Privacy, Privacy, Privacy
It’s hard for many of us to remember what the days before HIPAA were like, when access to patients’ health info was fair game for just about anyone. Medical and dental offices may grumble about the complications HIPAA added to their practices, but it was obviously a law whose time had come.
There are many aspects to the original rules, as well as those added through HITECH and Omnibus (and whatever comes next...) – our intent is to make sure that any of the requirements that apply to your practice website are followed to the letter.
The Notice of Privacy Practices
Every medical or dental practice website must have the latest copy of their Notice of Privacy Practices (NPP) published on their website. This needs to be either as a regular web page, or more commonly as a PDF document. We usually link to the NPP from the Patient Forms page, or if that’s not available on the footer of the home page.
If your practice doesn’t currently have an NPP we’ll be happy to create one for you. There’s a very patient-friendly new format that we’re using now (click on the icon at right to view) or we can use the traditional all-text format. Either one is approved for use by the HHS.
HIPAA regulations state that practices are required to provide the Notice to new patients and use their best efforts to obtain acknowledgment of receipt. This is often overlooked on practice websites; we’ll be happy to provide a secure online acknowledgement form upon request.
Patient Forms
There are two areas where healthcare practices can get into HIPAA trouble – unsecured patient forms and email (more on email below). If all you provide are non-submittable PDF forms on your website, there’s no privacy issue. If, however, you opt for the convenience and speed of online patient forms, they must follow a rigid set of rules set forth by HIPAA.
To begin with, they must reside on a secure URL (one starting with https://) – this assures the patients that they are in fact on your website and not filling out a renegade form that’s attempting to capture their data. Next, the form should submit the patient’s entries in an encrypted format, directly to a secure server. Please note that regular email is not a secure way to send anything. And even if you employ secure email for form submittal, there are a host of conditions to fulfill regarding the way you store this info (more on this below).
Our Secure Patient Forms Program provides a fully HIPAA-compliant method of patient form submission, storage and retrieval. We know of no other way to shortcut this procedure and still be compliant.
Patient Email
This is the biggest area we’ve seen of both non-compliance and outright confusion. Although email and texting are the preferred method of communication for many patients, there are three big areas of concern here (the first two of which are not even HIPAA-related).
“I’m having chest pains...”
We always advise our customers to never allow patients to email the practice directly. Unsolicited email of an emergency nature will most likely not receive your immediate attention, and could end in an undesired result – and maybe an undesired lawsuit. If you wish to allow patients to contact you electronically, it’s best to use a secure patient form that specifically states what the patient must do in an emergency instead of using the form.
“What your doctor won’t tell you about...”
Nobody likes spam email. Ever wonder how spammers get hold of your email address, and why it’s so hard to get off?
Let’s look at a common scenario. Someone hacks into your practice’s email account and harvests all your incoming and outgoing email addresses (and maybe even the message contents themselves). They then have a list of valid email addresses that were used in connection with a physician’s or dentist’s office. All it takes now is to contact one of the unethical list brokers they work with and make a sale, and your patients start getting spam emails targeting the diseases your office treats. If your patients then put two and two together...
“We’re contacting you to notify you of a breach of your Protected Health Information...”
Here’s the direct HIPAA issue. You’ve been emailing with your patients or referring providers (or surgery centers or hospitals or...) and someone hacks your email account or the server it lives on. If your emails are not fully encrypted end-to-end (including where they’re stored), and your server is not fully protected from physical or electronic intrusion, you’re operating in violation and are susceptible to a breach of your patients’ ePHI.
You may add all the disclaimers you want to the pages your email address is shown on – good luck with that in court. The only HIPAA compliant way to communicate electronically is with a dedicated, secure email system – ideally one that’s not on your premises (otherwise you have to provide 24/7 physical security, employee training, maintain system audit logs, etc.). We offer a complete secure email program that can take all that off your back!