Step 8: Communicate with patients

Give patients the opportunity to discuss the confidentiality and security of PHI, and make sure they know how to report concerns or discoveries of breaches.

In Guide to Privacy and Security of Electronic Health Information, HHS says you must accommodate reasonable requests by patients to receive communications from you by the means or at the locations they specify. For example, they may request that appointment reminders be left on their work voicemail rather than home phone voicemail. For those who prefer email communications, you may send unencrypted emails.

 

Page 5634 of the Privacy Rules states that clearly: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”

 

The important thing: That patients are advised of risks, and that they consent based on personal preference.

 

Regarding patient consent, there is greater focus now on “meaningful” consent. HHS defines meaningful consent this way:

Consent should not be a “check-the-box” exercise. Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained. Specifically the meaningful consent decision has six aspects. The decision should be:

  1. Made with full transparency and education

  2. Made only after the patient has had sufficient time to review educational material;

  3. Commensurate with circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision);

  4. Not used for discriminatory purposes or as a condition for receiving medical treatment;

  5. Consistent with patient expectations; and

  6. Revocable at any time

 

Finally, you should be aware of this provision on Page 5634 of the Privacy Rule:

“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

 

Tools and Resources for Step 8

See this report as a general reference on security of ePHI.

Guide to Privacy and Security of Electronic Health Information

Privacy Notices can help achieve meaningful consent, and the HHS offers Privacy Notification templates in English and Spanish.

For Healthcare Providers:

NPP Booklet for Healthcare Providers (English)

NPP Booklet for Healthcare Providers (Spanish)

NPP Layered for Healthcare Providers (English)

NPP Layered for Healthcare Providers (Spanish)

NPP Full-Page for Healthcare Providers (English)

NPP Full-Page for Healthcare Providers (Spanish)

NPP Text-Version for Healthcare (English)

NPP Text-Version for Healthcare (Spanish)

For Health Insurers:

NPP Booklet – Health Plan (English)

NPP Booklet – Health Plan (Spanish)

NPP Full-Page – Health Plan (English)

NPP Full-Page – Health Plan (Spanish)

NPP Layered – Health Plan (English)

NPP Layered – Health Plan (Spanish)

NPP Text-Version – Health Plan (English)

NPP Text-Version – Health Plan (Spanish)

A Health Care Professionals’ Privacy Guide updated to cover rules in effect since 2013.

These headings from the Privacy Guide indicate topics covered:

  • HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances may share information for treatment purposes.

  • HIPAA does not require you to eliminate all incidental disclosures.

  • HIPAA is not anti-electronic.

  • HIPAA does not cut off all communication between healthcare professionals and the families and friends of patients.

  • HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else.

  • HIPAA does not prevent child abuse reporting. The Privacy Guide also discusses strengthened patient protections, and includes links to additional resources, including guidelines on communications with family and friends.

Health Care Professional’s Privacy Guide

This eConsent Toolkit includes samples of tools and educational materials that organizations can customize for patient education and meaningful consent.

The toolkit includes a tip sheet on meaningful consent, HHS says organizations can develop content through what it calls a Story Engine feature. It also contains an eConsent Story Engine download as well as the technical standards needed to download and house the tool, along wih a guide for installing and using the tool. To start, you can download an eConsent User Guide.

eConsent Toolkit Tipsheet eConsent Story Engine eConsent User Guide

Architectural Analysis and Technical Standards eConsent Installation Guide

Upcoming Webinars

[add_eventon_list hide_month_headers="no" hide_empty_months="yes" event_order="ASC" number_of_months="3" ]

New Social Media Course

November 10, 2023 No Comments

MyHIPAA Guide is offering a new social media course that will help you protect your organization from potential privacy violations that result from social media

Read More »

Upcoming Events

10 Steps to Compliance

MyHIPAA Guide helps HIPAA-covered organizations understand what they need to do on a daily basis. Subscribers gain access to a comprehensive, human-centered HIPAA program.

CALL US TODAY:  (234) 281-4310

MyHIPAA Guide

Product

Discover

DISCLAIMER: MyHIPAA Guide content, including newsletters, is for informational purposes only. MyHIPAA Guide is not intended as legal advice or as a recommendation for a provider’s specific circumstances, and it is not intended as an exhaustive or definitive source on protecting health information from privacy and security risks. Providers and professionals seeking expert advice should consult an attorney and/or a risk assessment professional.

NOTICE TO READERS: We will do our best to report updates on HIPAA rules as quickly as possible following public notifications. In submitting questions or comments to MyHIPAAGuide.com, NEVER SEND THE PROTECTED HEALTH INFORMATION OF A PATIENT.

Copyright © by M.E.D. Media Mart LLC - Published by M.E.D. Media Mart LLC.