
Jul 9 2014   1:55PM GMT

Patient engagement technologies: How to stay in touch and HIPAA-compliant

Posted by: adelvecchio
Accountable Care Organizations, HIPAA, HIPAA privacy rule, mHealth

Guest post by Rebekah Johnson, senior compliance manager, West Corporation

Technology has become so woven into the fabric of our society that it often overshadows face-to-face communication. It’s so prevalent in healthcare that patients have come to expect their doctors to use technology to communicate with them between office visits, hence the rise of patient engagement technologies. In 2012, a Medical Group Management Association study reported that approximately 44% of healthcare practices were using notifications technology to automate appointment reminders[1]. Today, mHealth is the fastest growing area in the health IT space. However, along with mass adoption of healthcare technology comes the necessary evil of compliance — which can be a crippling force that works against patient engagement.

When there are more pages of regulations for Medicare than in the Internal Revenue Service code, it’s no wonder healthcare professionals are struggling to keep up with regulations. Add HIPAA and its steep requirements for protecting sensitive patient data, and you’ve got a big case of compliance overload in the healthcare industry.

The compliance challenge makes it difficult for healthcare providers to maximize the technology investments they’ve made. There are thousands of healthcare providers that have automated appointment reminder systems in place. Most want to use that same technology platform to engage patients between doctor visits to drive improved health outcomes. When it comes to patient engagement, these same healthcare providers stop at simple appointment reminders because they don’t know what types of patient communications fall within the limits of HIPAA regulations.

The good news is, healthcare providers have a fairly open field when it comes to patient engagement technologies — they just need to understand the rules. For simplicity, compliance dos and don’ts should be considered in relation to messages that reach and engage patients and lead to better health outcomes.

Keep in touch with patients to reduce missed appointments

Today, it’s quite common for healthcare providers to reach out to patients with communications that remind them to make and keep appointments, or pay their bills. In fact, this strategy has resulted in a more than 30% reduction in missed appointments, industry-wide. It’s also been proven to reduce past-due accounts and increase monthly collections by more than 25%.[2]

When this type of message is generic in content, privacy and security considerations are not a concern, and the patient communications can be delivered via interactive voice response, text, email or mobile applications.

The most common compliance culprit for these messages is including information about the purpose of the appointment, such as, “This message is to remind you of your appointment for a biopsy of your left breast on Friday, November 2, at 3:00 PM.” These messages are fine when it comes to engaging patients. However, when patient details are included, it’s important the message be delivered using a secure mobile application with features that protect the privacy of the patient. Alternatively, the healthcare provider can simply remove the test details. Patients are open to receiving this type of communication via SMS or email — in fact, that’s often exactly the type of communication they prefer to receive from their healthcare provider. In that instance, it’s simply a matter of getting the patient’s permission and documenting her preferences so you can communicate in this fashion while remaining compliant.

Engaging patients to increase accountability

While payers and providers are usually in the spotlight when it comes to accountable care, the most successful models will be the ones that place a strong focus on patient accountability, said Kevin Pho, M.D. “All patients across the care continuum need to be participants in their own care, and providers should be implementing strategies to encourage this accountability both at the point of care and, more importantly, once the patient goes home[3],” he wrote.

To achieve success, healthcare professionals need to go beyond reminding patients to keep appointments and pay their bills. Healthcare providers must communicate with patients between visits and offer information that will help them understand the state of their health, their personal role in becoming healthier, and hope that will help patients stick with treatment plans between appointments. This is precisely the level of support Americans are asking for from their healthcare providers.

The TeleVox Healthy World report titled, “Technology Beyond the Exam Room,” found that 85% of United States healthcare consumers feel that high-tech engagement, from sources such as email, text messages and voicemails, is as helpful, if not more helpful, than in-person or phone conversations with their healthcare provider. More than 35% of patients who don’t follow exact treatment plans say that they would be more likely to follow directions if they received reminders from their doctors via email, voicemail or text[4].

Moving from simple appointment reminders to engaging patients at this level is where healthcare providers begin to feel crippled by compliance. Fortunately, when taking patient engagement up a notch, a little knowledge goes a long way toward remaining compliant. In the case of HIPAA regulations, the most important thing for healthcare providers to remember is that the same rules apply regardless of whether the communication is a text message reminding the patient of an upcoming appointment or an email intended to educate the patient about his health and encourage him to follow his treatment plan.

Healthcare providers don’t need to worry about non-compliance of HIPAA privacy and security when communications contain generic information. However, messages that reveal past or present health conditions can cause compliance concerns. The workaround is being diligent about capturing, documenting and using patient engagement preferences and permissions. With diligence comes a policy that enables compliance officers, in many cases nurses, to quickly and easily approve and deliver patient engagement communications based on the patient’s unique preferences and permissions. A policy should provide communications guidelines that include clear examples of messages or pre-approved scripts by the healthcare professional. It also should include examples of messages that may require a closer compliance review prior to delivery.

It’s also a good idea to have a formal procedure for capturing and documenting patient engagement preferences. It could be as simple as having the patient complete an electronic questionnaire on a tablet while waiting to be greeted by the doctor. This intake form should ask patients to share their preferences for receiving various types of communications. The way patients prefer to receive communications from their provider will likely change based on the information being delivered. For example, patients often want their doctors to email educational tips or information that will help them live a more healthy life, but they may prefer to receive a phone call to remind them about an upcoming appointment.


[Activating positive patient behaviors requires providers not only understand what information their patients require to stay on track, but how their patients want that communication to be delivered — via voice, automated messages, text or email.]

Activating improved health outcomes

With the industry’s movement toward accountable care, it’s no longer enough to prescribe a treatment plan. It’s increasingly important for healthcare providers to focus on encouraging patients to follow treatment plans. This requires ongoing reminders and alerts to take medication, check blood sugars, eat right, and exercise. In fact, research shows patients welcome activation emails, text messages and voicemails from their healthcare providers that tell them to do something specific, such as take medication, schedule a routine medical screening, or get a flu shot. Almost half of American adults are currently treating a disease or chronic illness, such as a heart problem, diabetes or cancer[5]. That’s more than 100 million opportunities for healthcare providers to deliver communications that drive patients to follow their treatment plans.

In the near future, two-way communication between patients and providers will be the norm. So, overcome the compliance challenge today by putting the power of preference in the hands of the patient.

This article is intended to provide general information about the subject matter covered. It is not intended to provide legal advice, opinions, or serve as a substitute for counsel by licensed legal professionals.

About the author: Rebekah Johnson, CIPP/US, is a senior compliance manager for West Corporation. In this role, she develops and maintains compliance operations concerning the privacy and security of client information, including personally identifiable information, PHI, sensitive and financial data. Rebekah’s experience also includes managing West Notification, Inc.’s U.S.-European Union Safe Harbor certification.

[1] “2012 Performances and Practices of Successful Medical Groups,” Medical Group Management Association, 2012.

[2] TeleVox Software

[3] “Implementing Strategies to Encourage Patient Accountability”,, January 2012.

[4] “Technology Beyond the Exam Room: How Digital Media is Helping Doctors Deliver the Highest Level of Care,” TeleVox Software, December 2012.

[5] “Chronic Diseases: The Leading Causes of Death and Disability in the United States,” Centers for Disease Control and Prevention, 2012.
