HIPAA Compliance: Facts vs Myths
*Please remember that this is not to be construed as legal advice about HIPAA.
1) Is it true we are eligible for a Federal incentive check as part of Meaningful Use Stage II for using HIPAA compliant email?
A major component of Meaningful Use Stage II is "patient engagement." That means 5% of your patient population has to be registered for and communicating with your office electronically. While much of this will end up being routine requests for medical records, appointment questions, Rx requests and follow-up questions, much of it can be automated or handled by mid-level staff through a mobile-based secure messaging system. We say mobile because we have seen that desktop-based systems will most often fail to achieve patient participation rates significant enough for MUS2.
Unfortunately, most existing patient portals have failed to achieve the 5% meaningful use number quite simply because current patient portal technology was developed in the nineties and early 2000s, long before much of the American population had smart mobile devices and tablets. Because legacy patient portals lack the ability to handle SMS-based texts or mobile-device-based email, patients have simply not adopted them. So patients have continued to carry on with the pattern they know best: calling the office to book an in-office visit, even for tasks as routine as a prescription refill request.
A HIPAA compliant email system must incorporate text messaging from doctors to patients, email from mobile devices, and the ability to support the attachment of images from mobile device cameras and .pdf files from desktop computers. This would not only meet the criteria and allow for attestation of this component of Meaningful Use Stage II, but would complete what many argue is the most difficult to achieve component of receiving the Meaningful Use Stage II incentive payments for HIPAA compliance.
2) Can I achieve Meaningful Use Stage II with my current patient portal?
Statistically it is not likely that a medical provider organization with more than 2,000 covered and eligible patients could attest to the 5% meaningful use figure with a legacy desktop-based patient portal.
3) Email is secure for HIPAA compliance. Or email is not secure for HIPAA compliance.
While most email is not inherently encrypted, even encrypting the emails your office sends does not mean the receiving party can read them without installing the same software on their mobile device or desktop computer. Imagine your encrypted email recipient getting the following first message:
"You have received an encrypted message from HIPAA Compliance Hero LLC - the leaders of secure medical messaging. Download this app - trust us, there's no virus."
One can encrypt email for HIPAA compliance all they want, but it's unlikely the other party will read it. So in essence, such emails are useless even though they're encrypted.
4) Free email services meet standards for HIPAA compliance.
Most free email services are not HIPAA Omnibus compliant because they scan the contents of the email and match them with advertisements. The new HIPAA Compliance Omnibus Rule 2013 is different from the prior HIPAA regulations in that it accounts for the rise of free email services. While it seems petty and a major annoyance for medical practices, with the ubiquity of Internet-connected mobile devices this update to the HIPAA compliance rules protects patients. It was very smart of the committee to incorporate this component; here is an example of why this is relevant:
Patient Randal sends an email to his Dr. Lee about something he feels may be a sexually transmitted disease and includes a picture from his smartphone. Either Patient Randal or Dr. Lee mentions the words "genital herpes" in one of their email messages and suddenly, wherever Patient Randal goes online, he seems to see advertisements for Valtrex. This seems odd to his wife, who uses a shared tablet device and suddenly sees herpes treatment ads when she's on Zappos.com looking for shoes. Because advertising matching algorithms (this particular technique is called "retargeting") have become so accurate, scanning our medical emails in a free email service has the potential to violate HIPAA with alarming frequency and to the great embarrassment of our patients.
5) Texting patients is secure enough for HIPAA compliance. Texting patients is not secure enough for HIPAA compliance.
Texting patients was never secure and can never be secure. The rise of "Secure Text Messaging Apps" does not make texting secure. They simply mimic texting through an app-to-app service that both the initiating and receiving party must download, but it is not text messaging. This has the same inherent problem as encrypted email services: the other party must download the same app. Again, in essence, secure text messaging is not text, and though it may be secure, practically speaking it is largely ignored by patients.
6) I need an attorney or consultant to get our practice to meet HIPAA compliance standards.
It's true that any business should have good legal counsel. There are also HIPAA expert consultants who can help guide medium-sized and larger organizations through the HIPAA Omnibus update. It's not as costly or annoying as one would think, but, while it may be prudent to retain the services of a HIPAA Omnibus attorney or expert, the reality is that most small practices are under such financial pressure that they will likely rather risk penalties than make the upfront investment. For such practices that want to take the bare minimum steps to protect themselves, we recommend:
i) Sign up for and use the free version of DoctorBase PANDA 6. It's secure and mobile (works on phones and tablets as well as desktop computers), and it will help you achieve the 5% portion of Meaningful Use Stage II. And it's free.
ii) Complete a HIPAA Compliance Checklist. The firm Nixon Peabody has an example checklist for your practice and Business Associates.
* This is in no way meant to be a complete list or legal advice. And yes, our attorneys make us write sentences like this.
7) Can we charge patients for email access?
Yes. There is a CPT code and HHS and CMS have indicated they plan on reimbursing providers for digital communications when done using a certified and HIPAA compliant system that can produce activity reports.
The following are the CPT codes for Email and Phone by time blocks for physician phone consults and digital consults:
CPT Code 99441 for Phone Consult for Physicians of 5 to 10 minutes.
CPT Code 99442 for Phone Consult for Physicians of 11 to 20 minutes.
CPT Code 99443 for Phone Consult for Physicians of 21 to 31 minutes.
CPT Code 99444 for Digital Consults (Secure Email or Messaging) for Physicians.
8) Can mid-levels and other non-physician staff manage phone consults and emails?
It is very important to note that while many physicians have fears that their personal time will be deluged with phone calls and emails in an "open office," mid-levels can be reimbursed for phone and email triage and can turn this into a positive revenue generating process within the practice or group.
The following are the CPT codes for Email and Phone for Nurse, Nurse Practitioner or Physician Assistant phone consults and digital consults:
CPT Code 98966 for Phone Consult for Nurses, Nurse Practitioners and Physician Assistants of 5 to 10 minutes.
CPT Code 98967 for Phone Consult for Nurses, Nurse Practitioners and Physician Assistants of 11 to 20 minutes.
CPT Code 98968 for Phone Consult for Nurses, Nurse Practitioners and Physician Assistants of 21 to 31 minutes.
CPT Code 98969 for Digital Consults for Nurses, Nurse Practitioners and Physician Assistants.
9) Other than the law, why use secure forms of messaging?
In the 3 years that DoctorBase has been tracking consumer patient behavior on mobile devices, we have seen 4 - 5 star ratings of medical providers on social media sites become increasingly correlated with the acceptance of email as a form of communication. A study by Patty and Nathan Sakunkoo at Stanford University shows how consumers making even "important" choices are swayed by the star ratings of a minority online.
Even by our own internal metrics, we have seen a one star rise in ratings for a doctor correspond to approximately a 14.3% increase in online appointments (as measured across 5 specialties within CA and TX over a period of 37 months). A two star increase resulted in a 41.1% increase in online appointments, further reinforcing some of the findings in the Stanford study, which indicated that more reviews lead to even more reviews. Or as P.T. Barnum once stated, "a crowd draws a crowd."
Caveat Emptor: P.T. Barnum also stated that, "there's a sucker born every minute." But that never seemed to stop people from coming to the circus.
You get the point - reviews will have an economic impact on your business and hence, accepting patient email will positively affect your ratings in social media. The HIPAA Omnibus rule update can actually be a revenue generator for your practice when executed and adopted correctly.