Post by plevineod on Nov 7, 2015 7:46:54 GMT -6
When we email patients their user name and password to access the portal, this is insecure. How is this not some sort of noncompliance with HIPAA?
Paul
Post by plevineod on Nov 16, 2015 17:07:22 GMT -6
Any chance to get a CPM representative to respond to this question?
Post by friscoeyeassociates on Nov 16, 2015 18:29:09 GMT -6
I am not a CPM Representative, but I will comment that the default message sent by CPM to inform the patient of their portal login and password is HIPAA compliant as long as your office is following the necessary protocols to communicate with patients electronically in the first place. These protocols include:
- Mentioning in your office's Notice of Privacy Practices that you may conduct certain patient communications electronically, but that you will not disclose PHI (Patient Health Information) in these messages. An example that many of us probably already use would be appointment reminders, or these portal notifications sent by CPM.
- When your patients check in, there should be some kind of verification that the information contained on file is up to date and accurate for them, and their E-Mail should be included in this information. The patient needs to sign either a paper verifying this info is correct or sign after verifying on a signature pad. They also need to sign an Acknowledgement of Notice of Privacy Practices when they check in, signifying they know that they have the opportunity to read the full Notice of Privacy Practices should they desire to do so. Our office utilizes the TOPAZ signature pads recommended by CPM for both of these items. It will quickly display their basic info, they will sign, then it will display a short Acknowledgement of Notice of Privacy Practices which they will sign, and both signatures go straight to their chart in CPM. This covers your office against any non-compliance with HIPAA: you have both verified that the email on file is correct, and also notified the patient you may contact them via email through your Notice of Privacy Practices. If you are interested (I'm sure most have already stopped reading lol), there is some more information if you follow this link to the Department of Health and Human Services: www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf
- It is also a good idea to always include a disclaimer in emails sent to patients. I have ours set up as a signature with our email client and it is included in every email sent from that address. example --> "THE INFORMATION CONTAINED IN THIS MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENT NAMED ABOVE. This message is confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error, and that any review, disclosure, dissemination, distribution or copying of this message, or the taking of any action in reliance on its contents, is strictly prohibited. If you have received this communication in error, please notify us immediately and destroy the documents. Thank you."
Hope that helps!