AMA preparing to tackle questions surrounding physician-patient texting

Regulators are serious about privacy and violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and crackdowns keep providers on their toes. The evolution of technology provides innovative and efficient ways to practice medicine and communicate with patients, but this evolution brings with it new obstacles that can easily trip up a provider who is not paying close attention. At the end of a long day, a tired doctor might send a quick text to a mother who does not want to bring in her sick child if over-the-counter medicines will do the trick, trying to be as accommodating as possible and truly caring for the patient’s well-being. Both mother and doctor will be relieved that an unnecessary trip was avoided, but is this type of communication appropriate?

The American Medical Association (AMA) provides guidelines for providers on issues just like this one, and the AMA House of Delegates will consider expanding its advice on email communications to include text messaging at a June meeting. Although the AMA maintains that a face-to-face meeting is the foundation of a physician’s relationship with a patient, it recognizes that patients and physicians may prefer text message communications in various settings.

Considerations when texting

As expected, the AMA’s first basic standard of engagement to consider is HIPAA. The Board of Trustees (BOT) recommends discussing obligations under HIPAA’s Security Rule with both information technology (IT) staff and legal counsel. This rule requires that entities transmitting electronic protected health information (ePHI) ensure that these transmissions are confidential and secure. The AMA provides an educational tool to assist providers in achieving compliance with the rule, and HHS offers advice on protecting ePHI when using cell phones.

Providers should keep in mind potential differences in communication with patients, as opposed to colleagues. While doctors and nurses in the same office may think nothing of texting one another, a patient needs to consent to communication. Current guidance indicates that a patient’s initiation of a text conversation may serve as consent, but some providers might obtain written consent that acknowledges risks in such transmissions. Patients should be reminded that security is not guaranteed and that privacy can be breached as easily as someone they know using their phone and seeing a text.

Boundaries

In addition to consent and security issues, the AMA raises several points more along the lines of etiquette but that must be approached within the patient-physician relationship framework. A physician should establish boundaries with patients, such as establishing reasonable response times and appropriate times of day for texting. Additionally, extensive conversations are not recommended, and if a patient requests a lengthy explanation the physician should request that the patient come into the office.

When texting, the AMA recommends keeping a formal tone, cordial but refraining from using jokes, emoticons, or emotionally charged or sarcastic speech. The recommendations even extend to ending texts with the physician’s full name and business affiliation, accompanied by a request to acknowledge receipt of the message. Although it may seem obvious, the AMA also reiterates refraining using identifying information such as name or Social Security number and keeping text records.

Gatekeeping vital to a best practice organization

Gatekeeping should be viewed as a first line of defense, protecting not only a healthcare organization, but the patients as well. In a Health Care Compliance Association (HCCA) webinar titled “Gatekeeping & Monitoring – Developing Sound Processes for Screening, Removal & Reinstatement,” Amy Andersen, Director of Operations at Verisys Corp., noted that every organization can be sorted to a risk aversion spectrum. On one end, the most risk-averse organizations use best practice compliance to achieve stellar outcomes. On the other end, non-compliant organizations risk fines and loss of reputations. The greatest cost to organizations in terms of monetary impact to establish gatekeeping measures is the change management and system implementation. Regardless, best practices organizations need to be proactive about gatekeeping and monitoring, not after the fact.

Gatekeepers

The best way to protect organizations is to implement a gatekeeping strategy. Gatekeeping is ensuring that information is properly disseminated among an organization and its association. Thus, the first consideration for an organization is which parties are being let into the organization. Organizations should not only focus on the healthcare professionals within their organizations, but the vendors and contractors employed by the organization. Andersen noted that the vendor space was one of the most overlooked areas in protecting an organization.

Secondly, once an organization permits vendors or individuals into the organization, it must readily identify any gaps. In essence, Andersen said that the organization should understand what it knows and does not know about the admitted vendor or individual.

Finally, the organization should establish criteria for admittance of these vendors or individuals. Thus, an organization’s gatekeeping strategy should include three parts: (1) identification, (2) communication, and (3) remediation.

Identification, communication, and remediation

At a most basic level, identification starts with screening and monitoring. Some barriers to gatekeeping include data “hoarders,” those entities who do not share what they know or require you to go through a gate itself. These entities can be threats to the organization.

Andersen advised that organizations should examine and avoid unconsidered risks. In terms of credentialing, Andersen stressed “verify, verify, verify.” These risks are created when an organization silos information within itself. She cautioned against this, noting that organizations should do holistic reviews to determine whether the departments within the organization are communicating any risks effectively.

Access to information is vital. Once identification generates data for the organization, relevant information must be made visible. After policy and procedure access occurs, the organization must take action in a consistent manner. This is includes removal of individuals from the organization or vendor from a business relationship, expectations should be laid out clearly. Any auditing that is done should be unbiased and adhere to industry standards.

Human subject research: expert discusses recent privacy and security concerns

Recent privacy and security developments in human subject research were the topic of discussion during a recent Health Care Compliance Association (HCCA) webinar. The webinar presenter, William J. Roberts, a partner in Shipman & Goodwin LLP’s Health Law Practice Group and the Chair of its Privacy and Data Protection team, discussed: (1) the disclosure of substance use disorder records for research purposes; (2) the rights of a research subject to directly access their test results; and (3) electronic informed consent of research subjects.

Disclosure for research purposes

In discussing the disclosure of substance use disorder records of patients for research purposes, Roberts focused on the revised requirements for the research exception (42 C.F.R. sec. 2.52) set forth in the January 18, 2017 Final rule (82 FR 6052) issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), which are effective March 21, 2017.

