At HIMSS17, OCR’s Deven McGraw revealed some details regarding the HIPAA guidance OCR expects to publish during 2017. OCR may be still trying to assess of the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a swathe of new HIPAA guidance is set to be published in 2017.
In 2016, the Joint Commission removed the ban on the use of text messages for orders, although within weeks of the announcement the ban was reestablished. In late 2016, the Joint Commission partially removed the ban once again, saying the use of a secure text messaging platform was allowable for doctors when communicating with each other, although the use of text messages – regardless of whether a protected, HIPAA-compliant platform was implemented – remained prohibited.
OCR receives many queries from physicians and covered groups on the use of text messaging and HIPAA Rules. McGraw has confirmed that in answering many of the questions, OCR will be issuing HIPAA guidance on text messaging later in 2017.
In an interview with Information Security Media Group, McGraw outlined “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”
In the published guidance, OCR will go over the use of text messages between physicians, healthcare groups, and the sending of messages to patients, along with the circumstances under which the use of text messages is forbidden under HIPAA Rules.
Last year, there were a number of cases where healthcare professionals accidentally shared the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable data.
While it is obvious to most healthcare workers what is, and what is not, allowable under HIPAA Rules, guidance on the use of social media platforms will be issued with explanations on when prior authorization from a patient is needed.
McGraw also stated that the OCR is attempting to address its FAQ section on its website as many posted answers are ‘horribly out of date.’
To enhance transparency, OCR has been working on guidance on what covered groups can expect then OCR investigators come knocking. OCR looks into all data breaches that have impacted more than 500 people, yet how those investigations take place remains something of a mystery. OCR will be publishing an “Anatomy of a Case,” in which the processes that take place when OCR investigates a healthcare data breach or complaint are explained. The guidance will detail how CMPs are calculated and settlements are reached, including the criteria used by OCR when determining appropriate financial finees.
Much of the guidance has already been completed, although it must now be reviewed by the OCR’s legal team. Once that process has been finished, and OCR has made the document readable again, the new guidance will be published.