hipaa security rule Archives

Posts Tagged ‘hipaa security rule’

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

An individual’s past, present, or future physical or mental health or condition.
The past, present, or future provisioning of health care to an individual.
The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Services, you must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

Physically protecting data and where it is stored,
Training staff on handling PHI, and
Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

Protect data at rest and
Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

Design targeted patient journeys
Deliver better patient outcomes
Improve ROI and reduce costs

Tags: business associate agreement, email marketing, ePHI, hipaa compliance, hipaa privacy rule, hipaa security rule, patient engagement, personalization, phi, quasi compliance, segmentation
Posted in Email Marketing
Comments Off on Rules for Using PHI in Patient Engagement

What You Need To Know About the HIPAA Security Rule

Thursday, January 10th, 2019

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information; and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA privacy Rule applies to all protected health information.

Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information

Now, the HIPAA Security Rule isn’t extensive regarding the regulatory text. However, it is quite technical. It is the codification of specific information and technological best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three key safeguards, that is, technical, physical, and administrative. Other than that, it demands certain organizational requirements and the documentation of processes, as it is with the HIPAA Privacy Rule.

Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.

Read the rest of this post »

Tags: ePHI, hipaa, hipaa compliance, hipaa security rule
Posted in LuxSci Library: HIPAA
No comments »

Jump/Thumb Drives and PHI Don’t Mix

Friday, July 20th, 2012

It is very common for the staff of small and medium sized healthcare organizations to store patient data on USB Flash Drives (a.k.a. Jump Drives or Thumb Drives). This is universally a bad idea and guarantees non-compliance with HIPAA. Below, I will discuss why and suggest some alternatives to accomplish the same ends.

While this article discusses USB Flash drives in particular, the same arguments hold for all portable media — full sized USB hard drives, writable CDs and DVDs, laptops, etc.