First, under the revised research exception at 42 C.F.R. 2.52(a), Roberts noted that a federally-assisted program or other lawful holder of patient identifying information may disclose this information to qualified personnel for the purpose of conducting scientific research if the individual designated as director or managing director, or other individual with comparable authority determines that the researcher or recipient of the patient identifying information satisfies the following requirements:

  • has obtained and documented patient authorization or a waiver/alteration of authorization consistent with HIPAA; and
  • provides documentation that (1) the researcher is in compliance with the requirements of the HHS regulations regarding the protection of human subjects, including the informed consent/waiver of consent requirements or (2) the research qualifies for exemption under the HHS regulations or any successor regulations.

In addition, under revised 42 C.F.R 2.52(b), Roberts pointed out that the researcher who receives the information must: (1) not re-disclose patient identifying information except back to the individual or entity from whom the information was obtained; (2) maintain and destroypatient identifying information in accordance with the security policies and procedures under the Part 2 regulations; (3) retain records in compliance with applicable federal, state, and local record retention laws; and (4) if necessary, resist in judicial proceedings any efforts to obtain access to patient records containing Part 2 data.

Further, under 42 C.F.R. 2.52(c), Roberts pointed out that researchers may link to data from federal and non-federal data repositories holding patient identifying information, if the researcher: (1) has the request for data linkages reviewed and approved by an institutional review board (IRB) registered with the HHS Office for Human Research Protections; and (2) ensures that patient identifying information obtained is not provided to law enforcement agencies or officials.

Finally, under 42 C.F.R. 2.52(d), Roberts indicated that upon receipt of patient identifying information, data repositories are fully bound by Part 2 regulations and must: (1) after providing the researcher with the linked data, destroy or delete the linked data from its records (including sanitizing any associated hard copy or electronic media); and (2) ensure that patient identifying information is not provided to law enforcement agencies or officials.

Roberts believes that the key take-aways from the revised Part 2 regulations are that: (1) we can expect a more simplified process for obtaining patient information from Part 2 subject facilities and providers, which may open more doors to research collaborations and projects: (2) population health studies will benefit from linkages; and (3) future revisions to the regulations may be possible because SAMHSA has been soliciting additional comments and has expressed openness to future changes.

Rights of research subjects

In discussing the right of research subjects to directly access their test results, Roberts focused on some problems with the February 6, 2014 joint CMS and Office of Civil Rights (OCR) Final rule designed to harmonize the requirements of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) rules (see Amended CLIA, HIPAA regulations provide patients direct access to lab test results, Health Law Daily, February 6, 2014).

According to Roberts, while the joint Final rule amended the CLIA requirements to permit laboratories to give completed test results directly to a patient or patient’s representative upon request, and the HIPAA rule to require HIPAA covered laboratories to provide access rights to patients, it also created a conflict. For example, CLIA prohibits non-CLIA certified research laboratories from returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients,” while HIPAA-covered laboratories have a legal responsibility to provide research results to research subjects upon request if the information is in the “designated record set.”

Roberts explained that the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has made three recommendations to resolve the CLIA/HIPAA conflict:

  • HHS (including OCR, FDA, CMS) should clarify and ratify necessary regulatory interpretations or amendments so that researchers in a non-CLIA-certified laboratory are able to refer, without penalty, a research subject to a CLIA-certified laboratory for additional testing after identifying clinically actionable information.
  • HHS should clarify the duties of HIPAA covered entities to provide results to individuals, upon their request, from non-CLIA-certified laboratories.
  • OCR should provide guidance on how to interpret the “designated record set” in the context of access to test results from non-CLIA research laboratories.

Until there is closure on these recommendations, Roberts recommended that covered entities: (1) review existing practices of researchers with respect to participants’ access to test results; (2) review the standard for determining what test results are part of the “designated record set”; and (3) consult the IRB or counsel about responding to requests.

Electronic informed consent

Roberts’ discussion of electronic informed consent (eIC) included the examination of: (1) a joint FDA/Office for Human Research Protections (OHRP) frequently asked questions guidance; (2) paper v. eIC; (3) electronic signatures; and (4) verification of the research subject’s identity.

The upshot of the joint guidance, according to Roberts, is that: (1) if the research is conducted or supported by HHS and involves a FDA-regulated product, it is subject to both the FDA and HHS regulations; and (2) in the event the regulations differ, the regulations that offer the greater protection to human subjects should be followed.

Roberts explained that both OHRP and FDA regulations allow for the use of eIC and paper informed consent, independently or in combination with each other, and for electronic signatures to be used in lieu of traditional signatures.

Roberts suggested that an eIC should: (1) be easy to navigate, (2) allow the user to proceed forward and backward and to stop and continue at a later time, (3) use hyperlinks where helpful, (4) give patients options to use paper or electronic; and (5) ask: Do research subjects need assistance in completing the eIC? Roberts also suggested that research subjects be given a copy of the written informed consent form, preferably with the subject’s signature and the date the form was executed.

Finally, Roberts cautioned that before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization must verify the identity of the individual.

Overall, with regard to eIC, Roberts recommends checking with the IRB about the use of eIC to ensure that the IRB agrees that the format may be used for the particular research. Examples of possible formats include: encrypted digital signature, electronic signature pad, voice print, and digital fingerprint.

Roberts also recommended: (1) reviewing and revising privacy policies and procedures with respect to any eIC data stored in “the cloud” to ensure compliance with applicable laws; (2) ensuring that eIC materials are easy for the research subject to navigate; and (3) ensuring eIC technology allows an easy way for subjects to ask questions and get answers.

Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits of detriments of easy to use portals with the need to verity identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a User ID and password, with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.

The hospitals, themselves, may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for handling types of data.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling into the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals responsibilities with respect to employee data, including noting in many cases that employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employer must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that they understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in various social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).