duty to Warn”
- 13. Email & Text Message – HIPAA Compliance 13 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC Concluding Discussion, Questions, Comments It’s Your Turn Questions, Comments, Suggestions
- 14. Email & Text Message – HIPAA Compliance Thank You Paul Hales, J. D. PaulHales@AttorneyHales.com 314-534-3534 14 www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC Register Now