At RevenueWell, we continually invest in procedures and technology to support your every effort in upholding HIPAA’s privacy and security rules. Our patient communications suite was built specifically for healthcare providers, and as a result has built-in support for all the data security and regulatory compliance requirements that apply to a modern dental practice.
There are two separate sets of regulations that govern the sharing of patient data: HIPAA (the Health Insurance Portability and Accountability Act of 1996), which establishes your practice as a “Covered Entity” and regulates how you use and disclose protected health information (PHI); and the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), which complements HIPAA and controls with whom you can share this information. Parties with whom you share such information are identified as “Business Associates,” and must comply with HIPAA Privacy and Security rules to the same degree as any covered entity. In this framework, RevenueWell acts as your Business Associate, and your office is the Covered Entity.
The 2013 amendments to the HIPAA rules under the HITECH Act state that a covered entity is required to obtain prior authorization from patients to “market” to them, which is defined as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” [Title 45 of the Code of Federal Regulations, section 164.501].
However, HIPAA offers exemptions for communications about services you render or offer as the patient’s healthcare provider, as well as “healthcare operations” communications around treatment plans, alternatives to treatment, new services and care coordination. The only instance when such messages could be considered “marketing,” and would thus require permission from the recipient, would be if a Covered Entity or their Business Associate received third-party “financial remuneration” to send these messages. This isn’t common in a typical dental office – and RevenueWell as a business associate never accepts any form of third-party remuneration for content within the system.
Data extracted from your practice management software is sent over an encrypted Internet connection to RevenueWell’s secure, HIPAA, HITECH and PCI-compliant hosting facility, where all data operations are performed. Regular HIPAA audits and HIPAA compliance experts on staff ensure your data is closely managed and compliant. Your own access to the system is safeguarded using SSL and 128-bit encryption so you can safely log in from your office, home or mobile device.
Telephone Consumer Protection Act rules are designed to protect consumers from telemarketing messages, and apply to text messaging, residential phone lines, and wireless lines. Treatment plan notifications, appointment confirmations and other types of messaging sent on your behalf via RevenueWell are deemed by the FCC to be “health care messaging,” or “informational messaging,” and both have been exempted from the 2013 modification to the Act (known as the “new rules”).
In exempting this type of messaging, the FCC stated there is efficient and thorough oversight in HIPAA so as to “already safeguard consumer privacy” and that it did not “need to subject these calls to its consent, identification, opt-out, and abandoned call rules” (77 FR 34240).
For questions about these regulations, always confer with your attorney. The information contained herein should not be construed as legal advice.