Texting, Social Media, & Case Walkthrough HIPAA Guidance to be Published in 2017

Recently at HIMSS17, OCR’s Deven McGraw outlined the HIPAA guidance OCR expects to publish in 2017. OCR may be busy reviewing the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a flurry of new HIPAA guidance documentation is set to be published this year.

In 2016, the Joint Commission cancelled the ban on the use of text messages for making orders, although within weeks of the announcement the ban was reinstated. Late in 2017, the Joint Commission partially lifted the ban, saying the use of a secure text messaging service was acceptable for doctors when communicating with each other, although the usage of text messages – regardless of whether a safe, HIPAA-compliant platform was implemented – remained banned.

OCR receives many queries from health sector employees and covered organizations on the use of text messaging and HIPAA compliance Rules. McGraw has confirmed that as a reaction to the many questions, OCR will be issuing HIPAA guidance on text messaging later in 2017.

In an interview conducted with Information Security Media Group, McGraw outlined “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”

In the new guidance OCR will cover the use of text messages between physicians, healthcare groups, and the broadcasting of messages to patients, along with the circumstances under which the use of text messages is not allowable under HIPAA Rules.

In 2017, there were a number of recorded instances of healthcare workers disclosing by mistake the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable information and data.

While it is clear to most healthcare sector workers what is, and what is not, permitted according to HIPAA Rules, guidance on the use of social media services will be issued including explanations on when prior official permission from a patient is required.

McGraw also said OCR is planning to update and refresh its FAQ section on its official website as many published answers are ‘horribly out of date.’

To improve transparency, OCR has been developing guidance on what covered groups can hope t=when OCR investigators come knocking. OCR reviews all privacy breaches that have affected more than 500 people, yet how those reviews take place remains something of a enigma. OCR will be publishing an “Anatomy of a Case,” in which the steps that take place when OCR looks into a healthcare data breach or complaint are outlined. The guidance and assistance will detail how CMPs are calculated and settlements are reached, including the criteria used by OCR when calculating appropriate fines.

Much of the guidance has already been completed, although it must now be reviewed by OCR’s legal team. When that process has been finished, and OCR has made the document readable once more, the new guidance will be published.

Author: Maria Perez