Are Automatic Patient Communication Solutions HIPAA-compliant?

Personal privacy is no longer personal – it's even in the news these days. Every day seems to bring reports of some celebrity cell phone hack, or coverage of a business that decided to toss sensitive files in a dumpster instead of shredding them as required. It's enough to make any reasonable person concerned, and if you're in the health profession with the civil and criminal liabilities of HIPAA hanging over your head, the threat to your practice is certainly more real than Dorothy's imagined nemesis along the yellow brick road.

While concern is advisable, it can be stifling if it prevents you from adopting more streamlined approaches to patient communication. Yes, HIPAA guidelines can be confusing, but they're not impossible to understand, and they're there for everyone's benefit. After all, every one of us is a patient of some health care practitioner out there, and we all want to maintain our personal privacy. With that in mind, we wanted to share a few questions (and answers) that come up frequently when a dental practice considers implementing marketing and automated patient communication software such as RevenueWell to grow its business.

Is it legal for a dental practice to share patient data with an outside company like RevenueWell?

Yes. There are actually two separate sets of regulations that govern this. First is HIPAA (the Health Insurance Portability and Accountability Act of 1996), which establishes your practice as a “Covered Entity” and regulates how you use and disclose Protected Health Information (PHI). PHI is any information concerning health status, health care or payment for health care that can be used to identify an individual. Second is the HITECH Act (the Health Information Technology for Economic and Clinical Health Act of 2009), which stipulates that you can safely share information with your “Business Associates” (e.g. RevenueWell or another company that helps you carry out health care functions) so long as the Business Associate is compliant with HIPAA privacy and security rules.

Does HIPAA permit health care providers to use email for patient communications?

Yes. According to 45 C.F.R. § 164.530(c), the Privacy Rule allows health care providers to communicate with their patients electronically (including by email), so long as reasonable safeguards are in place to limit unintentional disclosure. Because RevenueWell or a similar solution will use patient contact information directly from your practice management software, it is your responsibility to ensure that you have each patient’s correct email address on file. It may be a good idea to double-check this information as you’re checking patients in, and to limit instances where patients share one email account among multiple adult family members.
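The two safeguards just described (a correct address on file, and no single mailbox shared among several adults) can be checked against the practice management export before any automated email goes out. The following is an added example written for this page, not RevenueWell code; the record layout, the field names and the sample patients are all constructed assumptions. A shared address between a parent and a minor is deliberately not flagged, since the concern in the text is adults sharing an account.

```python
"""Constructed data-hygiene check for patient email addresses (added example, not RevenueWell code)."""
from collections import defaultdict
from datetime import date
import re

# Syntactic sanity check only; deliverability still has to be confirmed at check-in.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export with hypothetical field names and fictional people.
PATIENTS = [
    {"id": 1, "name": "A. Adult",   "dob": "1980-03-04", "email": "Family@Example.com"},
    {"id": 2, "name": "B. Adult",   "dob": "1982-07-19", "email": "family@example.com"},
    {"id": 3, "name": "C. Child",   "dob": "2015-11-02", "email": "family@example.com"},
    {"id": 4, "name": "D. Solo",    "dob": "1990-01-01", "email": "d.solo@example.com"},
    {"id": 5, "name": "E. Typo",    "dob": "1975-05-05", "email": "e.typo-at-example.com"},
    {"id": 6, "name": "F. Missing", "dob": "1968-09-09", "email": ""},
]


def age_on(dob_iso, today):
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = (int(part) for part in dob_iso.split("-"))
    born = date(y, m, d)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def audit_emails(patients, today, adult_age=18):
    """Return problems keyed by patient id.

    Values are 'missing', 'malformed', or ('shared_by_adults', ids) where `ids`
    lists every adult patient using the same mailbox.
    """
    problems = {}
    adults_by_email = defaultdict(list)
    for p in patients:
        # Normalise case: the same mailbox is often entered with different capitalisation.
        email = p["email"].strip().lower()
        if not email:
            problems[p["id"]] = "missing"
            continue
        if not EMAIL_RE.match(email):
            problems[p["id"]] = "malformed"
            continue
        if age_on(p["dob"], today) >= adult_age:
            adults_by_email[email].append(p["id"])
    for ids in adults_by_email.values():
        if len(ids) > 1:
            for pid in ids:
                problems[pid] = ("shared_by_adults", tuple(sorted(ids)))
    return problems


if __name__ == "__main__":
    for pid, problem in sorted(audit_emails(PATIENTS, date(2024, 1, 1)).items()):
        print(pid, problem)
```

Run it against a real export before the first automated send and again periodically; patients flagged as `shared_by_adults` are the ones to ask about a personal address at check-in.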

Are there any special considerations around a patient communication solution sending automatic postcards and letters to patients?

No. Health care providers are allowed to mail correspondence, including correspondence that contains Protected Health Information, to patients’ home or other specified mailing addresses. Whether such mailing happens directly from the office or via a Business Associate does not make a difference. RevenueWell will always use covered envelope letters for any correspondence that contains health-related or payment-related information (like your treatment plan follow-up letters or expiring benefits reminders), and will send postcards for recalls and appointment reminders just like you probably did before you implemented the system. As always, the office needs to take the necessary precautions to ensure that the patient’s mailing address is listed correctly in the practice management software.

Are automatic phone calls and answering machine messages HIPAA-compliant?

Yes. The HIPAA Privacy Rule allows health care providers to communicate with patients regarding their health care — including communicating via phone, mail or in any other manner.

According to 45 C.F.R. § 164.510(b)(3), a covered entity may leave a message on an answering machine, with a family member, or with another person who answers the phone when the patient is not home, so long as reasonable precautions are taken to limit the amount of information disclosed in such a non-personal interaction.

For example, RevenueWell’s phone calls (and answering machine messages) do not contain any treatment-specific information and hence comply with this requirement. Our solution is also configured to look for a patient’s personal mobile phone number first in order to place the call, making it more likely that only the intended person will receive the communication.
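The two precautions in this answer, keeping treatment details out of the message and dialing the personal mobile number before any shared line, are easy to make mechanical. The following is an added example, not RevenueWell's code; the appointment record, its field names and the sample values are constructed assumptions. The builder refuses to hand back a script if a treatment-specific field has leaked into it, so a template change cannot silently start reading procedures onto answering machines.

```python
"""Minimum-necessary phone reminder builder (added example, not RevenueWell code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Appointment:
    # Hypothetical record layout; the procedure field stands in for any treatment detail.
    patient_first_name: str
    when: str            # e.g. "Tuesday, March 5 at 10:00 AM"
    office_name: str
    office_phone: str
    procedure: str       # treatment-specific: must never reach a voicemail or a third party
    mobile: Optional[str] = None
    home: Optional[str] = None
    work: Optional[str] = None


# Fields that are treatment- or payment-specific and therefore excluded from the script.
SENSITIVE_FIELDS = ("procedure",)


def choose_number(appt: Appointment) -> Optional[str]:
    """Prefer the personal mobile number; fall back to home, then work."""
    for candidate in (appt.mobile, appt.home, appt.work):
        if candidate:
            return candidate
    return None


def build_reminder(appt: Appointment) -> Optional[Tuple[str, str]]:
    """Return (number_to_dial, script) with no treatment details, or None if no number is on file."""
    number = choose_number(appt)
    if number is None:
        return None
    script = (
        f"Hello {appt.patient_first_name}, this is {appt.office_name} reminding you of "
        f"your appointment on {appt.when}. Please call {appt.office_phone} with any questions."
    )
    # Guard against template drift: refuse to dispatch if a sensitive field shows up in the text.
    for name in SENSITIVE_FIELDS:
        value = getattr(appt, name)
        if value and value.lower() in script.lower():
            raise ValueError(f"reminder script contains sensitive field {name!r}")
    return number, script


# Constructed sample record (fictional patient and numbers).
SAMPLE = Appointment(
    patient_first_name="Pat",
    when="Tuesday, March 5 at 10:00 AM",
    office_name="Example Dental",
    office_phone="555-0199",
    procedure="crown prep",
    mobile="555-0100",
    home="555-0101",
)

if __name__ == "__main__":
    print(build_reminder(SAMPLE))
```

Note that the guard is a belt-and-braces check on the finished text, not the primary control; the primary control is that the script simply never references the treatment fields.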

I know that a patient communication service will store my patients’ data in “the cloud.” How secure is that?

In the case of RevenueWell, very. First off, RevenueWell only synchronizes the information it needs to communicate effectively with your patients. This means no Social Security Numbers, Driver’s License numbers or the like. Once data is extracted from your practice management software, it travels over an encrypted Internet connection to our secure, HIPAA-, HITECH- and PCI-compliant hosting facility, where all data operations are performed. With regular HIPAA audits and HIPAA compliance experts on staff, RevenueWell’s “cloud” is one of the safest, most closely managed environments your data may ever touch. Finally, your own access to your RevenueWell dashboard is safeguarded using SSL and 128-bit encryption, so you can safely log in from your office, home or mobile device.

Keeping ahead of the curve with regard to technology, and staying on the right side of the law, doesn't have to be a mind-numbing experience. Following a few simple guidelines, and choosing the right patient communication service, can allow you to operate without fear of what's around the next turn in your own yellow brick road to a more successful practice.