mutual consent Archives

Posts Tagged ‘mutual consent’

Frequently Asked Questions: HIPAA and Email Marketing

Thursday, October 27th, 2022

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. This causes a lot of confusion when it comes to HIPAA-compliant marketing campaigns. This article addresses some frequently asked questions about HIPAA-compliant email marketing and what you need to do to be on the right side of the law.

Do generic practice newsletters still count as PHI?

In many cases, even generic email newsletters can be considered PHI because they are sent to lists of current patients. Email addresses are individually identifiable and combined with the email content; it may imply that they are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that the recipients receive dialysis. Therefore the email is PHI and should be protected.

In some cases, it can be complicated to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution is best to avoid ambiguity and ensure you are secure.

What are email marketing best practices for organizations using Mailchimp?

The best practice is not to use Mailchimp! Mailchimp is NOT HIPAA-compliant and will not sign a Business Associate Agreement to protect your data. The best way to begin an email marketing program is to select a fully HIPAA-compliant vendor. Simply put, this means that emails are encrypted in transit, and stored data is also encrypted.

What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails and retrieve analytics. Email APIs are often used to send transactional or bulk marketing emails. Trigger-based emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. For example, an order confirmation is a transactional, trigger-based email. A person buys a product online, the transaction is processed, and an email is sent to the buyer with their transaction details. The email is sent automatically with an email API. When a new patient has an upcoming appointment, an email API could be used to send a reminder email and offer rescheduling options. Email APIs enable the automation of common email workflows.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it’s optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email.”

The Department of Health and Human Services (HHS) has clarified this by stating that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this for several reasons. One, keeping track of waivers over time and recording status changes and updates is challenging. Two, signed waivers do not insulate you from the consequences of a HIPAA breach. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Do patients have a right to exercise their right of access to their own PHI by receiving it via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It’s always better to encrypt emails.

Is Microsoft 365/Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, it is not well-suited to send marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. If you are a marketer trying to increase open and response rates, the portal adds a barrier to access that many will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require a user to log in to read the message.

Conclusion

HIPAA can be difficult to understand, but choosing the right tools and properly vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please get in touch with our sales team.

Tags: email api, email marketing, encrypted email, hipaa compliance, mutual consent, quasi compliance, quasi hipaa compliance, unencrypted email
Posted in Email Marketing
Comments Off on Frequently Asked Questions: HIPAA and Email Marketing

Healthcare Marketing & HIPAA: Are you in Compliance?

Wednesday, September 14th, 2022

Healthcare Marketing Today

Marketing is essential to growing any business successfully, but when you work in regulated spaces such as healthcare, there are compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

HIPAA and Healthcare Marketing

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts you will use the patient’s PHI in. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.

8 Common Misunderstandings of Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. The messages can be eavesdropped on by someone with technical abilities.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA-Compliant

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip- do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. *Remember that any tool you put PHI into must be HIPAA-compliant.

How LuxSci and Compliancy Group Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalizes emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, no worries, we got you covered. LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA-compliant.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an automated software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion of their process. The Seal can be displayed on a practice’s website, email signature, and signage, and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.

Tags: business associate, business associate agreement, email encryption, email marketing, ePHI, healthcare marketing, mutual consent, patient consent, personalization, social media
Posted in Collaboration, Email Marketing
Comments Off on Healthcare Marketing & HIPAA: Are you in Compliance?

Are Prescription Notifications HIPAA-Compliant?

Tuesday, December 14th, 2021

It is common to receive calls and text messages from pharmacies reminding us that it is time to pick up or renew our prescriptions for drugs or other medical items. Have you ever wondered if these prescription notifications are HIPAA-compliant?

Just because every pharmacy seems to send them, it doesn’t mean they are aware of the compliance requirements. Let’s look into the context and learn how to remind patients of prescription refills and appointments securely.

Read the rest of this post »

Tags: appointment reminder, ePHI, FCC, hipaa, hipaa compliance, mutual consent, phi, prescription notification, secure email, secure text
Posted in LuxSci Library: HIPAA
No comments »

Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Read the rest of this post »

Tags: consent, ePHI, hhs, hipaa, hipaa compliance, mutual, mutual consent, omnibus, phi, privacy rule, risk, security rule, unencrypted email
Posted in LuxSci Library: HIPAA
No comments »