New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year.

Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement the ban was back in place. Late last year, the Joint Commission partially lifted the ban, saying the use of a secure text messaging platform was acceptable for doctors when communicating with each other, although the use of text messages for orders – regardless of whether a secure, HIPAA-compliant platform was used – remained prohibited.

OCR receives many questions from physicians and covered entities on the use of text messaging and HIPAA Rules. McGraw has confirmed that in response to the many questions, OCR will be issuing HIPAA guidance on text messaging later this year.

In an interview with Information Security Media Group, McGraw explained, “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”

In the guidance, OCR will cover the use of text messages between physicians, healthcare organizations, and the sending of messages to patients, along with the circumstances under which the use of text messages is prohibited by HIPAA Rules.

Last year, there were a number of instances of healthcare professionals accidentally disclosing the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable information.

While it is clear to most healthcare professionals what is, and what is not, allowable under HIPAA Rules, guidance on the use of social media platforms will be issued, including explanations of when prior authorization from a patient is required.

McGraw also said OCR is working to address the FAQ section of its website, as many posted answers are ‘horribly out of date.’

To improve transparency, OCR has been working on guidance on what covered entities can expect when OCR investigators come knocking. OCR investigates all data breaches that have impacted more than 500 individuals, yet how those investigations take place remains something of a mystery. OCR will be releasing an “Anatomy of a Case,” in which the processes that take place when OCR investigates a healthcare data breach or complaint are explained. The guidance will detail how CMPs are calculated and settlements are reached, including the criteria used by OCR when determining appropriate financial penalties.

Much of the guidance has already been written, although it must now be passed to OCR’s legal team. Once that process has been completed, and OCR has made the document readable again, the new guidance will be released.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.