There are two separate sets of regulations that govern the sharing of patient data: HIPAA (the Health Insurance Portability and Accountability Act of 1996), which establishes your practice as a “Covered Entity” and regulates how you use and disclose protected health information (PHI); and the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), which complements HIPAA and controls with whom you can share this information. Parties with whom you share such information are identified as “Business Associates,” and must comply with HIPAA Privacy and Security rules to the same degree as any covered entity. In this framework, RevenueWell acts as your Business Associate, and your office is the Covered Entity.
The 2013 amendments to the HIPAA rules under the HITECH Act state a covered entity is required to obtain prior authorization from the patient to “market” to them, which is defined as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” [Title 45 of the Code of Federal Regulations, section 164.501].
However, HIPAA offers exemptions for communications about services you render or offer as their healthcare provider, as well as “healthcare operations” communications around treatment plans, alternatives to treatment, new services and care coordination. The only instance when such messages could be considered “marketing,” and would thus require permission from the recipient, would be if a Covered Entity or their Business Associate received third-party “financial remuneration” to send these messages. This isn’t common in a typical dental office – and RevenueWell as a business associate never accepts any form of third-party remuneration for content within the system.
Email: Health care providers are permitted to communicate with their patients electronically (including email), as long as reasonable precautions and safeguards are taken to limit unintentional disclosure [45 C.F.R § 164.530(c)]. Because RevenueWell utilizes patient contact information directly from your practice management software, it is your responsibility to ensure that you have each patient’s correct email address on file.
Phone Calls and Answering Machine Messages: A Covered Entity or a Business Associate may leave a message on an answering machine, with a family member, or with another person who answers the phone when the patient is not home, so long as a reasonable precaution is taken to limit the amount of information disclosed in such a non-personal interaction [45 C.F.R § 164.510(b)(3)]. RevenueWell’s phone calls (and answering machine messages) do not contain any treatment-specific information and hence comply with this requirement.
Postcards and Letters: Business Associates are allowed to mail correspondence to a patient’s home or other specified mailing addresses on behalf of a Covered Entity even if it contains PHI. As an additional measure of security, RevenueWell uses covered envelopes for any correspondence containing health-related or payment-related information. Again, as with email addresses, your office needs to take the necessary precautions to ensure that the patient’s mailing address is listed correctly in the practice management software.
Data extracted from your practice management software is sent over an encrypted Internet connection to RevenueWell’s secure, HIPAA, HITECH and PCI-compliant hosting facility, where all data operations are performed. Regular HIPAA audits and HIPAA compliance experts on staff ensure your data is closely managed and compliant. Your own access to the system is safeguarded using SSL and 128-bit encryption so you can safely log in from your office, home or mobile device.
Telephone Consumer Protection Act rules are designed to protect consumers from telemarketing messages, and apply to text messaging, residential phone lines, and wireless lines. Treatment plan notifications, appointment confirmations and other types of messaging sent on your behalf via RevenueWell are deemed by the FCC to be “health care messaging,” or “informational messaging,” and both have been exempted from the 2013 modification to the Act (known as the “new rules”).
In exempting this type of messaging, the FCC stated there is efficient and thorough oversight in HIPAA so as to “already safeguard consumer privacy” and that it did not “need to subject these calls to its consent, identification, opt-out, and abandoned call rules” (77 FR 34240).