Winter 2019 | www.anjc.info

HIPAA and Appointment Reminders: Is Your Practice Compliant?

By David Klein, ANJC Coding & Compliance Consultant

As the number of people using email and text messaging increases, more doctors feel the need to utilize these means to communicate with both their patients and colleagues. Automated patient appointment reminders via email or text message are a convenient way to remind patients about their upcoming appointments. There’s plenty of evidence that this strategy can reduce your patient no-show rate and help maintain patient compliance.

Many providers assume that if they are sending the reminders via their EHR, then they are automatically compliant with HIPAA. Unfortunately, this is not the case.

HIPAA is a federal law comprising the Privacy Rule, Security Rule and Breach Notification Rule, and it provides federal protections for personal health information held by covered entities. Accordingly, all health plans, health care clearinghouses and any healthcare provider (and, by extension, a healthcare provider’s business associate) are considered “covered entities” and must follow HIPAA. The HIPAA/HITECH privacy and security rules cover any communication with electronic protected health information (ePHI), including e-mail, social media and text messages.

In 2002, the Department of Health and Human Services (HHS) commented that both the traditional postcard reminders and phone/email/text message reminders are an integral part of patient care and do not violate HIPAA per se.

However, the 2013 Omnibus final rule states the following regarding your Notice of Privacy Practices (NPP):

“In particular, §164.520(b)(1)(iii) requires a separate statement in the notice if the covered entity intends to contact the individual to provide appointment reminders or information about treatment alternatives or other health related benefits or services.”

Based on the above, there are certain steps that providers should take to ensure that communications to patients and colleagues are compliant with HIPAA, as follows:

• Make sure your NPP (Notice of Privacy Practices) is updated and includes information about opting-in for appointment reminders by text and/or email.
• The NPP should be explicitly clear and state something similar to: “We are going to be sending automated text message/email reminders about your upcoming appointments. Please notify us if you do not wish to be contacted in this manner.”
• Have patients verify their contact information, including their phone number, regularly.
• Consider an additional opt-in outside of the NPP; many people do not read the NPP.
• Give patients the option for a preferred method of contact.
• Obtain a release from the patient in which they acknowledge that they understand that there are risks associated with texting appointment reminders.
• Update the practice’s “Policies and Procedures” to include information on how appointment reminders are made and how they don’t include ePHI.
• Train employees regarding SMS and email reminders and keep a training log.
• Make sure that all staff understand the risks of emailing or texting patients directly and that all messages to patients must be pre-approved.

Additionally, when sending electronic appointment reminders it is best to avoid being too specific – DO NOT include any PHI. Generic reminders should only include:

• Appointment date and time
• Provider first and last name
• Location of the appointment

Automated appointment reminders appear to be playing an increasing role in healthcare services. Sending automated medical appointment reminders has been shown to decrease appointment “no shows” and has the potential to enhance the patient-doctor relationship. As such, better standards and understanding are necessary. Email and text message reminders can be done in a compliant fashion as long as the practice recognizes and implements the requirements of keeping ePHI safe and secure.

David Klein, CPC, CPMA, CHC, is co-founder of PayDC (www.paydc.com), a web-based fully certified EHR system that focuses on compliance and reimbursement. He is a certified professional coder and certified professional medical auditor through the American Academy of Professional Coders (AAPC), and is certified in healthcare compliance through the Health Care Compliance Board (HCCB). He is the Founder and President of DK Coding & Compliance, Inc., a healthcare consulting firm that focuses on audit defense, education, compliance and reimbursement issues.