In our personal lives, Americans have grown used to giving up personal information to technology in exchange for convenience. We manage passwords using smartphone keychain and apps. We share our emails, phone numbers and birthdays to get store coupons. We save our credit cards in online shopping carts.
As healthcare professionals, however, we are cautious—fearful, even—of dealing in personal information because of the 5-letter abbreviation that looms over our work: HIPAA.
HIPAA, the Health Insurance Portability and Accountability Act, became law in 2002 and was designed to protect the private information of patients and to make sure they are well informed about their choices and their consent for those choices.
Yet even as far back as 2003, HIPAA recognized the need to balance patient privacy and efficiency for healthcare providers. In fact, HIPAA makes digital patient engagement, education and care management easier than you may think.
HIPAA describes the balance this way:
“The HIPAA Privacy Rule establishes a foundation of federal protection for personal health information, carefully balanced to avoid creating unnecessary barriers to the delivery of quality healthcare.”
You can send patients educational communications by email—without separate consent—as long as the patient gives you an email address.
HIPAA specifies that for certain aspects of treatment—“coordination, or management of healthcare and related services”—no separate or additional consent is required.
HIPAA allows covered healthcare providers to communicate digitally, such as through email, with their patients, provided they apply reasonable safeguards when doing so. Such safeguards include making patients aware of the possible risks of using unencrypted email, and giving them a clear way to unsubscribe. With most patients requesting access to email their physicians, however, unsubscribing is unlikely.
Automatically enrolling patients into digital communications as your standard of care is called using an “opt-out” method of communication, because patients receive your care information automatically and can choose to “opt-out” or unsubscribe.
For example, HealthEast in St. Paul, Minn., uses a HIPAA-compliant, opt-out method of emailing educational messages to patients who are scheduled for knee and hip replacement surgery. The health system is impacting key cost measures as a result.
As of February 2018, the system had reduced readmissions by .8%, shortened length of stay by .29 days and reduced discharge to skilled nursing facilities by 17%. Looking at length of stay only, that rate of reduction would enable HealthEast to do 200 more joint replacements annually, which would roughly translate into $2.9 million in revenue.
HIPAA anticipated that the implementation of electronic health records and other digital health tools would necessitate accessing protected health information while giving hospitals an efficient means to coordinate and manage care.
Hospitals can balance privacy and efficiency by leveraging technology to deliver digital patient education starting early in the care episode.
The U.S. Department of Health and Human Services (HHS) established the feasibility of using email with patients as far back as 2008—and has continued to support it. Laws are interpreted based on usage and often, as the world changes, interpretations change without compromising the spirit or meaning of the law.
This is true for HIPAA, as well. HHS makes it clear. HIPAA allows healthcare professionals to deliver educational communications through email to improve patient care.