WARMRegards April 2019: Safeguarding Your Clients’ Protected Health Information
Welcome to WARMRegards! We’ve recently restarted our popular e-newsletter aimed at helping WIC agencies discover the latest developments in technology, applications, and tips-of-the-trade. It’s our goal to support you in reaching and retaining more WIC clients.
With busy clinics and the advent of new technologies, it’s becoming increasingly difficult to ensure the safety of your clients’ protected health information (PHI). While WIC is not subject to HIPAA regulations, your program does still need to comply with federal WIC regulations as well as USDA and state confidentiality policies.
What Kind of Information is Protected?
Because WIC is subject to regulation at the state and federal level, but does not need to comply with HIPAA, it can be confusing to understand exactly what kind of information is and is not protected. Your clinic will want to err on the side of caution and check state regulations regularly, as well as the WIC confidentiality policy.
Wisconsin WIC outlined the WIC confidentiality policy, including what information is available to whom and how much of it is protected:
- Applicants and participants have access to all the information they’ve provided to WIC (example: a participant wants to see what staff has entered into their file).
- Applicants and participants do not have access to information provided by WIC staff (example: information the staff received from a participant’s social worker).
- Identifying information (name, address, etc.) can be released to WIC staff, volunteers, and/or law enforcement.
- Information regarding treatment requires written consent for release.
- Parents of teenage WIC members cannot access identifying or health-related information about their teenage child.
- Divorced or separated parents both have access to a child’s information, unless otherwise stated in a court custody order.
- Birth parents of a foster child can have access to the child’s information, unless parental rights have been terminated or restricted.
- Other staff (nurses, social workers, etc.) will need a Memorandum of Understanding to access health information.
How to Comply with Confidentiality Policies at Your Clinic
In short, while WIC agencies aren’t necessarily required to comply with HIPAA (though some hybrid facilities may be part of other health services and will need to comply), your clinic still needs to ensure that private and personal health information is kept secure. You need to know that when you share protected health information, you are sharing it with the right person.
The Iowa Department of Public Health suggests some easy steps you can take in your clinic to ensure the privacy of PHI. One thing you can do is separate the check-in area and clinic stations from public areas like the waiting room, making it harder for others to overhear private conversations. This can be achieved using room dividers and walls to maximize privacy. Make sure computers log out quickly so information does not stay on-screen for long, and turn computer screens so they are not visible to other people.
Some other steps you can take include:
- Creating waiting room distractions (a television at one end of the room) to establish privacy.
- Requiring written consent before sharing any personally-identifiable information.
- Establishing parent/guardian relationships with children before sharing information about the child.
But protecting your clients’ health information goes beyond in-person visits. While SMS appointment reminders are a great way to help busy moms stay on top of their appointments, you’ll want to make sure that you’re not inadvertently sending PHI over text message.
Protecting Your Clients’ Information in a Digital World
Sending electronic appointment reminders can help your clients make it to their appointments and get the services they need. These reminders should contain nothing more than the client’s name, general “what to bring” information, and the time and date of their appointment. Anything more identifying (such as a mention of a client’s high-risk pregnancy) risks the privacy and security of your client.
We have a few suggestions regarding text messaging and PHI. First, consider the vendor you choose. Often, vendors who are able to provide extremely low-cost services use offshore staff and/or resources. This is something you’ll want to be aware of as you shop around for a vendor, because many states prohibit using vendors who outsource their services. To ensure the security of sensitive personal information, you’ll want to use U.S. vendors who are legally bound to U.S. regulations. Note that legitimate vendors should not state that they are “HIPAA compliant” because they cannot verify that the individual WIC agency won’t transmit protected content.
Second, be aware that two-way chat via SMS is not secure. You will not be able to ensure that either party is not inadvertently disclosing information that should be protected. Therefore, we suggest that any two-way conversational chats be conducted using a secure and encrypted chat app.
Finally, check your state’s laws to determine whether you can communicate PHI electronically with written consent. You might also want to check your state’s regulations regarding IT security when it comes to the transmission and storage of PHI.
Because of the sensitive information kept in your clinic, you’ll want to do what you can to keep personal and private health information protected. Setting up your clinic in a way that enhances privacy is a great step, but be sure to carry over that privacy to electronic communications. When your clients feel safe, secure, and respected in your clinic, they’ll be more likely to continue participating in WIC.
By Shela Ward