With the increased push for convenience from patients and improved clinical and financial outcomes from payers, it is clear that healthcare will be the next frontier for omni-channel customer experiences.
The elephant in the room is obviously how to maintain patient privacy and adhere to the rules governing PHI (personal health information). Some see this as a gigantic hurdle to adopting a truly omni-channel strategy—but it doesn’t need to be.
HIPAA (Health Insurance Portability & Accountability Act) standards, which are designed to protect sensitive patient data, regulate how a covered entity can handle PHI. Covered entities must have measures and policies in place to restrict access to PHI to only those with explicit permission.
Hospitals, providers, pharmacies, and other covered entities outsource some of their operations to third parties—think medical billing companies, claims processing agencies, or physician answering services. For the third parties who may not be HIPAA compliant, Business Associate Agreements (BAA) hold them accountable for protecting the PHI they access.
Compliance and Communication
Although patients can transmit their own PHI to anyone, things can get a little tricky when a covered entity wants to initiate communication. A best practice is for providers to ask patients their communication preferences (AKA “opt in”) as a part of their HIPAA Compliance form.
Outlining specific options, like whether a provider can leave a detailed message on a patient’s voicemail or share information with a designated family member, helps clarify how the covered entity will protect PHI and engage patients outside their walls. Appointment reminders are a great example of how opening this channel of communication can improve health outcomes and save money.
According to Health Management Technology, no-show rates for healthcare appointments are 30% nationwide. Those missed appointments cost the U.S. healthcare system nearly $150 billion each year, and every unused appointment slot can cost a physician’s practice upwards of $200. Meanwhile, approximately 62% of smartphone users have used their phones to look up health or medical information. Sending appointment reminders to patients via their preferred method of communication could reduce the financial costs and negative clinical outcomes associated with missed appointments.
What the Rules Say
The HIPAA Conduit Exception Rule allows HIPAA covered entities to conduct business with certain vendors without having to enter into a business associate agreement. If a third party does not access or retain PHI, they may be able to operate under the Conduit Exception Rule instead of signing a BAA.
Mail carriers and friendly neighborhood UPS drivers don’t have access to PHI, nor do they retain a copy of the information—they are simply conduits transmitting information from point A to point B. Third parties that transmit PHI without retaining or accessing the information other than on a random or infrequent basis as necessary to perform the services provided can operate under the HIPAA Conduit Exception Rule. The network a hospital or healthcare system uses to power their phones and 911 access would also fall under the conduit exception.
The misclassification of vendors can result in serious consequences, so it’s imperative that when a company chooses a vendor, they do so with a full understanding of the vendor’s policies around data access and retention.
Bringing It Together
HIPAA Compliance might seem like a major obstacle in bringing communications technology to healthcare, which is why it is important to choose an experienced partner who can serve as an advisor on best practices.
HIPAA regulations are in place to prevent sensitive information from falling into the wrong hands. Following these rules and regulations not only protects patient privacy, but also protects covered entities and business associates from litigation and severe fines.
Join us for Part 2 of our mini series on navigating communications in healthcare, where we will focus on best practices for utilizing text messaging and key considerations when choosing a provider.
Check out our whole series:
Part 1: HIPAA, BAA, and Conduit Exception