" ePHI Archives - Page 3 of 10 - LuxSci

Posts Tagged ‘ePHI’

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

using PHI for patient engagement

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Servicesyou must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

hipaa compliant applications

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.

4 Email Personalization Strategies for Member Engagement

Friday, November 4th, 2022

For many benefits administrators, it’s open enrollment season! During this period, individuals can make changes to their insurance coverage. It’s vital to engage members to educate them about their plans and benefits to increase satisfaction, retain members, and acquire new enrollees. This article presents four email personalization strategies for member engagement.

member engagement strategies

Insurance Information is ePHI

Before we get to strategies for improving engagement, it’s worth reflecting on the regulatory hurdles. According to the Department of Health and Human Services, healthcare payers, insurers, and benefits administrators are covered entities. This means they must abide by HIPAA regulations when transmitting and storing protected health information (PHI).

Emails about an individual’s insurance coverage and eligibility, plan types and offerings, health status, and financial information are considered PHI and must be protected accordingly. We’ve written extensively about the HIPAA requirements for email elsewhere, but in brief, this means that emails containing PHI need to be encrypted and archived appropriately. Do not proceed with the following strategies until a HIPAA-compliant email solution is implemented correctly.

 

4 Email Personalization Strategies for Member Engagement

Segmentation and personalization are the keys to crafting messages that appeal to your audience. Particularly when it comes to healthcare coverage, there is no one-size fits all approach. Personalization techniques allow marketers to create highly relevant emails that the audience will find beneficial.

Age-Related Changes

In the US health insurance market, insurance coverage is often tied to age. As individuals reach new stages of life, there is an opportunity for them to change their insurance coverage. For example, insurers and benefits administrators can create targeted messaging to:

  • 26-year-old individuals about to enter the healthcare marketplace and
  • 65-year-old individuals who qualify for Medicare

It would not make sense to send these messages to a sizeable non-segmented email list because they would be irrelevant to the majority of recipients. By segmenting your email list by age and creating targeted messaging, you will receive a better response and return on investment from your email campaigns.

Plan and Benefit Educational Opportunities

There are many different types of health insurance coverage and benefit plans. Educating enrollees on their plan benefits makes them more likely to utilize their coverage and be satisfied with their plan. For example, if eligible members are not taking advantage of a dental benefit, it may be wise to create an email campaign that educates them on what they can access with their benefits.

Geography-Specific Messaging

There are often differences in enrollment periods, eligibility, and benefits in the US market on a state-by-state basis. Creating personalized messages based on the recipient’s residence makes the messages more relevant. For example, sending recipients the accurate enrollment date based on their residence is essential to getting people to sign up!

Health Status Messaging

You can also use information you know about your members to craft messages that can help improve their health. For example, it may be possible to know who is overdue for an annual appointment, and email messages can help them reschedule care. Similarly, several standard preventative screenings are tied to age and gender, like annual mammograms for women at 40 years old. By sending an email to all members who meet that criteria reminding them to get screened, it can improve population health and reduce costs.

Conclusion

Today’s consumers prefer email communications from businesses and brands. Personalizing your approach can improve your campaign performance and deliver significant results. If you want help improving your enrollment outreach with HIPAA-compliant email, contact LuxSci.

Healthcare Marketing & HIPAA: Are you in Compliance?

Wednesday, September 14th, 2022

Healthcare Marketing Today

Marketing is essential to growing any business successfully, but when you work in regulated spaces such as healthcare, there are compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

HIPAA and Healthcare Marketing

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts you will use the patient’s PHI in. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.

examples of healthcare marketing breaches

8 Common Misunderstandings of Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. The messages can be eavesdropped on by someone with technical abilities.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA-Compliant

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip- do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. *Remember that any tool you put PHI into must be HIPAA-compliant.

How LuxSci and Compliancy Group Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalizes emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, no worries, we got you covered. LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA-compliant.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an automated software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion of their process. The Seal can be displayed on a practice’s website, email signature, and signage, and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.

email CTA

Personalize Healthcare Communications to Improve the Patient Experience

Tuesday, August 16th, 2022

Recent survey results from CVS Health indicate that healthcare patients desire a more personalized healthcare experience. Over the last ten years, the online experience has become highly customized. Online vendors have more customer data and use it to extend personalized offers, reminders, and updates. Although people are concerned about online privacy, they are more likely to open and engage with relevant marketing communications.

