Text or Email: Does it Fit in Healthcare?

office-620822_640Communication by text or email is a part of daily life. Such forms of communication occur non-stop and through a variety of means whether it be Gmail, WhatsApp, iMessage, or any other number of services. However, the question that arises just as frequently is whether texting and/or email are appropriate in healthcare. The simple answer is yes, texting and email fit very well into healthcare and are very much permissible.

However, staying at the level of the simple answer is not sufficient. It is necessary to dive deeper and determine just how text and email communication can be done. Answering the more nuanced question largely depends upon the purpose of the communication. The purpose can be broken into two primary categories: marketing or provision of information. As would be expected, marketing communications create more concern and require attention to a wider array of regulatory requirements.

Regardless of the purpose of the communication, HIPAA is a driving force behind what a healthcare provider or entity can do when it comes to texting and emailing. Hopefully it is well known, but the HIPAA Privacy and Security Rules influence what communication tools can be used. If the healthcare entity is initiating the communication, then any such communication must carefully adhere to privacy and security requirements. Since any communication tool will most likely not just transmit but store the data sent, the communication tool will be considered a business associate and all attendant requirements (implementing a Business Associate Agreement) apply. However, if a patient requests that a provider send a record or other communication by email, then some of those concerns may be reduced. No matter who starts the communication though, HIPAA must be considered.

The other side to HIPAA is whether marketing communications are allowed. As a general matter, pretty much all marketing requires patient authorization under HIPAA. There are some forms of communication that do not require authorization, but those exceptions are not very broad.

The discussion in the preceding paragraphs is only a taste of how HIPAA impacts the use of texting and email. That being said, the key takeaway is that texting and emailing can occur. It may not be a publicly available tool like Gmail that can be used, but there are options. Such an approach helps to dispel the common misconception that HIPAA prohibits or otherwise prevents the use of texting or email.

While HIPAA is clearly a healthcare-specific law, any entity or organization seeking to text or email an individual must consider other laws as well. Foremost among those laws are the Telephone Consumer Protection ACT (“TCPA”) for texting and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) for email. These laws may not be readily known to healthcare entities, but lack of awareness is no defense to a violation.

TCPA is designed to protect privacy interests when it comes to phone-based communications, whether texting or phone calls. TCPA sets parameters as to how individuals can be contacted by companies. Obtaining consent to communicate by phone or text will generally solve potential issues under TCPA, but it is not always clear whether such consent has been provided. Many entities will also collect phone numbers without including consent to communication and then want to implement outreach by phone or text afterwards. When seeking to use already collected information, going back to get consent is not high on the list of priorities. Healthcare benefits from some relief in that regard. Communications for treatment purposes are exempted from the consent requirement. Before celebrating and thinking that all healthcare communications are treatment related, guidance around the exemption spells out what constitutes treatment. Further, there appears to be a requirement that any communication cannot result in a charge to the individual. Before sending a text, it is necessary to consider whether that will charge the individual or not. That question could be hard to answer. Again, like HIPAA, TCPA does not prohibit texting, it forces an organization to slow down and plan.

CAN-SPAM, as indicated, focuses upon email advertising. Generally, CAN-SPAM covers all commercial messages where the primary purpose is advertisement or promotion. As the acronym of the act implies, it is meant to help reduce the number of emails that we all receive. To avoid issues, seven principles have been laid out to flag an email as an advertisement or promotion: (1) make the header accurate and not false or misleading, (2) do not use deceptive subject lines, (3) identify the email as an advertisement, (4) tell rcipients where the sender is located, (5) tell recipients how to opt out of future emails, (6) promptly honor all opt out requests, and (7) monitor activities of vendors that may act on your behalf. Additionally, question what the “primary purpose” of the email is. CAN-SPAM only applies if it is advertisement or promotion. If a transactional or relationship is the primary purpose, then CAN-SPAM does not apply. Unlike TCPA, there are no exceptions or carve-outs for healthcare. Instead, healthcare must comply like all other industries.

The above are some general considerations when it comes to text and email communication in healthcare. If you want to join a more in-depth conversation, sign up for a webinar that I will lead on Wednesday, November 15th at Noon EST through Physician Practice. Sign up is available here: http://bit.ly/2yvKMv8.

