HIPAA Compliant Appointment Reminders
HIPAA compliant appointment reminders are communications with patients that must take into account any consent requirements or privacy restrictions and the channel of communication being used to remind the patient of the appointment. In addition to complying with HIPAA, appointment reminders must also comply with FCC regulations.
The HIPAA Privacy Rule permits the use of Protected Health Information (PHI) to remind patients of appointments under the treatment, payment, and healthcare operations (TPO) provisions of §164.506. This is according to an FAQ published by the Department of Health and Human Services (HHS) in 2002. However, while the use of PHI is permitted, how much PHI can be disclosed may be subject to several factors, including:
- Who is receiving the appointment reminder?
- Have privacy restrictions been requested?
- How is the reminder being communicated?
- Does the reminder comply with FCC regulations?
Who is Receiving the Appointment Reminder?
In the context of how much PHI can be disclosed in HIPAA compliant appointment reminders, although the minimum necessary standard does not apply to “uses and disclosures made to the individual” (§164.502(b)), it does apply to disclosures to family members, friends, etc., and disclosures made via a business associate. FCC regulations also place limits on the frequency and length of calls (FCC regulations are discussed below).
This means that, if a healthcare provider speaks directly with a patient via a communication channel that does not require a HIPAA Business Associate Agreement, there is no limit on how much PHI can be disclosed – subject to FCC regulations. Note: communication channels that do not require a Business Associate Agreement are mostly limited to PSTN landlines, the US Postal Service, and other communication “conduits”.
If appointment reminders are communicated to a family member, friend, colleague, or other person involved in the individual’s care – or via a third party’s communication channel for which a Business Associate Agreement is necessary – any PHI disclosed in HIPAA compliant appointment reminders must be limited to the minimum necessary to achieve the purpose of the disclosure. The same applies to messages left on voicemail.
A patient can consent to (or authorize) disclosures of more than the minimum necessary to family members, friends, etc. Also, healthcare providers can disclose more than the minimum necessary PHI if, “in the exercise of professional judgment”, the disclosure is in the best interests of the patient (§164.510(b)). In such cases – and particularly when disclosing reproductive PHI – it is a best practice to verify the recipient of HIPAA compliant appointment reminders.
Have Privacy Restrictions been Requested?
§164.522 of the Privacy Rule is particularly relevant to HIPAA compliant appointment reminders. This is because it gives patients the right to request restrictions of uses and disclosures (of PHI), including those which are considered to be in the best interests of the patient (§164.510(b)). The section also gives patients the right to request confidential communications by alternative means or at alternative locations.
Healthcare providers do not have to agree to a request to restrict uses and disclosures of PHI (unless it is to a health plan for a service paid for in full by the patient), but, if agreeing to a restriction, must comply with the patient’s request with regards to HIPAA compliant appointment reminders. Exceptions exist for disclosures in emergency circumstances and to HHS’ Office for Civil Rights.
With regards to the right to request confidential communications by alternative means or at alternative locations, healthcare providers must accommodate “reasonable requests”. Reasonable requests are most often interpreted as requests for an alternative means of communication that the healthcare provider already uses and that is HIPAA compliant. But exceptions are allowed to accommodate special circumstances.
For example, if a patient is in an abusive relationship, they may request that confidential communications are sent via SMS text to a mobile device. Although SMS text messages are not HIPAA compliant, healthcare providers can agree to the request if they warn the patient of the security risks, obtain the patient’s written consent to use a non-compliant communication channel, and document both the warning and the written consent.
How is the Reminder being Communicated?
Other than when a patient provides written consent to receive confidential communications via an unsecure channel of communication, it is necessary to enter into a Business Associate Agreement with any communication service provider that is not exempted under the conduit exception. In such cases, because PHI is being transmitted via a business associate with “persistent access” to PHI, the minimum necessary standard applies.
This requirement for HIPAA compliant appointment reminders not only applies to encrypted email services and other HIPAA compliant messaging solutions, but also to any automated scheduling software or patient engagement systems used by the healthcare providers to increase productivity and reduce no-shows. Depending on how scheduling or engagement software connects with patients, it may be necessary to enter into more than one Business Associate Agreement in order to support HIPAA compliant appointment reminders.
Do Reminders Comply with FCC regulations?
In addition to the HIPAA compliance requirements, appointment reminders have to comply with the Federal Communications Commission (FCC) regulations. The regulations were developed in response to the Telephone Consumer Protection Act of 1991, and although they are often interpreted to apply only to phone calls and text messages, the FCC regulations can apply to any contact between a healthcare provider and a patient.
Under the FCC regulations, healthcare providers can only contact patients for specific purposes (including HIPAA compliant appointment reminders) and no more than three times a week. The length of telephone calls must be limited to 60 seconds, and other communications must be limited to 160 characters. Any additional contact must be authorized by the patient or their personal representative.
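The rules in this section and in the sections on recipients, privacy restrictions and channels can be expressed as a policy check that scheduling software applies before a reminder leaves the system. The Python below is an added example written for this article; it is not code from the article, from HHS, or from any scheduling vendor. The channel classes, the request fields, and the assumption that an encrypted messaging service is operated by a business associate under a BAA are illustrative choices; the limits it enforces (three contacts a week, 60-second calls, 160-character messages) are the ones the article attributes to the FCC regulations, and the minimum necessary and consent logic follows the article's description of §164.502(b), §164.510(b) and §164.522.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum, auto


class Recipient(Enum):
    PATIENT = auto()      # the individual: minimum necessary does not apply (§164.502(b))
    THIRD_PARTY = auto()  # family member, friend, caregiver (§164.510(b))
    VOICEMAIL = auto()    # message left on an answering service


class Channel(Enum):
    LANDLINE_CALL = auto()   # PSTN "conduit": no BAA needed
    POSTAL_MAIL = auto()     # US Postal Service "conduit": no BAA needed
    SECURE_MESSAGE = auto()  # assumed: encrypted messaging run by a business associate under a BAA
    SMS = auto()             # not HIPAA compliant: needs documented warning plus written consent


# Illustrative channel classification (assumption, beyond the conduit examples the article gives).
BUSINESS_ASSOCIATE_CHANNELS = {Channel.SECURE_MESSAGE}
NON_COMPLIANT_CHANNELS = {Channel.SMS}

# Limits the article attributes to the FCC regulations.
MAX_CONTACTS_PER_WEEK = 3
MAX_CALL_SECONDS = 60
MAX_TEXT_CHARS = 160


@dataclass
class ReminderRequest:
    patient_id: str
    recipient: Recipient
    channel: Channel
    appointment: str                  # constructed sample: "Tue 14 May, 10:30"
    callback: str                     # clinic number to confirm or reschedule
    detail: str = ""                  # visit reason/department: PHI beyond the minimum necessary
    call_seconds: int = 0             # scripted length, voice channels only
    restricted_channels: frozenset = frozenset()     # restrictions the provider agreed to (§164.522)
    unsecure_consent_on_file: bool = False           # documented warning + written consent for SMS
    extra_contact_authorized: bool = False           # patient authorised contact beyond the weekly limit
    contact_log: list = field(default_factory=list)  # datetimes of prior contacts with this patient


@dataclass
class Decision:
    allowed: bool
    content: str
    reasons: list


def compose(req: ReminderRequest, minimum_necessary: bool) -> str:
    """Build the message; the visit detail is only included when minimum necessary does not apply."""
    body = f"Reminder: appointment {req.appointment}. Call {req.callback} to confirm."
    if req.detail and not minimum_necessary:
        body += f" Visit: {req.detail}."
    return body


def evaluate(req: ReminderRequest, now: datetime) -> Decision:
    reasons = []
    # 1. An agreed §164.522 restriction binds the provider.
    if req.channel in req.restricted_channels:
        return Decision(False, "", ["channel excluded by an agreed privacy restriction"])
    # 2. A non-compliant channel is usable only with the documented warning and written consent.
    if req.channel in NON_COMPLIANT_CHANNELS and not req.unsecure_consent_on_file:
        return Decision(False, "", ["unsecure channel without documented written consent"])
    # 3. Minimum necessary applies to third parties, voicemail, and business-associate channels.
    minimum_necessary = (req.recipient is not Recipient.PATIENT
                         or req.channel in BUSINESS_ASSOCIATE_CHANNELS)
    if minimum_necessary and req.detail:
        reasons.append("visit detail withheld: minimum necessary standard applies")
    content = compose(req, minimum_necessary)
    # 4. Frequency: no more than three contacts in a rolling week unless the patient authorised more.
    recent = sum(1 for t in req.contact_log if t > now - timedelta(days=7))
    if recent >= MAX_CONTACTS_PER_WEEK and not req.extra_contact_authorized:
        return Decision(False, "", reasons + [f"{recent} contacts already in the last 7 days"])
    # 5. Length: 60 seconds for calls, 160 characters for other communications.
    if req.channel is Channel.LANDLINE_CALL and req.call_seconds > MAX_CALL_SECONDS:
        return Decision(False, "", reasons + ["call script exceeds 60 seconds"])
    if req.channel is not Channel.LANDLINE_CALL and len(content) > MAX_TEXT_CHARS:
        return Decision(False, "", reasons + [f"message is {len(content)} characters"])
    return Decision(True, content, reasons)


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 9, 0)  # constructed reference time
    req = ReminderRequest("p1", Recipient.THIRD_PARTY, Channel.LANDLINE_CALL,
                          "Tue 14 May, 10:30", "555-0100", detail="cardiology follow-up", call_seconds=30)
    print(evaluate(req, now))
```

The decision object carries the reasons alongside the verdict so that a blocked or trimmed reminder can be logged for the privacy officer without the log itself repeating the withheld PHI.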
HIPAA Compliant Appointment Reminders – Conclusion
To support HIPAA compliant appointment reminders, healthcare providers must take the factors discussed above into account when developing policies and procedures for appointment reminders or when configuring automated appointment scheduling software. If appointment reminders are managed by members of the workforce, it may also be necessary to incorporate the above into HIPAA training.
Healthcare providers with questions about permitted uses of PHI for HIPAA compliant appointment reminders, consent requirements, or privacy restrictions are advised to speak with a HIPAA compliance professional. Those with questions about configuring automated appointment scheduling software to comply with the Privacy Rule requirements should speak with the software vendor.