Most people interact with HIPPA during their first visit to the doctor when they sign a release for the new year. Yet, this comprehensive series of laws affect everyone involved in the health care delivery process. HIPPA also has a say on what you can and cannot do when marketing and communicating with these patients.
What exactly is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It contains five parts, known as titles, and was designed with two objectives: to ensure everyone would maintain health insurance between jobs and create guidelines for secure handling of Protected Health Information, also known as PHI.
Title Two contains The HIPAA Privacy Rule. This regulates the use and disclosure of Protected Health Information (PHI). PHI is any information held by a “covered entity” that documents a specific individual’s health status, provision of health care, or coverage for health care that can be linked to a specific person. These include medical service providers, health insurers, employer health plans, and healthcare clearinghouses.
What are the HIPAA marketing requirements?
While there are specific privacy guidelines around the use of PHI for marketing purposes, it is acceptable for healthcare providers to this information when sending broad based communications about their own products and services.
An example is that a healthcare provider can use its patient list to announce a new piece of equipment or service. It is fine for a healthcare provider to send a flyer about its new weight loss program to all clients defined as obese, even if the treatment they received was not for obesity. Wellness programs generally do not fall under the HIPAA guidelines and are not subject to the same regulations. It’s not okay to sell that same patient information or share it with a different marketing organization.
The most critical part of the HIPAA guidelines as they relate to direct mail is data security.
If you ‘are going to use your PHI for a direct mail campaign, you likely can do so; you need to work with a HIPAA-compliant direct mail printer to ensure your data will not be compromised. Your vendor should undergo a rigorous third-party audit of their systems, data security measures and general plan and processes.
Complying with the HIPAA regulations is an ongoing process that requires a strong commitment from your suppliers.
Why are Email and Text Messaging Not HIPAA compliant?
Both patients and health care professionals falsely believe that traditional email and texting of private health information is HIPAA compliant. This is totally false. Any health care team member who is currently doing so is putting their organization at risk.
HIPAA regulations require that all private health information (PHI) be private and accessible by authorized personnel. There are two criteria to meet when transmitting PHI in any form. First, the PHI needs to be securely encrypted during transmission. This step ensures that PHI stays private, especially when transmitted over a public network such as Internet. Second, PHI should only be accessable to the intended recipient. The method of sending should have no access.
A HIPAA compliant method for delivering PHI directly is using the US Postal Service. When a patient receives a letter containing PHI, both criteria are fulfilled. The letter is delivered in a sealed envelope and the addressee will only break the seal. No one along the transmission route, including the postal service, can access the PHI.
Now that we understand this let’s see why texting and email are not HIPAA compliant. When an email is sent, let’s look behind the technology to see what is actually happening. A physician with the email address firstname.lastname@example.org sends an email to a patient with the email address email@example.com. Two seperate email servers involved with the transmission of this email, one at the community hospital and one at Gmail. When Dr. Sillars sends the email, his email client on his computer or smartphone connects with his email server at the local med center and transmits the server’s email message. Next, the local med center server finds where the Gmail server is located on the Internet. It transmits the email to the Gmail server using the standard protocol called simple mail transfer protocol, or SMTP. SMTP is the standard protocol used to transmit information between email servers over the Internet. However, it is not encrypted. As a result, messages sent via email are not secure and therefore not HIPAA compliant.
A comparison to this would be like mailing a letter without using an envelope: anyone handling the letter could easily read the content.
What happens if someone at the local med center sends an email to someone else there? Is that HIPAA compliant? It all depends on the setup of the community hospital mail server. If the server only accepts encrypted connections and never accepts connections from mail clients that are not encrypted, then this transmission can be determined to be HIPAA compliant since the local med center email server does not communicate with an outside server, and the communication is only internal. Even in this situation it is important to note that anyone with a localmedcenter.com email account (or any communication coming from or going to anyone without a localmedcenter.com email address) is not HIPAA compliant.
Is texting HIPAA compliant? This depends on which of the two types of text messages used. The first one is the most common means of texting: simple message service or SMS messages. Cell phone carriers handle these messages but will not be encrypted in transport and can also be accessed by personnel at the carriers themselves. As a result, they are not HIPAA compliant. The second type of text message is sent using a specific message app. While the app may encrypt the message in transport, this information is not handled in a HIPAA compliant manner, which runs the servers. It is for this reason that these companies should clearly state that their products are not HIPAA compliant.
Sponsor: Printing Company Michigan