Advertisements
Posted in Business, Compliance, Health IT, HIPAA, Regulations | Tagged , , , , | Leave a comment

The Great Digital Hope or Just Hype

sunrise-1756274_640Healthcare has become the proverbial shiny object to many technology companies, both within and without of Silicon Valley. The technology companies seem to view healthcare as a great, untapped wilderness that is flush with potential profits. However, the rush into and promise of healthcare is never quite so simple.

Companies such as Amazon and Apple generate a ton of press, whether sought out or created on the outside, because these companies are viewed as having solved so many technology and interaction issues. For example, Apple has become a master of producing or refining seemingly stuck technology, while Amazon is considered to be (and likely is) the dominant retail force. The narratives around these companies and the new technology that they develop then lead the press, investors and others who like to speculate down the road that healthcare is a natural progression after having disrupted and conquered other fields.

A recent example is the nearly constant speculation that Amazon’s Alexa, a digital assistant, could revolutionize home health care, coach patients, or otherwise deliver healthcare. Amazon recently held a diabetes challenge event that sought uses for Alexa in promoting use cases with patients. Holding events of this nature clearly explore actual and practical uses in healthcare on the one hand, but are only big teases on the other hand because current regulatory failures are explicitly acknowledged (i.e. not being up to HIPAA standards). In spite of known and acknowledged regulatory deficiencies, the potential examples for the use of Alexa and other digital assistants never really ends. Every day a new use is thrown out and discussion begins.

Adding more fuel to the fire, the Food and Drug Administration announced a digital health pilot program, officially known as the Pre-Cert for Software Pilot, to enable companies to obtain pre-clearance for certain products. Apple, Google (through Verily), Samsung, and FitBit are the big traditionally consumer-facing technology companies that were among the nine participants selected to participate. The goal of the pilot is to speed that way to approval for certain software products in order to respond to the normally slow pace of development in healthcare.  The thinking goes that if healthcare wants to tap into digital innovation, then it must be able to act at the speed of digital innovation. The open question is how safe these new solutions will be and can such solutions live up to the traditional quality standards for healthcare devices.

Theorizing about possible uses of different technology solutions and bringing the known capability of companies like Amazon or Apple to healthcare makes for great theater, but significant hurdles exist. The hurdles can certainly be overcome, but doing so means dedication and attention to detail. The primary hurdle that I constantly think about is HIPAA. If any traditional technology company wants to get into healthcare, it will be necessary for that company to determine how it fits into the ecosystem, namely whether it is a covered entity or a business associate (most likely). Taking the assumption that a technology company will be a business associate creating and/or operating tools on behalf of providers (covered entities), the technology companies will need to sign business associate agreements. Taking the experience from provision of cloud services, thinking AWS, expect the technology companies to drive the terms of the business associate agreement, which will most likely be limited to strictly the requirements set out in the HIPAA regulations.

A business associate agreement is only the start though. It is also necessary to implement and comply with the privacy and security obligations that come with being a business associate. While such requirements are arguably easy to implement, doing so does require attention to detail. The privacy protections are fairly black and white, it is mostly a matter of preparing the policies and then educating. This is a gross over-simplification but gets the point across. The security side of the house is probably even easier for technology companies because it would be expected that the baseline protections utilized by such companies go well above and beyond what HIPAA requires. In my assessment, the biggest stumbling block will be appropriately educating and then monitoring individuals to ensure compliance. Insiders are already neck and neck with ransomware/hacking for the biggest security threats, which would only become more volatile by throwing in a workforce that is not accustomed to operating in a highly regulated area. As such, while HIPAA presents challenges, those challenges can be overcome.

Another, less explored regulatory issue is how full entry into healthcare could implicate fraud and abuse laws. Will Apple, Amazon or other companies seek to introduce products that could be reimburseable by Medicare or Medicaid? If yes, then standard operating procedure such as offering discounts or attractive offers to drive purchases would then likely result in a regulatory violation and much unwanted attention. Can the technology companies exercise enough discipline to wall off healthcare operations from other business teams? Other companies can and do create divisions, but technology companies have at times garnered reputations of pursuing ideas without necessarily thinking through full implementation. Chasing an idea down a rabbit hole without fully vetting regulatory considerations is not a preferable way to go. Then again, the pharmaceutical industry is cynically viewed as incorporating fraud and abuse allegations and settlements into the way of doing business. Could technology replicate this approach? Thinking of the government’s settlement with eClinicalWorks for misrepresenting the capabilities of its electronic medical records, maybe that path is already being laid.

