Marketing to Patients via
Texting and E-mail:
HIPAA, TCPA, and CAN-SPAM
Considerations
Presented By:
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
Live Webinar
On
Agenda
• What is marketing in health care and how is it different
from health care communications?
• Identify HIPAA marketing limitations
• Discuss how E-mail and Texting can work under HIPAA
• Identify guidance from HHS for patient communications
• Look at limitations under TCPA and CAN-SPAM
• Show the process that must be used in the event of breach
• Learn about being prepared for enforcement and auditing
• Learn how to approach compliance
• Q&A session
My Background
• Disclaimer: I am an engineer and not a lawyer. This is not legal
advice – I am only providing information and resources
• BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT
• 36 years in consulting, information systems, software development,
and security
• Process, problem-solving oriented
• 8 years as Vermont EMT, crew chief
• 18 years specializing in HIPAA and health information privacy and
security regulatory compliance
• See www.lewiscreeksystems.com for more details, resources,
information security compliance news, etc.
HIPAA Privacy & Security Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Access of PHI is a hot button issue for HHS
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security
risks
HIPAA Breach Notification Rule
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of breaches of unsecured PHI to HHS and to the
affected individuals (and to the media for breaches affecting more
than 500 residents of a state)
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• 2013 Omnibus Update Rule, with Preamble, available at:
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-
01073.pdf
• Combined Rules as of March 2013 published by HHS OCR,
available at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined
/index.html
Marketing and HIPAA
• §164.501 Definitions – Marketing: to make a communication about
a product or service that encourages recipients of the
communication to purchase or use the product or service
• Marketing Does Not Include:
– Refill Reminders (unless 3rd party payments to do so exceed costs)
– And, unless there is financial remuneration for doing so:
• Information on Treatment; Case Management; Care Coordination; and
Alternative Treatments, Therapies, Providers or Settings of Care
• Health-related product or service provided by the entity or related to a
plan of benefits of the entity
• Contact for Case Management or Coordination of Care about treatment
alternatives that do not fall within the definition of treatment
Communications for Healthcare Purposes
• These are allowed without a HIPAA Authorization
• Annual check-up reminders
• Refill Reminders about a drug or biologic currently
prescribed
– Also includes communications on adherence, administration
– Does not include reminders that are remunerated above costs
by a third party
• New treatments, therapies, coordination of care related to
a condition the individual has been treated for by the entity
• Also communications to promote an entity’s product or
service not related to the condition treated
Communications for Marketing Purposes
• §164.508(a)(3): Must have a HIPAA Authorization from
the individual to market to them using any PHI, except
for:
– Face-to-face communications
– Promotional gift of nominal value
• If there is remuneration by a third party for conducting
the marketing activity, the Authorization must state so
• Authorization not required for general informational
marketing, non-targeted, such as newsletters, or
fundraising activities
Sale of PHI May Also Be Marketing
• Providing PHI for another entity to use for their own
marketing purposes requires a HIPAA Authorization
• No exceptions if Sale is for Marketing purposes
• If there is remuneration, the Authorization must say so
• (Sale does not include disclosure for payment, to the
individual, as assets of the sale of a practice, for
research purposes – a few common sense exceptions
for the definition)
Not Marketing (1)
• Communications to describe a health-related product or service (or
payment for such product or service) that is provided by, or included in a
plan of benefits of, the covered entity making the communication,
including communications about:
– The entities participating in a health care provider network or health plan
network; Replacement of, or enhancements to, a health plan; and
– Health-related products or services available only to a health plan enrollee
that add value to, but are not part of, a plan of benefits
• Permits communications by a covered entity about its own products or
services. For example, it is not “marketing” when:
– A hospital uses its patient list to announce a new specialty group (e.g.,
orthopedic) or the acquisition of new equipment (e.g., x-ray machine or
magnetic resonance image machine) through a general mailing or publication
– A health plan sends a mailing to subscribers approaching Medicare eligible age
with materials describing its Medicare supplemental plan and an application
form
Not Marketing (2)
• A communication is not “marketing” if it is made for
treatment of the individual, for example:
– A pharmacy or other health care provider mails prescription
refill reminders to patients, or contracts with a mail house to do
so. (But remuneration above costs requires a HIPAA
Authorization stating that there is remuneration received)
– A primary care physician refers an individual to a specialist for a
follow-up test or provides free samples of a prescription drug to
a patient
Not Marketing (3)
• A communication is not “marketing” if it is made for case
management or care coordination for the individual, or to
direct or recommend alternative treatments, therapies,
health care providers, or settings of care to the individual, for
example:
– An endocrinologist shares a patient’s medical record with
several behavior management programs to determine which
program best suits the ongoing needs of the individual patient
– A hospital social worker shares medical record information with
various nursing homes in the course of recommending that the
patient be transferred from a hospital bed to a nursing home
No Authorization Required, Even If
Marketing, for…
• A communication does not require an authorization, even if it
is marketing:
– If it is in the form of a face-to-face communication made by a
covered entity to an individual;
– Or a promotional gift of nominal value provided by the covered
entity, for example:
• A hospital provides a free package of formula and other baby
products to new mothers as they leave the maternity ward
• An insurance agent sells a health insurance policy in person to a
customer and proceeds to also market a casualty and life
insurance policy as well
Be careful with patient testimonials!
• Must have a HIPAA Authorization for using any PHI for
patient testimonials, etc.
• Penalties have been levied for use of PHI for marketing
without Authorization
– $25,000 fine for posting patient testimonials, including full
names and full face photographic images, to its website
without obtaining valid, HIPAA-compliant authorizations
– https://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/agreements/complete-pt/index.html
What are the HIPAA considerations for
communications and Security?
• HIPAA Security Rule §164.312(e) requires
consideration of encryption of communications of PHI
as an Addressable Implementation Specification
• HIPAA Privacy Rule §164.522 and §164.524 give
patients rights of communication preferences and
access of information
• Making Patients happy
• Making HHS happy
Professional Communications with PHI
MUST be Protected
• Required HIPAA Risk Analysis shows risks of using insecure
communications such as plain e-mail and texting
• Organizations that discover they have used insecure
communications report insecure communications as a
breach
• Enforcement settlements have been based in part on the
use of insecure e-mail for professional communications
http://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/examples/phoenix-cardiac-
surgery/index.html
Many Prefer E-mail to Telephone
• Scheduling
• Reporting of status
• Inquiries about issues, treatments
• Requesting copies of records
• Communication of test results
• Can be more accurate than the phone
• Provides a documented record of
communication
Texting is Very Useful
• Fast way to communicate short messages
– Useful for Updates, Schedule Changes
– Easy to communicate if running late, etc.
– Quick communication of results, comments
• More appropriate than an e-mail or phone call
– Can be more discreet and private than a phone conversation
– Can be quicker than a phone call for short messages
– Can provide accurate information not dependent on voice
• Many communications used to go by Pager
– Many paging operations moving to texting now
– Texting is more interactive than paging
E-mail, Texting, and Security
• E-mail and texting are inherently insecure – communications are
not secured by default and may be retained or exposed by
unknown parties
• Secure e-mail solutions for general use are often cumbersome
• An individual’s e-mail could be accessed by a third party if a weak or
easy-to-guess password is used for the e-mail account
• Secure communications are essentially required as good practice
for professional communications
• Consumer-grade Yahoo Mail, Gmail, carrier texting, etc., are all
insecure means of communication, and their use for professional
communications of PHI may be considered a breach
• Technologies for securing communications are readily available
today
Managing Patient Communications
• It’s a Privacy thing: Patients may not appreciate the risks of loss of
privacy through the use of plain e-mail or texting
– HIPAA requires you to do your best to meet patient communication preferences
– Use Risk Analysis to evaluate and explain risks
– Texting is a relatively new technology, and its long-term privacy risks are not widely understood
• It’s a Medical Records thing: Texting or unmanaged e-mail does not
readily provide a paper trail of conversations and contacts
– If it’s part of patient care, it needs to be documented properly, and that requires
more than plain texting
• It’s a patient safety thing: Triage of incoming messages is essential
– Regular texting doesn’t automatically route to the most appropriate individual
– E-mail requires establishing auto response and routing capabilities
– Messages may arrive at all hours, 24/7 and may include a variety of information
and situations, including emergencies
– Messages must be managed to protect patients and provide appropriate service
If your Marketing includes PHI,
you must protect it
• If you are reaching out to patients with
messages that include their personal details,
– you need to send those securely,
– unless the patient would prefer to receive them
insecurely,
– or has signed an authorization for you to send the
information insecurely
TCPA and Communicating to Cell Phones
• Telephone Consumer Protection Act of 1991 limits
calls and messages to cell phones without consent
• Limits Robo-calling (including reminder calls)
• Be cautious, especially for any calls or texts relating
to billing
• Get consent up front to call or text the number
provided for healthcare and financial purposes,
including reminders and follow-up
TCPA and Communicating to Cell Phones
• Without consent, penalties apply for calling a cell phone or
leaving a payment-related message (voice or text)
• Without consent, healthcare-related messages to a cell phone are
permitted only within limits: no longer than one minute (voice) or
160 characters (text), and no more than one per day or three per
week; penalties apply for messages outside those limits
– This would include healthcare reminders, appointment reminders, etc.
Text and E-mail based
Marketing to Patients
• Marketing is encouraging the sale or use of a product
or service
• HIPAA Prohibits Marketing without an Authorization
• Marketing does NOT include communications for
healthcare operations or treatment options
• BUT! Communication for healthcare operations or
treatment options paid for above costs by a third
party IS Marketing and requires a HIPAA
Authorization
Texting and Marketing to Patients
• Using Texting for Marketing purposes requires
Authorization and must meet TCPA requirements
• Using Texting for healthcare operations or treatment
option communications does not require
Authorization but must meet TCPA requirements
• Using Texting for healthcare operations or treatment
option communications must meet TCPA
requirements and requires Authorization if there is
3rd party remuneration
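The consent, authorization and limit checks on the TCPA and texting slides above combine into a deny-by-default pre-send gate. The following is an added example written for this page, not code from the presenter or from any texting vendor. It assumes a hypothetical Recipient record holding the consent flags your intake process captured, treats the one-per-day and three-per-week caps as rolling 24-hour and 7-day windows (the conservative reading; the slides do not say calendar or rolling), does not apply those caps once TCPA consent is on file (an assumption; set your own organizational limits there), and counts characters with Python's len(), which is the unit the rule uses, rather than SMS segments.

```python
"""Pre-send policy gate for patient text messages (added example, not the presenter's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(Enum):
    HEALTHCARE = "healthcare"   # reminders, results, care coordination
    BILLING = "billing"         # payment-related messages
    MARKETING = "marketing"     # encourages purchase or use of a product or service


@dataclass
class Recipient:
    """Hypothetical record of what the patient agreed to at intake (assumption)."""
    number: str
    tcpa_consent: bool = False          # prior consent to be called/texted at this number
    hipaa_authorization: bool = False   # signed HIPAA marketing authorization on file
    opted_out: bool = False             # any STOP / do-not-text request
    sent_at: list = field(default_factory=list)  # UTC timestamps of prior healthcare texts


# Limits from the TCPA slide for healthcare texts sent without prior consent
TEXT_MAX_CHARS = 160
MAX_PER_DAY = 1
MAX_PER_WEEK = 3


def _count_since(sent_at, now, window):
    """Number of prior sends inside the rolling window (cutoff, now]."""
    cutoff = now - window
    return sum(1 for t in sent_at if cutoff < t <= now)


def evaluate(recipient, purpose, body, third_party_paid=False, now=None):
    """Return (allowed, reason). Anything not explicitly permitted is refused."""
    now = now or datetime.now(timezone.utc)
    if recipient.opted_out:
        return False, "recipient opted out; the request must be honored"

    if purpose is Purpose.MARKETING:
        if not recipient.hipaa_authorization:
            return False, "marketing using PHI requires a HIPAA authorization (45 CFR 164.508(a)(3))"
        if not recipient.tcpa_consent:
            return False, "marketing text to a cell phone requires TCPA consent"
        return True, "marketing: authorization and consent on file"

    if purpose is Purpose.BILLING:
        if not recipient.tcpa_consent:
            return False, "payment-related text to a cell phone without consent"
        return True, "billing: consent on file"

    # Purpose.HEALTHCARE: treatment / operations communications
    if third_party_paid and not recipient.hipaa_authorization:
        return False, "third-party remuneration above cost makes this marketing; authorization required"
    if recipient.tcpa_consent:
        return True, "healthcare: consent on file"
    # No consent: only the limited healthcare-message allowance applies
    if len(body) > TEXT_MAX_CHARS:
        return False, f"{len(body)} characters exceeds {TEXT_MAX_CHARS} allowed without consent"
    if _count_since(recipient.sent_at, now, timedelta(days=1)) >= MAX_PER_DAY:
        return False, "already sent a healthcare text in the last 24 hours"
    if _count_since(recipient.sent_at, now, timedelta(days=7)) >= MAX_PER_WEEK:
        return False, "already sent three healthcare texts in the last 7 days"
    return True, "healthcare: within no-consent limits"


def send(recipient, purpose, body, **kw):
    """Evaluate, and on success record the send so the rolling caps stay accurate."""
    ok, reason = evaluate(recipient, purpose, body, **kw)
    if ok:
        recipient.sent_at.append(kw.get("now") or datetime.now(timezone.utc))
    return ok, reason


if __name__ == "__main__":
    # Constructed sample: a patient who has not yet consented to texts
    patient = Recipient(number="+15555550100")
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    print(send(patient, Purpose.HEALTHCARE, "Reminder: appointment tomorrow at 10am.", now=t0))
    print(evaluate(patient, Purpose.HEALTHCARE, "Second reminder today", now=t0 + timedelta(hours=1)))
    print(evaluate(patient, Purpose.MARKETING, "Try our new wellness program!", now=t0))
```

Every decision, including refusals, should be logged with the reason string: the slides stress that both HHS and the TCPA rely on documentation, and a refusal log is also what shows that a texting risk was analyzed rather than ignored.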
E-mail Marketing and CAN-SPAM
• Covers all commercial messages, which the law defines as
“any electronic mail message the primary purpose of which
is the commercial advertisement or promotion of a
commercial product or service”
• Each separate email in violation of the CAN-SPAM Act is
subject to penalties of up to $40,654 (the figure in the FTC
guide at the time of this presentation; the FTC adjusts the
maximum for inflation each year)
• https://www.ftc.gov/tips-advice/business-
center/guidance/can-spam-act-compliance-guide-business
E-mail Marketing and CAN-SPAM
1.Don’t use false or misleading header information. Your
“From,” “To,” “Reply-To,” and routing information – including
the originating domain name and email address – must be
accurate and identify who initiated the message.
2.Don’t use deceptive subject lines. The subject line must
accurately reflect the content of the message.
3.Identify the message as an ad. You must disclose clearly and
conspicuously that your message is an advertisement.
4.Tell recipients where you’re located. Your message must
include your valid physical postal address: current street
address, a post office box registered with the U.S. Postal
Service, or a private mailbox registered with a commercial mail
receiving agency.
5.Tell recipients how to opt out of receiving future email from you via a
return email address or other easy Internet-based way. You may allow a
recipient to opt out of certain types of messages, but you must include
the option to stop all ads. Make sure your spam filter doesn’t block opt-
out requests.
6.Honor opt-out requests promptly. Your opt-out mechanism must be able to
process requests for at least 30 days after you send your message, and you
must honor a request within 10 business days. You can’t charge a
fee, require the recipient to give you personally identifying information
beyond an email address, or make the recipient do more than sending a
reply email or visiting a single page on an Internet website as a
condition. Once opted out, you can’t sell or transfer their email
addresses. You may transfer the addresses to a company you’ve hired to
help you comply with the CAN-SPAM Act.
7.Monitor what others are doing on your behalf. If you hire another
company to handle your email marketing, both you and the company
that actually sends the message may be held legally responsible.
Potential Mobile Device Issues
• Information provided to the wrong individual through poor
authentication and access control, leading to a “small”
breach and a healthcare threat
• Patient loses control of device exposing their data or
allowing impersonation (their problem) and potentially
exposing additional data or providing faulty data (whose
problem?)
• Provider loses control of device potentially allowing
impersonation or exposing extensive data (big problem)
and potentially providing access to provider systems (bigger
problem)
• Data travels through insecure channels and may remain,
accessible, on systems
Individual Access of PHI
• Must have a process for individual to request access for free, with
copies for a reasonable cost-based fee
• Must have a process for managing denials of access
• Must provide the entire record in the Designated Record Set if
requested:
– Medical and billing records used in whole or in part to make decisions
related to health care
– Exceptions for Psychotherapy notes, information for civil, criminal, or
administrative proceedings, if harm may result, other specific exceptions
– Information kept electronically must be available electronically if
requested
– Lab results now may be accessed by the individual, effective April 7, 2014
• 30-day extension for offsite data no longer allowed
• Access of PHI by individuals is a HOT BUTTON issue for HHS
Patient Rights
• Discussed in the Guidance on Individual Access of Information from
HHS, initially published in January of 2016 and updated since then
• Privacy Rule §164.522(b)(1) Standard: Confidential Communications
Requirements
– (i) A covered health care provider must permit individuals to request and
must accommodate reasonable requests by individuals to receive
communications of protected health information from the covered health
care provider by alternative means or at alternative locations.
• Privacy Rule §164.524(c) Provision of Access
– (2) Form of access requested. (i) The covered entity must provide the
individual with access to the protected health information in the form or
format requested by the individual, if it is readily producible in such form
or format; or, if not, in a readable hard copy form or such other form or
format as agreed to by the covered entity and the individual.
– (ii) If PHI is electronic, individual may request electronic copy.
Communication with Patients
requires flexibility
• Provide a variety of means of communication
that you understand and manage
• Provide and encourage using secure solutions for
communications
• Be prepared to respond to requests to do other
than your preferences
• Need to have policies and processes for such
decisions, and documentation
Secure Texting Solutions
• Secure Texting for Business Use with PHI (encrypted with no
documentation capability)
– Telegram (note: only Telegram’s “Secret Chats” are end-to-end
encrypted; ordinary chats are stored on Telegram’s servers)
– WickrMe
– Signal
• Secure Texting for official Business Use (incl. documentation & reporting)
– Cortext by Imprivata – http://www.imprivata.com/secure-messaging
– TigerText – http://www.tigertext.com/messaging-for-healthcare/
– DocHalo – http://www.dochalo.com/secure-texting.html
• Secure Texting as part of an Integrated Communications Solution
– pingMD – https://www.pingmd.com
– OhMD – http://www.ohmd.com
• Free App, easy to sign up and authenticate on-line
• Office implementation integrates with the EHR
• Messages from patients go to team for Triage
• Fantastic acceptance by individuals and providers
Communications and
Access Guidance
• HHS Guidance and Preamble discussions in new rules say unencrypted e-mail
between providers and patients is permitted if requested, per §164.522,
§164.524
• January 2016 Guidance on Access of PHI by Individuals:
http://www.hhs.gov/hipaa/for-
professionals/privacy/guidance/access/index.html
• See HHS Guidance, Question 3, page 3:
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/s
pecial/healthit/safeguards.pdf
• See Preamble to Omnibus Update, page 5634:
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• See Preamble to CLIA/HIPAA Modifications, page 7302:
http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf
• Guidance on Access of PHI, particularly re minors, mental health and opioid
abuse: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-
health/index.html
So, how are we allowed to
communicate with patients?
• Do what the patient or their representative wants
– Meet HIPAA Requirements
– Accommodate what you reasonably can
• Meet the Patient’s needs
– Communication with the office for scheduling, prescription
renewals, etc.
– Discussion of particular health issues
– Access of Medical Records, test results
• Do what you can handle properly
– For Patient Care
– For Medical Records
Information Security
Management Process
• Definition of Information Security – Protecting:
– Confidentiality
– Integrity
– Availability
• Definition of a Management Process:
– Define and understand what you have
– See how well it performs
– Watch for problems
– Review activities and issues
– Make changes based on bang-for-buck
Information Security
Management Process
• Information Inventory and Flow Analysis
• Access and Configuration Control
• Know who and what’s been going on in your networks
and systems
• Respond to and learn from Incidents
• Audit and review regularly, and when operations or
environment change
• Make risk-based improvements
• Focus: Confidentiality, Integrity, Availability
Calculating/Evaluating Risk
• Each Risk Issue has an Impact and Likelihood
– Impact is how great the damage would be; more information about
more people with more detail has a greater Impact
– Likelihood is how likely it is that the risk issue would become a reality
• Risk = Impact x Likelihood
• If risk level appears low, it may be acceptable to both the
entity and the individual
– An informed risk decision can be made about the importance of
mitigating certain risks
– Individuals can make an informed risk decision to exert their rights
Security Policy Framework
• Cover the Administrative, Physical, and Technical Safeguards
• Four Basic Policies or Policy Types
– Security Management Process
– Information Access Controls
– Data Management (Contingency-Backup-Retention)
– User Policy
• Include enabling language in Policy
• Define details in Procedures
• Documentation, Documentation, Documentation
Policy on Using Insecure Communications
with Patients
• Insecure communications with PHI are prohibited between professionals
• Define the usual, preferred, secure means of communication, and the
preferred insecure alternatives
– Consider what you are “reasonably able” to do
• Require patient to request using insecure communication methods, and
indicate preferred method to be used
• If another method is requested, consider it according to §164.522(b)(2)
and §164.524(c) and guidance
• If an insecure alternative method is granted:
– Explain risks
– Obtain consent (with signature if appropriate)
– Inform those who communicate of the preference
• Document the request and consent or denial
Portable Technology Policy
• Responsibility to use devices securely
– Physical and technical security
• Must protect devices and any PHI on them
– Good passcodes and encryption
• IT approval for access; required settings
– Auto-wiping and remote wiping
• Security of passwords
• Don’t intermingle personal and patient e-mail & texts
• Remote Use of PHI is subject to controls
• Must inform manager if lost or stolen
• Must have device cleared of any PHI prior to trade-in
Security & Incident Policy Help
• The SANS Security Policy Project
– A Short Primer For Developing Security Policies, samples, guidance
– Available at: http://www.sans.org/resources/policies/
• New York University HIPAA security policies
– A good level of detail; many of the concepts are directly transferable
– http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-
guidelines/hipaa-policies.html
• NIST Guide for Cybersecurity Event Recovery
SP 800-184, an excellent overall guide that now incorporates incident handling and
contingency planning:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
• NIST Computer Security Incident Handling Guide
SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a
computer security incident policy and process:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• In addition, the September 2012 NIST ITL Bulletin
focuses on the revised SP 800-61, available at:
http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf
When Communications Go Awry
• Breach may be any acquisition, access, use, or disclosure of PHI in
violation of the Privacy Rule, except when:
– Unintentional acquisition, access, or use by a workforce member, in
good faith and within job scope, with no further use or disclosure;
– Inadvertent disclosure between persons authorized to access PHI at
the same entity, with no further use or disclosure; or,
– The recipient could not reasonably have retained the information
(returned, sealed, unopened)
• A Breach but Not Reportable if:
– Destroyed, or Secured per HHS guidance
• Otherwise, must report unless there is a “low probability of
compromise” of the data, based on a risk assessment including:
– What was the info (and is its release “adverse to the individual”)
– To whom it was disclosed
– Was it actually acquired or viewed
– The extent of mitigation
• If Ransomware is involved, also consider integrity and availability
Is It a Reportable Breach?
Breach Analysis, Plain e-mail, and Texting
• Compromise: loss of control or a violation of
security policy that may result in exposure,
corruption, or loss of information
– What is the information concerned?
– How well identified is it?
– How clearly is it health information?
– What is the context?
• What do we know about where plain e-mails and
text messages go and who looks at them? Many
unknowns!
• Mitigation through disclaimers helps the analysis: a disclaimer that
asks an unintended recipient to delete the message and confirm
supports the mitigation factor, but it does not secure the message
itself
Learning from Past Breaches
• Breaches are caused by hackers, loss of PHI, theft
of PHI, malicious insiders, and user errors
• Breaches are prevented by good processes, good
security methods, and good people who know
how to do the right thing carefully
• Breaches can lead to enforcement penalties in
the millions of dollars
https://www.hhs.gov/hipaa/for-
professionals/compliance-
enforcement/agreements/index.html
Trends in Breaches
• Hacking impact is way UP
• Laptops and Portable Electronic Devices still the
leading preventable cause of breaches
• Malicious Insiders still a threat
• Increasing new threats from new technologies,
like insecure e-mail, texting, and social media
• Most small breaches affect one or two individuals
– paper handling mistakes
• http://www.hhs.gov/hipaa/for-
professionals/breach-notification/reports-
congress/index.html
Tiered Penalty Structure
• Tier 1: Did not know and, with reasonable diligence, would not have known
– $100 - $50,000 per violation (may use an Affirmative Defense if no willful neglect)
• Tier 2: Violation due to reasonable cause and not willful neglect
– $1000 - $50,000 per violation (may get a Waiver if no willful neglect)
• Willful Neglect: Conscious, intentional failure or reckless indifference to the
obligation to comply with the administrative simplification provision violated
• Willful Neglect complaints must be investigated, and ignorance is no excuse
• Tier 3: Violation due to willful neglect and corrected within 30 days of when
known or should have been known with reasonable diligence
– $10,000 - $50,000 per violation (no Waiver or Affirmative Defense available)
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of
when known or should have been known with reasonable diligence
– $50,000 per violation (no Waiver or Affirmative Defense available)
• $1.5 million maximum for all violations of a similar type in a calendar year
Enforcement and Communications
• Almost too many laptop, portable device and lack of
security process settlements to count!
– $100K settlement with a physician’s office: using insecure
e-mail & calendar, no risk analysis or security policies
– $3.2 million Civil Money Penalty for Children’s Medical
Center of Dallas for knowing they had risks of insecure
portable devices and doing nothing about it
• Texting has been recognized as an under-reported
breach issue
• Ignoring Texting in your Risk Analysis may be seen as
Willful Neglect
What is a HIPAA Audit?
• HITECH §13411 requires HHS to conduct periodic audits; initial
program in 2012, second round initiated in 2016
• If you haven’t been notified, you will not get an audit this round
• Be able to show you have in place the policies and procedures
required by the HIPAA Privacy, Security, and Breach Notification
Rules
• Show you have been using them
– e.g., Show access policy, access requests, and approvals or denials
– e.g., Show risk analysis and risk management policy and
reports/documentation
• 2 week notice! – You must be prepared in advance or it’s too late!
• http://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/audit/index.html
2012 HIPAA Audit Program Highlights
• Overall
– Small covered entities (30% of the sample) had 66% of the deficiencies
– Health care providers (50% of the sample) had 81% of the deficiencies
– Security findings were 2/3 of the issues
• Security issues
– User activity monitoring
– Contingency planning
– Authentication/integrity
– Media reuse and destruction
– Risk assessment
– Granting and modifying user
access
• Privacy Issues
– Review process for denials of
patient access to records
– Failure to provide appropriate
patient access to records
– Lack of policies and procedures
– Uses and disclosures of decedent
information
– Disclosures to personal
representatives
– Business associate contracts
Change in Focus for 2016 Audit Program
• Not a general, soup-to-nuts review like in 2012
• 166 Desk Audits, specific to particular problem areas revealed in
prior Audits, Breaches, and Enforcement Actions
– Privacy Rule
• Notice of Privacy Practices & Content Requirements §164.520(a)(1), (b)(1)
• Provision of Notice - Electronic Notice §164.520(c)(3)
• Right to Access §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)
– Breach Notification Rule
• Timeliness of Notification §164.404(b)
• Content of Notification §164.404(c)(1)
– Security Rule
• Security Management Process – Risk Analysis §164.308(a)(1)(ii)(A)
• Security Management Process – Risk Management §164.308(a)(1)(ii)(B)
• 41 Business Associates audited beginning November 2016
• On-site Audits for 2017 CANCELLED
What might I be asked in an
Audit or Enforcement Investigation?
• 42 questions asked in first OIG HIPAA Security audit in March 2007:
http://tinyurl.com/meupq8t
• CMS OESS 2008 Interview and Document Request for HIPAA Security
Onsite Investigations and Compliance Reviews:
http://tinyurl.com/27eakjz
• Questions asked of a small provider after a data breach involving
theft of a laptop and server: http://tinyurl.com/3jpoa4p
• Questions asked in the first round of 2012 HIPAA random audits (still
a good framework of questions): http://tinyurl.com/jdoz47z
• The 2016 HIPAA Audit Protocol, at: http://www.hhs.gov/hipaa/for-
professionals/compliance-enforcement/audit/protocol-
current/index.html
Your To-Do List
• Don’t be in denial – willful neglect costs more than
compliance
• Evaluate your marketing plans and define healthcare
communications
• Review and update your policies and procedures regarding
marketing and communications
• Establish your processes for Risk Analysis and
Documentation
• Review your compliance with HIPAA, TCPA, and CAN-SPAM
• Conduct drills in audit and breach response
• Make corrections based on results
• Always have a plan for moving forward, and follow it!
Thank you!
Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com
55
Skillacquire - Marketing to Patients via Texting and E-mail Hipaa, TCPA and can-spam consideration

  • 1. Marketing to Patients via Texting and E-mail: HIPAA, TCPA, and CAN-SPAM Considerations Presented By: Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC 1 Live Webinar On
  • 2. Agenda • What is marketing in health care and how is it different from health care communications? • Identify HIPAA marketing limitations • Discuss how E-mail and Texting can work under HIPAA • Identify guidance from HHS for patient communications • Look at limitations under TCPA and CAN-SPAM • Show the process that must be used in the event of breach • Learn about being prepared for enforcement and auditing • Learn how to approach compliance • Q&A session 2
  • 3. My Background • Disclaimer: I am an engineer and not a lawyer. This is not legal advice – I am only providing information and resources • BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT • 36 years in consulting, information systems, software development, and security • Process, problem-solving oriented • 8 years as Vermont EMT, crew chief • 18 years specializing in HIPAA and health information privacy and security regulatory compliance • See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc. 3
  • 4. HIPAA Privacy & Security Rules • Privacy Rule – 45 CFR §164.5xx; Enforceable since 2003 – Establishes Rights of Individuals – Controls on Uses and Disclosures – Access of PHI is a hot button issue for HHS • Security Rule – 45 CFR §164.3xx; Enforceable since 2005 – Applies to all electronic PHI – Flexible, customizable approach to health information security – Uses Risk Analysis to identify and plan the mitigation of security risks 4
  • 5. HIPAA Breach Notification Rule • Breach Notification Rule – 45 CFR §164.4xx; Enforceable since February 2010 – Requires reporting of all PHI breaches to HHS and individuals – Extensive/expensive obligations – Provides examples of what not to do on the HHS “Wall of Shame”: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf • 2013 Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013- 01073.pdf • Combined Rules as of March 2013 published by HHS OCR, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined /index.html 5
  • 6. Marketing and HIPAA • §164.501 Definitions – Marketing: to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service • Marketing Does Not Include: – Refill Reminders (unless 3rd party payments to do so exceed costs) – And, unless there is financial remuneration for doing so: • Information on Treatment; Case Management; Care Coordination; and Alternative Treatments, Therapies, Providers or Settings of Care • Health-related product or service provided by the entity or related to a plan of benefits of the entity • Contact for Case Management or Coordination of Care about treatment alternatives that do not fall within the definition of treatment 6
  • 7. Communications for Healthcare Purposes • These are allowed without a HIPAA Authorization • Annual check-up reminders • Refill Reminders about a drug or biologic currently prescribed – Also includes communications on adherence, administration – Does not include reminders that are remunerated above costs by a third party • New treatments, therapies, coordination of care related to a condition the individual has been treated for by the entity • Also communications to promote an entity’s product or service not related to the condition treated 7
  • 8. Communications for Marketing Purposes • §164.508(a)(3): Must have a HIPAA Authorization from the individual to market to them using any PHI, except for: – Face-to-face communications – Promotional gift of nominal value • If there is remuneration by a third party for conducting the marketing activity, the Authorization must state so • Authorization not required for general informational marketing, non-targeted, such as newsletters, or fundraising activities 8
  • 9. Sale of PHI May Also Be Marketing • Providing PHI for another entity to use for their own marketing purposes requires a HIPAA Authorization • No exceptions if Sale is for Marketing purposes • If there is remuneration, the Authorization must say so • (Sale does not include disclosure for payment, to the individual, as assets of the sale of a practice, for research purposes – a few common sense exceptions for the definition) 9
  • 10. Not Marketing (1) • Communications to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: – The entities participating in a health care provider network or health plan network; Replacement of, or enhancements to, a health plan; and – Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits • Permits communications by a covered entity about its own products or services. For example, it is not “marketing” when: – A hospital uses its patient list to announce a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication – A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form 10
  • 11. Not Marketing (2) • A communication is not “marketing” if it is made for treatment of the individual, for example: – A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so. (But remuneration above costs requires a HIPAA Authorization stating that there is remuneration received) – A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient 11
  • 12. Not Marketing (3) • A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, for example: – An endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient – A hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home 12
  • 13. No Authorization Required, Even If Marketing, for… • A communication does not require an authorization, even if it is marketing: – If it is in the form of a face-to-face communication made by a covered entity to an individual; – Or a promotional gift of nominal value provided by the covered entity, for example: • A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward • An insurance agent sells a health insurance policy in person to a customer and proceeds to also market a casualty and life insurance policy as well 13
  • 14. Be careful with patient testimonials! • Must have a HIPAA Authorization for using any PHI for patient testimonials, etc. • Penalties have been levied for use of PHI for marketing without Authorization – $25,000 fine for posting patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations – https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/agreements/complete-pt/index.html 14
  • 15. What are the HIPAA considerations for communications and Security? • HIPAA Security Rule §164.312(e) requires consideration of encryption of communications of PHI as an Addressable Implementation Specification • HIPAA Privacy Rule §164.522 and §164.524 give patients rights of communication preferences and access of information • Making Patients happy • Making HHS happy 15
  • 16. Professional Communications with PHI MUST be Protected • Required HIPAA Risk Analysis shows risks of using insecure communications such as plain e-mail and texting • Organizations that discover they have used insecure communications report insecure communications as a breach • Enforcement settlements have been based in part on the use of insecure e-mail for professional communications http://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/examples/phoenix-cardiac- surgery/index.html 16
  • 17. Many Prefer E-mail to Telephone • Scheduling • Reporting of status • Inquiries about issues, treatments • Requesting copies of records • Communication of test results • Can be more accurate than the phone • Provides a documented record of communication 17
  • 18. Texting is Very Useful • Fast way to communicate short messages – Useful for Updates, Schedule Changes – Easy to communicate if running late, etc. – Quick communication of results, comments • More appropriate than an e-mail or phone call – Can be more discreet and private than a phone conversation – Can be quicker than a phone call for short messages – Can provide accurate information not dependent on voice • Many communications used to go by Pager – Many paging operations moving to texting now – Texting is more interactive than paging 18
  • 19. E-mail, Texting, and Security • E-mail and texting are inherently insecure – communications are not secured by default and may be retained or exposed by unknown parties • Secure e-mail solutions for general use are often cumbersome • An individual’s e-mail could be accessed by a third party if a weak or easy-to-guess password is used for the e-mail account • Secure communications are essentially required as good practice for professional communications • Consumer-grade Yahoo mail, g-mail, texting, etc., are all insecure means of communication and their use for professional purposes may be considered a breach • Technologies for securing communications are readily available today 19
  • 20. Managing Patient Communications • It’s a Privacy thing: Patients may not appreciate the risks of loss of privacy through the use of plain e-mail or texting – HIPAA requires you to do your best to meet patient communication preferences – Use Risk Analysis to evaluate and explain risks – Texting is a new technology and people will not understand the risks long term • It’s a Medical Records thing: Texting or unmanaged e-mail does not readily provide a paper trail of conversations and contacts – If it’s part of patient care, it needs to be documented properly, and that requires more than plain texting • It’s a patient safety thing: Triage of incoming messages is essential – Regular texting doesn’t automatically route to the most appropriate individual – E-mail requires establishing auto response and routing capabilities – Messages may arrive at all hours, 24/7 and may include a variety of information and situations, including emergencies – Messages must be managed to protect patients and provide appropriate service 20
  • 21. If your Marketing includes PHI, you must protect it • If you are reaching out to patients with messages that include their personal details, – you need to send those securely, – unless the patient would prefer to receive them insecurely, – or has signed an authorization for you to send the information insecurely 21
  • 22. TCPA and Communicating to Cell Phones • Telephone Consumer Protection Act of 1991 limits calls and messages to cell phones without consent • Limits Robo-calling (including reminder calls) • Be cautious, especially for any calls or texts relating to billing • Get consent up front to call or text the number provided for healthcare and financial purposes, including reminders and follow-up 22
  • 23. TCPA and Communicating to Cell Phones • Penalties for, without consent, calling a cell phone or leaving a payment related message (voice or text) • Penalties for, without consent, calling a cell phone or leaving a healthcare related message more than one minute (voice) or 160 characters (text) long; no more than one per day or three per week – This would include healthcare reminders, appointment reminders, etc. 23
  • 24. Text and E-mail based Marketing to Patients • Marketing is encouraging the sale or use of a product or service • HIPAA Prohibits Marketing without an Authorization • Marketing does NOT include communications for healthcare operations or treatment options • BUT! Communication for healthcare operations or treatment options paid for above costs by a third party IS Marketing and requires a HIPAA Authorization 24
  • 25. Texting and Marketing to Patients • Using Texting for Marketing purposes requires Authorization and must meet TCPA requirements • Using Texting for healthcare operations or treatment option communications does not require Authorization but must meet TCPA requirements • Using Texting for healthcare operations or treatment option communications must meet TCPA requirements and requires Authorization if there is 3rd party remuneration 25
  • 26. E-mail Marketing and CAN-SPAM • Covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service” • Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $40,654 • https://www.ftc.gov/tips-advice/business- center/guidance/can-spam-act-compliance-guide-business 26
  • 27. E-mail Marketing and CAN-SPAM 1.Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify who initiated the message. 2.Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message. 3.Identify the message as an ad. You must disclose clearly and conspicuously that your message is an advertisement. 4.Tell recipients where you’re located. Your message must include your valid physical postal address: current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency. 27
  • 28. 5.Tell recipients how to opt out of receiving future email from you via a return email address or other easy Internet-based way. You may allow a recipient to opt out of certain types of messages, but you must include the option to stop all ads. Make sure your spam filter doesn’t block opt- out requests. 6.Honor opt-out requests promptly, for at least 30 days after you send your message, and honor it within 10 business days. You can’t charge a fee, require the recipient to give you personally identifying information beyond an email address, or make the recipient do more than sending a reply email or visiting a single page on an Internet website as a condition. Once opted out, you can’t sell or transfer their email addresses. You may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act. 7.Monitor what others are doing on your behalf. If you hire another company to handle your email marketing, both you and the company that actually sends the message may be held legally responsible. E-mail Marketing and CAN-SPAM 28
  • 29. Potential Mobile Device Issues • Information provided to the wrong individual through poor authentication and access control, leading to a “small” breach and a healthcare threat • Patient loses control of device exposing their data or allowing impersonation (their problem) and potentially exposing additional data or providing faulty data (whose problem?) • Provider loses control of device potentially allowing impersonation or exposing extensive data (big problem) and potentially providing access to provider systems (bigger problem) • Data travels through insecure channels and may remain, accessible, on systems 29
Individual Access of PHI
• Must have a process for individuals to request access for free, with copies for a reasonable cost-based fee
• Must have a process for managing denials of access
• Must provide the entire record in the Designated Record Set if requested:
– Medical and billing records used in whole or in part to make decisions related to health care
– Exceptions for psychotherapy notes, information compiled for civil, criminal, or administrative proceedings, cases where harm may result, and other specific exceptions
– Information kept electronically must be available electronically if requested
– Lab results may now be accessed by the individual, effective April 7, 2014
• The 30-day extension for offsite data is no longer allowed
• Access of PHI by individuals is a HOT BUTTON issue for HHS
30
Patient Rights
• Discussed in the Guidance on Individual Access of Information from HHS, initially published in January of 2016 and updated since then
• Privacy Rule §164.522(b)(1) Standard: Confidential Communications Requirements
– (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
• Privacy Rule §164.524(c) Provision of Access
– (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.
– (ii) If PHI is electronic, the individual may request an electronic copy.
31
Communication with Patients Requires Flexibility
• Provide a variety of means of communication that you understand and manage
• Provide and encourage using secure solutions for communications
• Be prepared to respond to requests to do other than your preferences
• Need to have policies and processes for such decisions, and documentation
32
Secure Texting Solutions
• Secure Texting for Business Use with PHI (encrypted, with no documentation capability)
– Telegram (note: only Telegram’s “Secret Chats” are end-to-end encrypted; its default chats are encrypted only between the client and Telegram’s servers)
– WickrMe
– Signal
• Secure Texting for official Business Use (incl. documentation & reporting)
– Cortext by Imprivata – http://www.imprivata.com/secure-messaging
– TigerText – http://www.tigertext.com/messaging-for-healthcare/
– DocHalo – http://www.dochalo.com/secure-texting.html
• Secure Texting as part of an Integrated Communications Solution
– pingMD – https://www.pingmd.com
– OhMD – http://www.ohmd.com
• Free app, easy to sign up and authenticate on-line
• Office implementation integrates with the EHR
• Messages from patients go to a team for triage
• Fantastic acceptance by individuals and providers
33
Communications and Access Guidance
• HHS Guidance and the Preamble discussions in the newer rules say unencrypted e-mail between providers and patients is permitted if the patient requests it after being advised of the risk, per §164.522 and §164.524
• January 2016 Guidance on Access of PHI by Individuals: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
• See HHS Guidance, Question 3, page 3: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf
• See Preamble to Omnibus Update, page 5634: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• See Preamble to CLIA/HIPAA Modifications, page 7302: http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf
• Guidance on Access of PHI, particularly re minors, mental health and opioid abuse: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
34
So, how are we allowed to communicate with patients?
• Do what the patient or their representative wants
– Meet HIPAA requirements
– Accommodate what you reasonably can
• Meet the patient’s needs
– Communication with the office for scheduling, prescription renewals, etc.
– Discussion of particular health issues
– Access of medical records, test results
• Do what you can handle properly
– For patient care
– For medical records
35
Information Security Management Process
• Definition of Information Security – Protecting:
– Confidentiality
– Integrity
– Availability
• Definition of a Management Process:
– Define and understand what you have
– See how well it performs
– Watch for problems
– Review activities and issues
– Make changes based on bang-for-buck
36
Information Security Management Process
• Information inventory and flow analysis
• Access and configuration control
• Know who and what’s been going on in your networks and systems
• Respond to and learn from incidents
• Audit and review regularly, and when operations or the environment change
• Make risk-based improvements
• Focus: Confidentiality, Integrity, Availability
37
Calculating/Evaluating Risk
• Each risk issue has an Impact and a Likelihood
– Impact is how great the damage would be; more information about more people, in more detail, has a greater Impact
– Likelihood is how likely it is that the risk issue would become a reality
• Risk = Impact × Likelihood
• If the risk level appears low, it may be acceptable to both the entity and the individual
– An informed risk decision can be made about the importance of mitigating certain risks
– Individuals can make an informed risk decision to exercise their rights
38
Security Policy Framework
• Cover the Administrative, Physical, and Technical Safeguards
• Four basic policies or policy types:
– Security Management Process
– Information Access Controls
– Data Management (Contingency, Backup, Retention)
– User Policy
• Include enabling language in the policy
• Define details in procedures
• Documentation, Documentation, Documentation
39
Policy on Using Insecure Communications with Patients
• Insecure communication of PHI between professionals is prohibited
• Define the usual, preferred, secure means of communication, and the preferred insecure alternatives
– Consider what you are “reasonably able” to do
• Require the patient to request any insecure communication method, and to indicate the method they prefer
• If another method is requested, consider it according to §164.522(b)(2), §164.524(c), and the HHS guidance
• If an insecure alternative method is granted:
– Explain the risks
– Obtain consent (with a signature if appropriate)
– Inform those who communicate with the patient of the preference
• Document the request and the consent or denial
40
Portable Technology Policy
• Responsibility to use devices securely
– Physical and technical security
• Must protect devices and any PHI on them
– Good passcodes and encryption
• IT approval for access; required settings
– Auto-wiping and remote wiping
• Security of passwords
• Don’t intermingle personal and patient e-mail & texts
• Remote use of PHI is subject to controls
• Must inform a manager if a device is lost or stolen
• Must have a device cleared of any PHI prior to trade-in
41
Security & Incident Policy Help
• The SANS Security Policy Project
– A short primer for developing security policies, samples, guidance
– Available at: http://www.sans.org/resources/policies/
• New York University HIPAA security policies
– A good level of detail; many of the concepts are directly transferable
– http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/hipaa-policies.html
• NIST Guide for Cybersecurity Event Recovery, SP 800-184, an excellent overall guide that now incorporates incident handling and contingency planning: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
• NIST Computer Security Incident Handling Guide, SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf
42
When Communications Go Awry
• A breach may be any acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule, except when:
– Unintentional use, in good faith, with no further use;
– Inadvertent use within job scope; or,
– The information cannot be retained (returned, sealed, unopened)
• A breach, but not reportable, if the PHI was:
– Destroyed, or secured (i.e., encrypted) per HHS guidance
• Otherwise, must report unless there is a “low probability of compromise” of the data, based on a risk assessment including:
– What the information was (and whether its release is “adverse to the individual”)
– To whom it was disclosed
– Whether it was actually acquired or viewed
– The extent of mitigation
• If ransomware is involved, also consider integrity and availability
43
Is It a Reportable Breach?
44
Breach Analysis, Plain E-mail, and Texting
• Compromise: loss of control or a violation of security policy that may result in exposure, corruption, or loss of information
– What is the information concerned?
– How well identified is it?
– How clearly is it health information?
– What is the context?
• What do we know about where plain e-mails and text messages go and who looks at them? Many unknowns!
• Mitigation through disclaimers helps
45
Learning from Past Breaches
• Breaches are caused by hackers, loss of PHI, theft of PHI, malicious insiders, and user errors
• Breaches are prevented by good processes, good security methods, and good people who know how to do the right thing carefully
• Breaches can lead to enforcement penalties in the millions of dollars: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
46
Trends in Breaches
• Hacking impact is way UP
• Laptops and portable electronic devices are still the leading preventable cause of breaches
• Malicious insiders are still a threat
• Increasing new threats from new technologies, like insecure e-mail, texting, and social media
• Most small breaches affect one or two individuals – paper-handling mistakes
• http://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html
47
Tiered Penalty Structure
• Tier 1: Did not know and, with reasonable diligence, would not have known
– $100 to $50,000 per violation (may use an Affirmative Defense if no willful neglect)
• Tier 2: Violation due to reasonable cause and not willful neglect
– $1,000 to $50,000 per violation (may get a Waiver if no willful neglect)
• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
• Willful Neglect complaints must be investigated, and ignorance is no excuse
• Tier 3: Violation due to willful neglect and corrected within 30 days of when it was known or should have been known with reasonable diligence
– $10,000 to $50,000 per violation (no Waiver or Affirmative Defense available)
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when it was known or should have been known with reasonable diligence
– $50,000 per violation (no Waiver or Affirmative Defense available)
• $1.5 million maximum for all violations of a similar type in a calendar year
48
Enforcement and Communications
• Almost too many laptop, portable device, and lack-of-security-process settlements to count!
– $100K settlement with a physician’s office: using insecure e-mail & calendar, no risk analysis or security policies
– $3.2 million Civil Money Penalty for Children’s Medical Center of Dallas for knowing they had risks from insecure portable devices and doing nothing about it
• Texting has been recognized as an under-reported breach issue
• Ignoring texting in your Risk Analysis may be seen as Willful Neglect
49
What is a HIPAA Audit?
• HITECH §13411 requires HHS to conduct periodic audits; initial program in 2012, second round initiated in 2016
• If you haven’t been notified, you will not get an audit this round
• Be able to show you have in place the policies and procedures required by the HIPAA Privacy, Security, and Breach Notification Rules
• Show you have been using them
– e.g., show the access policy, access requests, and approvals or denials
– e.g., show the risk analysis and risk management policy and reports/documentation
• 2-week notice! You must be prepared in advance or it’s too late!
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
50
2012 HIPAA Audit Program Highlights
• Overall
– Small covered entities (30% of the sample) had 66% of the deficiencies
– Health care providers (50% of the sample) had 81% of the deficiencies
– Security findings were 2/3 of the issues
• Security issues
– User activity monitoring
– Contingency planning
– Authentication/integrity
– Media reuse and destruction
– Risk assessment
– Granting and modifying user access
• Privacy issues
– Review process for denials of patient access to records
– Failure to provide appropriate patient access to records
– Lack of policies and procedures
– Uses and disclosures of decedent information
– Disclosures to personal representatives
– Business associate contracts
51
Change in Focus for the 2016 Audit Program
• Not a general, soup-to-nuts review like in 2012
• 166 desk audits, specific to particular problem areas revealed in prior audits, breaches, and enforcement actions
– Privacy Rule
  • Notice of Privacy Practices & Content Requirements §164.520(a)(1), (b)(1)
  • Provision of Notice – Electronic Notice §164.520(c)(3)
  • Right to Access §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)
– Breach Notification Rule
  • Timeliness of Notification §164.404(b)
  • Content of Notification §164.404(c)(1)
– Security Rule
  • Security Management Process – Risk Analysis §164.308(a)(1)(ii)(A)
  • Security Management Process – Risk Management §164.308(a)(1)(ii)(B)
• 41 business associates audited beginning November 2016
• On-site audits for 2017 CANCELLED
52
What might I be asked in an Audit or Enforcement Investigation?
• 42 questions asked in the first OIG HIPAA Security audit in March 2007: http://tinyurl.com/meupq8t
• CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews: http://tinyurl.com/27eakjz
• Questions asked of a small provider after a data breach involving theft of a laptop and server: http://tinyurl.com/3jpoa4p
• Questions asked in the first round of 2012 HIPAA random audits (still a good framework of questions): http://tinyurl.com/jdoz47z
• The 2016 HIPAA Audit Protocol, at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
53
Your To-Do List
• Don’t be in denial – willful neglect costs more than compliance
• Evaluate your marketing plans and define your healthcare communications
• Review and update your policies and procedures regarding marketing and communications
• Establish your processes for risk analysis and documentation
• Review your compliance with HIPAA, TCPA, and CAN-SPAM
• Conduct drills in audit and breach response
• Make corrections based on the results
• Always have a plan for moving forward, and follow it!
54
Thank you! Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com
55