What you need to know about HIPAA and Mobile Device Security to Avoid a $650,000.00 HIPAA Fine
This advanced and informative webinar begins with the most basic of questions: Does the HIPAA Privacy Rule permit health care providers to use e-mail and texting to discuss health issues and treatment with their patients?
Find out the answer and examine how the privacy rules of HIPAA allow covered entities and health care providers to communicate electronically, such as through e-mail or texting, with their own patients and with other health care practitioners, but only provided those health care practitioners apply reasonable safeguards when doing so. Failing to follow those safeguards risks violating HIPAA. This is mandated by federal administrative regulation.
Specifically, certain security precautions need to be taken when using e-mail or texting to avoid disclosures, unintentional or otherwise, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert or 2-factor authentication to the patient for address confirmation prior to sending the message.
Further, while the HIPAA privacy rules do not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied reasonably to protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. The health care practitioner may include the least amount of protected health information in an unencrypted e-mail.
In addition, covered entities must make sure any electronic transmission of protected health information follows the HIPAA Security Rule requirements of federal law.
Patients have the right under the HIPAA privacy rules to request and have a covered health care provider communicate with them by alternative means or at alternative locations, if reasonable. For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that health care practitioner or provider to communicate with the patient.
However, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated. The patient may also designate a particular e-mail address to use, such as the patient’s personal e-mail and not their work e-mail.
Patients may even initiate communications with a health care practitioner or other provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. This is implied consent and implied usage.
If the health care practitioner or other provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
Uncertainty exists when faced with strict laws. Erase the fear, uncertainty, and doubt by reviewing how patient consent and communication practices can be updated to allow for specific means of electronic communication.
Further erase the uncertainty, fear, and doubt about what other laws, such as state licensure laws, apply to the confidentiality of patient-protected health information. Review further some examples of specific state licensure laws that apply to electronic communications that may be stricter than even HIPAA itself.
Examine in detail the case of the $650,000.00 HIPAA fine against a non-profit health care entity for confidentiality and security violations involving employee mobile devices.
This webinar is thus an advanced overview of the many rules, both by HIPAA at the federal level and in state licensure laws, that govern e-mailing and texting with patients and with other health care practitioners.
While the very basic provisions of patient privacy for protected health information are well known to health care practitioners, their application in today’s world of electronic and personal communication, such as texting, e-mailing, and using personal devices such as smartphones and tablet computers, is very complex.
In addition to HIPAA rules, various state licensure laws exist to require confidential information to be kept confidential.
Many security rules regarding protected health information address how and when protected health information is to be kept confidential and not accessible to others outside of direct patient care.
The ability to text or e-mail health care practitioners and other staff and patients has become a priority for many health care entities and practitioners, especially solo health care practitioners with limited support staff. Maintaining patient privacy and confidentiality is necessary to make sure covered entities meet compliance standards of HIPAA and state licensure laws.
Although e-mailing and texting are convenient for the health care practitioner and patient, these communication methods have security risks and inherent pitfalls. Implementing e-mail and text solutions in the health care setting is a complex issue and several factors must be addressed.
Take an in-depth analysis of the case of the $650,000.00 HIPAA fine and civil money penalty against a non-profit health care entity for confidentiality and patient violations and the wrongful use of mobile devices.
Erase the fear, uncertainty, and doubt about exactly how a health care practitioner may use modern texting and e-mail, both within their own health care organization or facility and to the outside world of patients. Find out how you can avoid a $650,000.00 civil money penalty and HIPAA fine.
Health care attorneys; corporate compliance officers in health care; medical records staff of medical offices and health care entities; hospital attorneys; health care practitioners who are covered entities; law enforcement officers in health care compliance; state boards and agencies with jurisdiction over state licenses to practice a health care profession; facility IT departments.
Mark R. Brengelman, Attorney at Law
Mark worked as the assigned counsel to numerous health professions licensure boards as an Assistant Attorney General for the Commonwealth of Kentucky. Moving to private practice, he now helps private clients in a wide variety of contexts who are professionally licensed.
Mark became interested in the law when he graduated with both Bachelor's and Master's degrees in Philosophy from Emory University in Atlanta. He then earned a Juris Doctorate from the University of Kentucky College of Law. In 1995, Mark became an Assistant Attorney General and focused on the area of administrative and professional law where he represented multiple boards as General Counsel and Prosecuting Attorney.
Mark is a frequent participant in continuing education and has been a presenter for over fifty national and state organizations and private companies, including webinars and in-person seminars. National and state organizations include the Kentucky Bar Association, the Kentucky Office of the Attorney General, and the National Attorneys General Training and Research Institute.
01:00 PM EST 12:00 PM CST 11:00 AM MST 10:00 AM PST