As the healthcare industry has undergone digital transformation, more data is available in a digital format. But how and when can it be used? This article discusses how to use patient data to personalize healthcare communications without violating HIPAA requirements.

personalize healthcare communications

What is Healthcare Personalization?

Personalized health care places individuals at the center of the health care experience. Health care is a complex issue, and one system does not work for everyone. A person’s health status is influenced by many factors, including genetics, age, environment, social determinants, income, and countless others. A health care program that considers as many of these variables as possible can better address patient needs and increase access to care.

Why Personalize Healthcare Communications

Patients understand that their healthcare providers manage a lot of their personal data and want a personalized experience that respects their preferences. As audience segmentation and personalization techniques become more common in other industries like e-commerce and personal care, consumers expect the same experiences from their health care providers.

For example, say you order a jug of laundry detergent on Amazon. They can use common consumer data in combination with your last order date to estimate when you are likely to run out. Then, they can send an email reminder to encourage a reorder before you run out again. In a similar manner, healthcare providers should know when someone’s prescription is running low and could send a notification to let the patient they need to refill and help improve medication adherence.

A recent survey by CVS Health found that 85% of patients find personalized care to be important. In fact, 83% expect their primary care provider to be aware of their family medical history, genetics and inherited lifestyle habits. 71% of consumers said it was very or somewhat important to their health that they have customized alerts and reminders of screenings and checkups. This is even more common among patients under 40. The next generation of healthcare consumers expects their healthcare to fit seamlessly into their normal lives.

Ways to Personalize the Healthcare Experience

There are many ways to personalize the healthcare experience, but they all depend on the available data. An easy way to start is by asking for patient preferences. Some common ways to personalize healthcare communications include collecting information about patient preferences:

  • Communication methods: How do they prefer to be contacted? Ask patients their preferred channels- email, texting, phone, and paper notifications are standard options.
  • Language proficiency: Is English their first language? If not, send communications in the person’s primary language.
  • Patient status: Are they active patients or overdue for regular screenings and appointments?

Looking at these attributes can help craft messages that appeal to patient subgroups.

The next level of personalization uses protected health information (PHI) to deliver extremely customized healthcare communications. The possibilities are truly endless, but here are a few examples to spark some ideas:

  • Medical conditions: use information about patient medical conditions to send highly targeted communications about managing or preventing chronic conditions like depression, diabetes, and heart conditions.
  • Screening reminders: Remind patients when they are due for mammograms, colonoscopies, or other screenings that are ordered based on age or risk factors.
  • Patient retention and re-engagement: Did a patient skip their annual appointment or screening? Make it easy to reschedule by sending periodic reminders.
  • Insurance status: send relevant communications based on the patient’s insurance status. For example, letting healthcare marketplace insurance holders know about re-enrollment periods to ensure they don’t drop their coverage.

Personalization provides a customizable healthcare experience for patients that eliminates friction and barriers to care. Using personalization to create educational campaigns can also help improve health outcomes. See How to Use ePHI to Segment and Personalize Email Marketing Campaigns for more information.

HIPAA Considerations in Customizable Healthcare

One reason that healthcare has been slow to adopt personalization techniques is HIPAA. These guidelines protect sensitive medical information and govern how it can be used. To send personalized messages like the examples discussed above, HIPAA guidelines must be followed. Some of the core requirements for sending HIPAA-compliant emails include:

  • Encryption
  • Access Controls
  • Backups and Archival
  • Anti-Malware Defenses
  • Identity Authorization
  • Reporting Mechanisms
  • Review Procedures and Policies

See our HIPAA-Compliant Email Checklist for more information about the requirements.

LuxSci offers several solutions for sending HIPAA-compliant personalized messages. Contact us today to learn more about our Secure High Volume Email and Secure Marketing tools.

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.

electronic medical billing

What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any of one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.