Best Practices in Health Care Communication

Posted By Madilyn Moeller, Friday, January 19, 2024



By Compliancy Group

The ways that medical aesthetic practices communicate with patients have evolved as patients seek the easiest way to contact their health care providers. As patient-provider communication tactics change, it is crucial to keep HIPAA in mind.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules and regulations differ depending on how your medical aesthetic practice communicates with patients. Here is some advice about best practices in health care communication and how to avoid common communication errors.

Rules for HIPAA-compliant communication

The HIPAA regulation dictates best practices in health care communication. Regardless of the communication method (phone, text message, mail, email or chat), it must fully comply with HIPAA rules and regulations.

Before using these tools to communicate with patients, confirming a patient’s contact information (mailing address, email and phone number) is essential. Written patient consent is also required for certain communication methods before use, and before using some tools, you must have a signed business associate agreement (BAA).

How can you use different communication tools in your medical aesthetic practice while maintaining HIPAA compliance?

Patient phone calls

As it can be challenging to confirm the patient’s identity via phone, patients must sign a consent form before you can discuss medical information with them over the phone. Consent isn’t required for a simple appointment reminder, but limiting the information communicated is important. It is especially important when leaving a voicemail.

Voicemails can easily be overheard, allowing a patient’s family members or friends to hear sensitive treatment information that the patient does not want to share with others. Information appropriate to leave on a voicemail includes the patient’s name, the doctor’s name and a call-back number.

Texting with patients

Traditional text messaging (SMS) does not have the security measures required to secure protected health information (PHI). Therefore, SMS is not HIPAA compliant and cannot be used for patient communication. Other popular texting platforms, such as iMessage and WhatsApp, are also not compliant, as the software providers don’t sign BAAs. There are, however, texting platforms designed explicitly for health care businesses. These platforms can be used for HIPAA-compliant texting, provided your practice secures a signed BAA with the platform provider before use and employees use the texting platform correctly.

Sending PHI through mail

There have been instances when health care providers have sent sensitive information to the wrong patient. To avoid the wrong patient receiving correspondence, it is crucial to double-check a patient's address before sending them anything containing PHI. HIPAA also requires providers to send patient information through certified mail or a similar service that requires a signature. Because standard mail cannot be tracked to confirm receipt, it is not HIPAA compliant.

Emailing patients

Generally, providers should not communicate with patients through email. However, it is permitted with written patient consent. Since the patient is unlikely to use a secure email service, the provider must also warn the patient of the cybersecurity risks associated with email. Lastly, health care providers must use a HIPAA-compliant email provider and encryption service when sending PHI through email.

Live chat

Online chat tools on your website can quickly and easily answer patient questions. When choosing a chat tool for your medical aesthetic practice, it is important to choose one that is HIPAA compliant. While some chat tools are made specifically with health care in mind, others can also provide a HIPAA-compliant service. As a general rule, a HIPAA-compliant chat software provider includes safeguards to secure PHI and will sign a BAA.

HIPAA-compliant communication considerations

As you may have noticed, HIPAA-compliant communications come down to several considerations.

  1. Do you have written patient consent to communicate with them in a certain way?
  2. Have you confirmed the patient’s contact information?
  3. Are you using a HIPAA-compliant communication tool? (Do you have a signed BAA with the service provider? Does the platform have the required security features?)
  4. Is the tool being properly used by your staff?
  5. Are you limiting communication of PHI to the minimum required to perform a job function?

Contributed by Compliancy Group

Compliancy Group’s simplified software and Customer Success Team remove the complexities and stress of HIPAA, helping medical spa professionals achieve HIPAA compliance quickly. They give practices confidence in their compliance plan, increasing patient loyalty and profitability while reducing risk. Because Compliancy Group is an AmSpa Vendor Affiliate, medical spa professionals can be confident in their compliance program.

Compliancy Group’s software automates HIPAA compliance for medical spas. Achieving compliance can be done quickly through just a few self-paced virtual meetings. New customers will save 15% on Compliancy Group’s software, which includes live coaching to guide you through your compliance requirements, risk assessment that makes the required HIPAA risk assessment a breeze, policies and procedures that fully satisfy HIPAA regulations and protect your business, and intuitive and automated HIPAA training that awards the HIPAA Seal of Compliance upon completion.
