HIPAA, HITECH, HB 300 FAQs

Patient Communications/Electronic Communications

Q. #1 Are faxes, email, and texts considered electronic communication?

A.

Please refer to:

  • The following HIPAA definitions: 45 CFR §160.103
  • Electronic protected health information means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.
  • Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii) Employment records held by a covered entity in its role as employer.

  • Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

  • Electronic media means:

(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

  • The following HIPAA FAQs from the U.S. Department of Health and Human Services website:
  • Does the Security Rule apply to written and oral communications?
  • Answer: No. The standards and specifications of the Security Rule are specific to electronic protected health information (e-PHI). It should be noted however that e-PHI also includes telephone voice response and fax back systems because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the requirements of the Privacy Rule apply to all forms of PHI, including written and oral.
  • Question: Can a physician’s office FAX patient medical information to another physician’s office?
  • Answer: The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician’s office, and placing the fax machine in a secure location to prevent unauthorized access to the information. See 45 CFR § 164.530(c).
  • Question: Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
  • Answer: The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.
  • Additionally, see TMLT CME activity that appears in the Nov-Dec 2010 issue of the TMLT Reporter entitled “There is an ‘e’ in Medicine” - article begins on page 4:
  • For HIPAA compliant physician-to-physician electronic communication, consider using DocbookMD –

Q. #2 The clinical summary to be provided within 3 days – is that to all patients or only if the patient requests? This assumes all physicians have implemented EHR which is not currently the case.

A.

You are referring to the CMS Medicare and Medicaid EHR incentive program’s meaningful use objective, which applies to physicians who are participating in the program and wish to qualify for the incentives. For more information, view the following FAQ from the CMS website:

Q. #3: How do we provide ePHI to patients if their email is not secure or encrypted?

A: For general information regarding use of email and HIPAA, please refer to:

  • HIPAA FAQs above,
  • TMLT CME activity that appears in the Nov-Dec 2010 issue of the TMLT Reporter entitled “There is an ‘e’ in Medicine” - article begins on page 4:
  • Integrating email into your practice – TMLT:
  • AMA Code of Medical Ethics Opinion 2.3.2 - The Use of Electronic Mail

Q. #4 What is the time frame practices have to provide medical records to patients upon a valid written request?

A:

Generally, a physician has 15 business days. HIPAA privacy provides for a greater response time, but since the Texas provision is more stringent (i.e., it is the shorter period) HIPAA covered entities must respond in 15 days, as well.

For more information see:

  • Release of Medical Records whitepaper from TMA Office of the General Counsel
  • TMB Rule 165
  • For Texas’ electronic health records-specific provision, see: Health and Safety Code Sec. 181.102. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.

Q. #5: If you are doing marketing in your practice and want to send a letter to your patients discussing new technologies in your office, do you need a signed release from patients or their permission?

A:

For general information regarding marketing, please refer to:

  • HIPAA information on marketing (NOTE: This information is pre-HITECH Act. Please see amendments under the HITECH Act below)
  • HITECH Act provisions on marketing. See Sec. 13406
  • Chapter 181, Texas Health and Safety Code
  • See Texas Health and Safety Code §181.001(4) for a definition of “marketing” under the Texas Medical Records Privacy Act.
  • See Texas Health and Safety Code §181.152. Marketing Uses of Information.

For general information regarding medical records release, see also:

  • Release of Medical Records whitepaper from TMA Office of the General Counsel

Q. #6: If HB 300 prohibits the sale of PHI, does this mean if a patient requests her own medical records, we cannot charge?

A: For general information on this topic, please refer to:

  • See Chapter 181, Health and Safety Code, specifically, Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS
  • See also HITECH Act, Sec. 13405(d) Prohibition on Sale of Electronic Health Records or Protected Health Information