Health information privacy is constantly evolving. As a result, many behavioral health professionals have questions about what actually counts as protected information, who may access it, and which forms of communication are HIPAA compliant. These questions are especially pertinent as our methods of communication continue to change and expand. As a medical billing company that provides revenue cycle and account management services to a variety of healthcare professionals, we here at ABCS RCM are regularly asked these questions. To clarify what is considered private, it is best to go to the source. Here is a brief summary of what HIPAA compliance actually is, and is not.
The Health Insurance Portability and Accountability Act (HIPAA) was first enacted on August 21, 1996. There are sections of the act that require the Secretary of Health & Human Services (HHS) to publicize standards for the electronic exchange, privacy and security of health information. According to the U.S. Department of Health & Human Services, the central principle of this privacy rule is “to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.” As a reminder, covered entities include: (1) health plans, (2) health care clearinghouses and (3) healthcare providers who electronically transmit any health information.
The Department of Health & Human Services continues by stating that “a covered entity may not use or disclose protected health information, except either: (1) As the Privacy Rule permits or requires. (2) As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.” So, when are individuals and organizations allowed to disclose or share a patient’s health information without the consent of that patient? According to the HHS, a covered entity is permitted to use and disclose protected health information without an individual authorization for the following reasons:
(1) To the Individual (unless required for access or accounting of disclosures).
(2) Treatment, Payment, and Health Care Operations.
(3) Opportunity to Agree or Object.
(4) Incident to an otherwise permitted use and disclosure.
(5) Public Interest and Benefit Activities.
(6) Limited Data Set for the purposes of research, public health or health care operations.
In 1996, when HIPAA was first enacted, the internet and email were seen as a technological curiosity. The vast majority of Americans did not even have email accounts. In a short period of time, the use of electronic communication has expanded rapidly across the US population, and the spread of smartphones has made sending information almost second nature. But if a behavioral health provider or staff member sends protected health information (PHI) through instant messaging, standard email or SMS text services, they are violating HIPAA requirements!
Instant messaging, text and email are convenient ways to communicate with patients and colleagues, but these forms of communication are not HIPAA compliant. All health professionals must maintain the integrity, accessibility and confidentiality of the PHI they hold. Typing any information creates a written record that should be included in the patient's health information. This is especially true when a medical decision is made in such a message but is not saved in the patient's medical record: future healthcare providers will not know about that decision. To remedy this problem, some EHRs and EMRs are adding secure messaging features to their systems. This does not mean that mental health or addiction treatment providers should never text their patients. Texting to schedule or confirm an appointment is helpful and HIPAA compliant. But health professionals should not discuss a patient's medical status or treatment over text messaging. Conversations like this need to occur over the phone or through another secure, HIPAA compliant method.
Naturally, many behavioral health providers run a "lean" operation and simply do not have the financial resources to purchase private, secure messaging software. Here is a list of three online services that provide HIPAA compliant communication and storage solutions for healthcare practitioners.
- Dropbox: Dropbox now offers a HIPAA Business Associate Agreement that includes their various cloud-based services. Dropbox is one of the most popular and well-developed cloud storage services.
- Google Cloud Storage: Google has a HIPAA Business Associate Agreement that covers Gmail, Google Drive, Google Calendar and Google Vault. If the file sharing feature is configured properly in Google Drive, it is a good option for HIPAA compliant cloud storage.
- OneDrive (Microsoft 365 / Office 365): Microsoft will sign a HIPAA Business Associate Agreement covering email, file storage, calendars and other parts of Microsoft Online. While these tools are sometimes more complex to use than Google's G Suite, Microsoft offers data loss prevention tools that can help keep your data safer.
Every behavioral health practice or substance abuse treatment facility needs to have clear HIPAA compliant communication policies in place. Once these policies are established, they should monitor communication methods and ensure that all members are actually following these policies.