While I am admittedly not an FDA lawyer, it seems that the potential need for approval as a medical device presents one of the biggest issues for new technology to come into healthcare. Even though the FDA, as mentioned above, is experimenting with easing regulations, the baseline of needing approval as a medical device for many uses still exists. Unless the law is fundamentally changed, such a requirement cannot be glossed over. The need for approval drives a very conservative approach to develop, implementation and maintenance. For example, many traditional medical device companies feel that FDA approval precludes the ability to update and/or patch operating systems on a device because a device obtains approval with a certain operating system. If that system is changed, then the functionality of that device could arguably change and the basis for approval undercut. Can technology companies that so often throw incomplete or “buggy” products into the marketplace while expecting to then fix on the fly work in such an environment? Will the environment change? The inability to answer these questions at the moment is cause for a pause.

Technology sparks imagination and possibility. Opportunities are as endless as what can be thought of. That promise is justifiably appealing, but it should be tempered by reality. Until a real solution comes to market and proves itself, the hopes are just hype.

Posted in Business, Compliance, Health IT, Healthcare, HIPAA | Tagged , , , , | Leave a comment

Copy & Paste: Is It Fraud or Not?

imagesElectronic medical records require a lot of interaction on the part of physicians and other providers to get all necessary information entered. There are drop down menus, boxes to check, and other information to fill in. With the well documented complaints about impact on workflow, a number of workarounds have been mentioned for a long time. Foremost among the workarounds is the use of copy and paste. Copy and paste can come in many forms including taking the entire contents of one note and bringing it forward, using templates to fill in predetermined information based upon a set of standards, or other similar uses. The premise is to make use of the EMR easier and more user-friendly. However, like most actions within healthcare, there are risks.

Let’s explore the benefits and arguably permissible uses of copy and paste first.  On the positive side, copying and pasting through the use of templates lets providers input a baseline of information, such as all normal results in a systems check. For example, a fact sheet produced by the Centers for Medicare and Medicaid Services suggests that templates or auto-fill can improve physician documentation and lead to more complete information being included in the medical record. An appropriately utilized template can potentially prompt the physician to include relevant information from a patient examination, which in turn ensures a fuller picture of the patient is present for future visits. Such positives can be achieved through careful, considerate and deliberate use of templates.

While the positives suggest the ability to enhance patient care, there are also numerous negatives. For example, the Office of the Inspector General has made its position well-known that copy and paste functionality can lead to fraud and abuse. The argument is that copying and pasting from one note to another can result in additional information being included resulting in claims being coded at a higher than justified level. The argument rests upon an assumption that information not actually collected or services not rendered would be included and billed. Such an assumption to some degree assumes guilt as opposed to innocence in provider activities. Such usage would more accurately be described as cloning and could lead to complications. Trying to be optimistic, hopefully the majority of providers are not using copy and paste functionality with an intent to defraud a governmental or private payor.

Another less obvious drawback from copy and paste is the creation of confusion within a medical record. If information is continuously carried forward, it may be difficult to determine when the information was first collected and whether the information is still accurate. Such a scenario could arise where copy and paste is used, but then not modified to reflect a patient’s current status or if it is used to build upon prior information in a repeating and lengthening record. Either way, the muddying of the medical record could give rise to potential liability in the event of an adverse patient outcome. For example, the confusing medical record could make it difficult to demonstrate that a standard of care was met or be the root cause for a bad outcome. Both scenarios are not ones that a physician or other provider would want to discover in the context of litigation.

Much more could be said about the benefits and dangers of copy and paste. Many will and likely do use the functionality. The key is to be considerate in such usage and not use it as an excuse to be complacent.

Posted in Business, CMS, Compliance, EHR, EMR, Health IT | Tagged , , , , | 1 Comment