Scheduling Telehealth Appointments
Telehealth expanded rapidly to deal with COVID-19. Providers routinely email and text patients to schedule appointments because it’s convenient. Patients overwhelmingly want to use regular (unencrypted) emails and text messages to schedule their telehealth appointments.
However, many providers put themselves at risk because they don’t follow simple, mandatory HIPAA rules for using unencrypted email and text messaging to schedule telehealth appointments. And they may risk violating another law that applies to texting patients, the Telephone Consumer Protection Act (TCPA). TCPA violations carry heavy financial consequences. But if you comply with HIPAA, you eliminate TCPA risks.
The number of inquiries we receive about emails and text messages indicates widespread and probably unintended violations of HIPAA compliance requirements for electronic communications. They also signal the TCPA violations that expose providers to more severe financial risk.
Unencrypted Communication is Risky
We have written about emails and texts before, because a common myth about HIPAA is that patients who email or text using an unencrypted method have consented to unencrypted communication, just by communicating with a provider this way. But that is not the case. A covered entity must obtain an individual’s consent to use unencrypted communication beforehand.
What is the big deal about encrypted vs. unencrypted email or text? We all communicate dozens of times a day with our family, work colleagues, social media, retail and grocery stores, etc., without giving it a thought. The big deal is that medical identity theft is a big business, and cyber thieves are searching for communications between a provider and a patient to steal medical identity. That information is way too easy to steal if the message is unencrypted.
HIPAA Requires Prior Consent
And since HIPAA is designed to maintain patient privacy and security, the HIPAA Privacy and Security Rules both require this protection. The TCPA, mentioned above, requires providers to follow the HIPAA Privacy Rule for text messaging.
There is a simple “safe harbor” rule that protects health care providers who want to communicate via email and text, but you must follow the steps.
The three-step safeguard for obtaining consent:
- first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
- if, after the light warning, the patient still wants standard email and text messages (as almost all do), you must follow their direction;
- document the light warning and the patient’s preference in writing.
The HIPAA three-step safeguard is a complete defense to the TCPA, because it documents prior express consent.
HIPAA Protects Privacy and The HIPAA E-Tool® Protects Providers
Knowing your risks, knowing what law applies, and following HIPAA doesn’t come naturally to most people. There are a LOT of rules.
The HIPAA E-Tool® has everything you need – policies, forms, legal citations and training – and ways to get answers to your questions. If you have a question, let us know.