HIPAA to be Updated to Cover Texting, Social Media and Transparency in Investigatory Methods

Feb 16, 2017

At the Healthcare Information and Management Systems Society’s 2017 conference (HIMSS17), OCR’s Deven McGraw released some new information on the HIPAA guidance OCR expects to release in 2017.

Last year, the Joint Commission lifted the ban on the use of text messages for orders. However, within weeks of the announcement, this decision was overturned and the ban was back in place. Later in 2016, the Joint Commission partially lifted the ban, saying the use of a secure text messaging platform was acceptable for doctors when communicating with each other. However, the use of text messages for orders – regardless of whether a secure, HIPAA-compliant platform was used – remained banned by the organisation.

OCR receives many questions from physicians and covered entities regarding the use of text messaging and whether it complies with HIPAA Rules. McGraw has confirmed that OCR will be issuing HIPAA guidance on text messaging later this year in response to the overwhelming volume of questions it has received.

In an interview with Information Security Media Group, McGraw explained, “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”

OCR’s new guidelines will cover the use of text messages between physicians and healthcare organizations, the sending of messages to patients, and the circumstances under which the use of text messages is prohibited by HIPAA Rules.

2016 saw several cases of healthcare professionals accidentally disclosing the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable information. This is in violation of current HIPAA rules and guidelines regarding PHI and patient data security.

HIPAA Rules are normally clear about what is and is not acceptable with regard to patient data security. However, many professionals seek guidance from OCR on the use of social media platforms. Guidance will be issued, including explanations of when prior authorization from a patient is required.

In the statement, McGraw also said OCR is working to address the FAQ section of its website, as many posted answers are ‘horribly out of date.’

OCR has been working to improve transparency in recent times. This includes clarifying what covered entities can expect if they are under investigation by OCR. OCR investigates all data breaches that have impacted more than 500 individuals, yet how those investigations take place is not widely known.

To clarify its procedures, OCR will be releasing an “Anatomy of a Case,” which explains the processes that take place when OCR investigates a healthcare data breach or complaint. The guidance will detail how civil monetary penalties (CMPs) are calculated and settlements are reached, including the criteria used by OCR when determining appropriate financial penalties.

Much of the guidance has already been written, although it must now be passed to OCR’s legal team. Once that process has been completed, and OCR has made the document readable again, the new guidance will be released.
