ePHI Archives - LuxSci

Posts Tagged ‘ePHI’

Healthcare Marketing & HIPAA: Are you in Compliance?

Wednesday, September 14th, 2022

Healthcare Marketing Today

Marketing is essential to growing any business successfully, but when you work in regulated spaces such as healthcare, there are compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

HIPAA and Healthcare Marketing

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts in which the patient’s PHI will be used. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.


8 Common Misunderstandings of Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. If that transmission is not encrypted, anyone able to observe the traffic can read the recipient list along with the message.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA-Compliant

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip: do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. Remember that any tool you put PHI into must be HIPAA-compliant.


How LuxSci and Compliancy Group Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalize emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, no worries: we have you covered. LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA-compliant.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an automated software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion of their process. The Seal can be displayed on a practice’s website, email signature, and signage, and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.


Personalize Healthcare Communications to Improve the Patient Experience

Tuesday, August 16th, 2022

Recent survey results from CVS Health indicate that healthcare patients desire a more personalized healthcare experience. Over the last ten years, the online experience has become highly customized. Online vendors have more customer data and use it to extend personalized offers, reminders, and updates. Although people are concerned about online privacy, they are more likely to open and engage with relevant marketing communications.

As the healthcare industry has undergone digital transformation, more data is available in a digital format. But how and when can it be used? This article discusses how to use patient data to personalize healthcare communications without violating HIPAA requirements.


What is Healthcare Personalization?

Personalized health care places individuals at the center of the health care experience. Health care is a complex issue, and one system does not work for everyone. A person’s health status is influenced by many factors, including genetics, age, environment, social determinants, income, and countless others. A health care program that considers as many of these variables as possible can better address patient needs and increase access to care.

Why Personalize Healthcare Communications

Patients understand that their healthcare providers manage a lot of their personal data and want a personalized experience that respects their preferences. As audience segmentation and personalization techniques become more common in other industries like e-commerce and personal care, consumers expect the same experiences from their health care providers.

For example, say you order a jug of laundry detergent on Amazon. They can use common consumer data in combination with your last order date to estimate when you are likely to run out. Then, they can send an email reminder to encourage a reorder before you run out again. In a similar manner, healthcare providers should know when someone’s prescription is running low and could send a notification to let the patient know they need to refill, which helps improve medication adherence.

A recent survey by CVS Health found that 85% of patients find personalized care to be important. In fact, 83% expect their primary care provider to be aware of their family medical history, genetics and inherited lifestyle habits. 71% of consumers said it was very or somewhat important to their health that they have customized alerts and reminders of screenings and checkups. This is even more common among patients under 40. The next generation of healthcare consumers expects their healthcare to fit seamlessly into their normal lives.

Ways to Personalize the Healthcare Experience

There are many ways to personalize the healthcare experience, but they all depend on the available data. An easy way to start is by asking for patient preferences. Some common ways to personalize healthcare communications include collecting information about patient preferences:

  • Communication methods: How do they prefer to be contacted? Ask patients their preferred channels: email, texting, phone, and paper notifications are standard options.
  • Language proficiency: Is English their first language? If not, send communications in the person’s primary language.
  • Patient status: Are they active patients or overdue for regular screenings and appointments?

Looking at these attributes can help craft messages that appeal to patient subgroups.

The next level of personalization uses protected health information (PHI) to deliver extremely customized healthcare communications. The possibilities are truly endless, but here are a few examples to spark some ideas:

  • Medical conditions: Use information about patient medical conditions to send highly targeted communications about managing or preventing chronic conditions like depression, diabetes, and heart conditions.
  • Screening reminders: Remind patients when they are due for mammograms, colonoscopies, or other screenings that are ordered based on age or risk factors.
  • Patient retention and re-engagement: Did a patient skip their annual appointment or screening? Make it easy to reschedule by sending periodic reminders.
  • Insurance status: Send relevant communications based on the patient’s insurance status. For example, let healthcare marketplace insurance holders know about re-enrollment periods so they don’t drop their coverage.

Personalization provides a customizable healthcare experience for patients that eliminates friction and barriers to care. Using personalization to create educational campaigns can also help improve health outcomes. See How to Use ePHI to Segment and Personalize Email Marketing Campaigns for more information.

HIPAA Considerations in Customizable Healthcare

One reason that healthcare has been slow to adopt personalization techniques is HIPAA. These guidelines protect sensitive medical information and govern how it can be used. To send personalized messages like the examples discussed above, HIPAA guidelines must be followed. Some of the core requirements for sending HIPAA-compliant emails include:

  • Encryption
  • Access Controls
  • Backups and Archival
  • Anti-Malware Defenses
  • Identity Authorization
  • Reporting Mechanisms
  • Review Procedures and Policies

See our HIPAA-Compliant Email Checklist for more information about the requirements.

LuxSci offers several solutions for sending HIPAA-compliant personalized messages. Contact us today to learn more about our Secure High Volume Email and Secure Marketing tools.

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.


What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual
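As an added example (not LuxSci’s own tooling), the following Python scanner applies the identifier categories above to a billing record: payment-related text is flagged as PHI as soon as any one identifier ties it to a person, while a year on its own or an age of 89 or under does not count by itself. The regular expressions, the payment terms list and the sample records are constructed for illustration and cover only a subset of the 18 categories.

```python
import re

# Patterns for a subset of the 18 identifier categories. These are illustrative
# (an added example, not LuxSci's code); a production scanner would use a
# validated PII library and tune the patterns to each data source.
IDENTIFIER_PATTERNS = {
    "Name": re.compile(r"\bPatient(?: name)?:\s*[A-Z][a-z]+ [A-Z][a-z]+"),
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(
        r"(?<!\d)(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}(?!\d)"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Medical record number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "Account number": re.compile(
        r"\b(?:Acct|Account)(?:\s*(?:No\.?|#|:))?\s*\d{6,}\b", re.IGNORECASE),
    # A full date (month and day) is an identifier; a bare year is not.
    "Date element (other than year)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}
# An exact age over 89 is identifying even though younger ages are not.
AGE_RE = re.compile(r"\bage[:\s]+(\d{1,3})\b", re.IGNORECASE)

# Words that mark a record as payment-related (constructed list for the example).
PAYMENT_TERMS = ("invoice", "balance due", "copay", "amount due", "claim",
                 "insurance", "payment")


def find_identifiers(text):
    """Return the set of identifier categories present in the text."""
    found = {label for label, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)}
    for m in AGE_RE.finditer(text):
        if int(m.group(1)) > 89:
            found.add("Age over 89")
    return found


def contains_payment_info(text):
    lowered = text.lower()
    return any(term in lowered for term in PAYMENT_TERMS)


def classify_billing_record(text):
    """Return (is_phi, identifiers): payment data becomes PHI once any
    identifier ties it to an individual; de-identified aggregates do not."""
    identifiers = find_identifiers(text)
    return contains_payment_info(text) and bool(identifiers), identifiers


# Constructed sample records (not real patient data).
SAMPLE_STATEMENT = """\
Patient: Jane Doe   Age: 71   MRN 0048213   DOB 03/14/1951
Account #55021938 - Invoice for office visit on 2022-08-02, balance due $145.00
Questions? Call (617) 555-0134 or email billing@example-clinic.test
"""
DEIDENTIFIED_SUMMARY = ("Aggregate report: 2,340 claims processed in 2022, "
                        "average balance due $112.40.")

if __name__ == "__main__":
    for record in (SAMPLE_STATEMENT, DEIDENTIFIED_SUMMARY):
        is_phi, ids = classify_billing_record(record)
        print("PHI" if is_phi else "not PHI", sorted(ids))
```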

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities, who frequently work under HIPAA regulations, third parties may not fully understand them. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools
  • Creating audit logs and reviewing them for suspicious activities

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.
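The transport safeguards listed above, together with the BCC and TLS points from the marketing misunderstandings earlier on this page, as an added Python example that is not LuxSci’s code: it upgrades an SMTP session with STARTTLS and certificate verification before any message data is sent, refuses to send at all if the relay offers no STARTTLS, and sends one transaction per recipient so no envelope ever carries another patient’s address. RecordingSmtp, the addresses and the message text are constructed stand-ins for a real smtplib.SMTP connection.

```python
import ssl
from email.message import EmailMessage

SENDER = "billing@clinic.example"  # constructed addresses, not real patients
RECIPIENTS = ["patient1@example.test", "patient2@example.test"]


class TlsUnavailable(RuntimeError):
    """Relay offered no STARTTLS: fail closed rather than send ePHI in the clear."""


def bcc_envelope(to_addrs, bcc_addrs):
    """Model of a Bcc mailing on the wire: Bcc is stripped from the headers, but
    every address is still a RCPT TO command in the one SMTP transaction.
    Returns (envelope recipients, addresses visible in the To: header)."""
    return list(to_addrs) + list(bcc_addrs), list(to_addrs)


def build_individual_messages(sender, recipients, subject, body):
    """One message per recipient, so each SMTP transaction has one RCPT TO."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_with_enforced_tls(conn, sender, recipients, subject, body, tls_context=None):
    """conn: an smtplib.SMTP-compatible session already connected in plaintext.
    Upgrades to TLS with certificate verification before any message data is
    sent and refuses to continue if STARTTLS is not offered. Returns the single
    envelope recipient used in each transaction."""
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise TlsUnavailable("relay does not offer STARTTLS; refusing to send ePHI")
    conn.starttls(context=tls_context or ssl.create_default_context())
    conn.ehlo()  # re-identify over the encrypted channel; capabilities may differ
    sent_to = []
    for msg in build_individual_messages(sender, recipients, subject, body):
        conn.send_message(msg)  # envelope comes from To:, i.e. this one address
        sent_to.append(str(msg["To"]))
    return sent_to


class RecordingSmtp:
    """Constructed offline stand-in for smtplib.SMTP; records what would go on the wire."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls, self.tls_active = offers_starttls, False
        self.transactions = []  # (envelope recipients, sent over TLS?)

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        self.tls_active = True

    def send_message(self, msg, from_addr=None, to_addrs=None):
        rcpts = list(to_addrs) if to_addrs else [a.strip() for a in str(msg["To"]).split(",")]
        self.transactions.append((rcpts, self.tls_active))
        return {}


def run_demo(subject="Your statement is ready", body="Log in to view your balance."):
    """Exercise both paths against the stand-in and return the observations."""
    good = RecordingSmtp()
    sent = send_with_enforced_tls(good, SENDER, RECIPIENTS, subject, body)
    try:
        send_with_enforced_tls(RecordingSmtp(offers_starttls=False), SENDER, RECIPIENTS, subject, body)
        refused = False
    except TlsUnavailable:
        refused = True
    return {"sent_to": sent,
            "envelopes": [rcpts for rcpts, _ in good.transactions],
            "all_over_tls": all(tls for _, tls in good.transactions),
            "cleartext_refused": refused}


if __name__ == "__main__":
    print(run_demo())
    print(bcc_envelope(["front-desk@clinic.example"], RECIPIENTS))
```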

Using Technology to Address Clinician Burnout

Tuesday, April 26th, 2022

Even before the COVID-19 pandemic, challenges with clinician burnout were impacting the healthcare system. A 2019 British Medical Association (BMA) survey found 80% of doctors were at high or very high risk of burnout.

Enter the pandemic: staffing shortages, supply chain issues, and new regulations all contributed to an increase in clinician burnout over the last two years. This is a major issue: burned-out clinicians make more mistakes and have less satisfied patients. In this article, we discuss ways to use technology to address burnout and improve workflows.


Causes of Clinician Burnout

The COVID-19 pandemic illuminated just how fragile the healthcare workforce is. As COVID-19 swept across the country, front-line workers were under immense pressure to serve their patients in extremely stressful circumstances. In the early days of the pandemic, the lack of personal protective equipment required clinicians to put their lives on the line to care for patients. In addition, quarantines for COVID-19 exposure and family caretaking responsibilities drastically impacted staffing and patient-to-nurse levels. Healthcare workers often had no choice but to take on more shifts during highly stressful time periods to help patients get the care they deserve.

Even though the pandemic is winding down, clinicians are still experiencing the effects of burnout. Healthcare workers are leaving their jobs at high rates and in some cases leaving the field altogether. Workforce shortages, increasing stress, and clinical documentation requirements leave healthcare professionals increasingly burned out.

Ways to Alleviate Clinician Burnout with Digital Technology

Not only is burnout bad for health care providers, but it can also lead to mistakes and poor patient experiences. New technology can help alleviate burnout, but it is important to find a balance. Introducing new technologies without proper training or administration can increase stress and make things worse. EHRs are an example of a type of technology that is often a major cause of burnout. It is important to be thoughtful with any technology implementation.

Below, we discuss some ways to use technology to streamline and accelerate clinician workflows.

Reduce Administrative Burdens

New technology can help streamline administrative workflows. Let’s use an annual doctor’s appointment as an example. Upon arrival to an appointment, a patient fills out a paper form with their health conditions, medications, family history, and other information. It is collected by the front desk and the patient heads into the appointment, where they are often asked the same series of questions by the clinician, who hastily types the answers into the patient’s health record.

There is a better way to collect this information. By digitizing the patient intake form, the patient’s answers are automatically added to their health record, reducing administrative time. The clinician can spend more time providing health care, rather than filling out paperwork. Updating patient health records is one of the most time-consuming tasks that leads to burnout. Digitizing some of this paperwork reduces the administrative burden on clinicians.

Patient Education

Patient education is extremely important in a world of medical misinformation. However, it can also be a time-consuming process for front-line staff. Digitizing patient resources in the form of articles, videos, and PDFs is a convenient way to answer frequently asked questions.

Let’s use an example of a patient with a broken arm. They get a cast at the office and the doctor explains how to take care of it. However, when they get home and go to sleep, they wake up with an extremely itchy arm. They might be concerned and reach out to their healthcare provider. Instead of interrupting the clinician’s day with a phone call, the administrative staff can email pre-produced videos or articles explaining how to treat the itching and what they should do if it becomes more severe.

By creating these materials in advance, it is easy for clinicians to rapidly answer questions. In addition, patients can have their issues addressed quickly and will have a better experience. They also may be less likely to turn to social media to crowdsource at-home remedies.

Patient Communication

On that note, anyone who has tried to get in touch with their doctor by making a phone call knows how time-consuming and tedious it can be. Instead, encourage asynchronous messaging for non-urgent medical issues. Asynchronous messaging, like secure email and texting, is not immediate, and clinicians can respond whenever it is convenient. It is useful when requesting referrals and prescription refills.

Using a patient portal allows both doctors and administrators from the office to address the patient’s needs and distribute workflows in a way that makes sense. Although a patient may seek out a doctor, their issues may be more properly handled by a nurse or administrative staff.

Conclusion

Clinician burnout is a major issue impacting health systems and patient health outcomes. Tackling this challenge is a difficult task, but organizations should look into ways to use technology to improve and automate workflows.

Addressing Health Equity with Digital Communications

Tuesday, April 19th, 2022

According to a HIMSS Market Insights study, nine out of ten healthcare executives see health equity as a top business priority. Improving health equity can drive value for other business metrics including patient satisfaction, provider retention, health outcomes, and cost reduction. Using personalized, scalable digital communications can be an effective way to address health equity issues.


What is Health Equity?

According to the CDC, health equity is “achieved when every person has the opportunity to attain his or her full health potential and no one is disadvantaged from achieving this potential because of social position or other socially determined circumstances.”

Under President Biden, the Department of Health and Human Services has prioritized health equity in the response to the COVID-19 pandemic. COVID-19 highlighted the racial, economic, and social disparities of the healthcare system. COVID-19 killed Black, Latino, and Indigenous people at double the rate of White people. Native Hawaiians and Pacific Islanders remain three times as likely to contract the illness compared to White people. Addressing the social, cultural, racial, and economic factors that contribute to this disparity is essential to improving individual and population health.

Improve Health Equity with Digital Messaging

Digital messaging is just one tool that can be used to improve health equity. Today’s technologies make it easier to communicate with patients at scale. Email and text messaging are two scalable and cost-effective options for engaging with patients. To address health equity issues with email and text messaging, it is essential to utilize segmentation and personalization techniques.

Segmentation and Personalization

Thanks to the widespread use of EHR systems, healthcare marketers can access a wide variety of patient data. These health records not only contain information about health conditions, but also information about demographic and racial categories.

Marketers can create segments of patients that share common characteristics and develop messaging that speaks to their needs. Redpoint Global found that personalized messages had a response rate that was 7x that of generic messages. By personalizing digital communications, it is possible to reach more patients and improve health outcomes.

An Example of Personalization and Segmentation

Let’s use the COVID-19 vaccine rollout as an example. The vaccines were available for certain age groups first, with some exceptions for those with pre-existing conditions or job roles. Using demographic data from the patient database, marketers sent targeted campaigns to segments of patients when they were eligible for a vaccine appointment. These highly relevant emails were very effective at encouraging sign-ups.

Age is one way to segment the audience, but let’s take it another step further to address health equity. In addition to age information, a health record also contains information like the patient’s native language and communication preferences. Further segmenting the patient population using these factors and personalizing the message content can increase response rates and close care gaps. For example, sending a Spanish version of the vaccine sign-up communication to Spanish-speaking patient populations increases the likelihood that those patients will understand and act on the message. Another example is sending a text message instead of an email to households that lack broadband access. This ensures that everyone receives the message, regardless of income level or geography.

For more information, learn how this Colorado health care provider used personalized text messaging in their COVID vaccine rollout. They reached nearly 80% of their patient population with targeted outreach and community support.

Conclusion

Digital communications like email and texting can be highly effective ways to reach marginalized patient populations. However, do not forget about HIPAA compliance! Communications personalized and segmented using ePHI need to be secured.

LuxSci offers secure email services and texting designed to meet HIPAA requirements. If you would like to learn more about how to address health equity with secure communications, please contact us today.