Compliance and Legal Issues with Your Patient Engagement Strategy

Melissa Goldman, Esq. Baker Donelson

mgoldman@bakerdonelson.com

Promise of Patient Engagement

• Patient engagement helps practices improve the patient experience

• Reimbursement and revenue increasingly tied to

patient satisfaction scores • Engaged patients are more likely to take

preventative measures and experience better outcomes

Key Engagement Statistics

69% of healthcare organizations use

patient engagement tools

Source: West Strengthening Chronic Care: Patient Engagement Strategies for Better Management of Chronic Conditions

54% of patients feel a weekly or twice-weekly

check-in from their provider would be

valuable

Source: 2016 NEJM Catalyst Patient Engagement Survey

80% of smartphone users want to use their

smartphones to interact with health

care providers

Source: 2014 FICO Survey

69% of smartphone users want to receive reminders to schedule appointments or take

medication Source: 2014 FICO Survey

Patient Engagement Trends

• Automating patient outreach via phone, email, text and bots

• Microtargeting patients and potential patients on social media

• Encouraging user-generated content

Compliance Challenges

• FDA Regulation

• HIPPA

• CAN-SPAM Act

• FTC guidance on endorsements and testimonials

• Telephone Consumer Protections Act (TCPA)

• CITA

Chatbots • What is a chatbot? • A chatbot is a software program that "chats" simulating

human conversations through voice commands, textual methods or both

• How are practices using chatbots? • Uses it to automate routine administrative patient

communications on their websites, through social media messaging services (e.g facebook messaging) and SMS texts

• Integrating with population health platforms to communicate with patients regarding care management interventions

Chatbot as Care Delivery • FDA Draft Guidance on Clinical and Patient Decision Support

Software published December 8, 2017 • FDA does not intend to enforce compliance with applicable regulatory

requirements for Patient Decision Support Software that meets all of the following factors:

1. Do not acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;

2. Display, analyze, or print medical information about a patient or other medical information (such as information derived from peer-reviewed clinical studies and clinical practice guidelines);

3. Support or provide recommendations to patients or non-health care professional caregivers about prevention, diagnosis, or treatment of a disease or condition; and

4. Enable the patient or non-health care professional caregiver to independently review the basis for the recommendation so that it is not the intent that such patient or non-health care professional rely primarily on any of such recommendations to make a decision regarding the patient

Chatbot as Care Delivery

• Potential malpractice risk?

• Terms of Use and Disclosures – patients should be aware they are speaking to a bot

• Disclaimers and potential human triggers

• Data protection

• Infringement of third party rights

HIPAA

• Covered entities must obtain authorization for uses or disclosures of PHI for “marketing”

• “Marketing” means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service

• Exceptions exist (statutory from HITECH and within definition)

• If marketing involves financial remuneration to covered entity from a third party, the authorization must disclose this

• “Financial remuneration” means direct or indirect payment by the third party whose product or service is being described

CAN-SPAM – Not Just Emails

• Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003

• CAN-SPAM applies to social media messages as well as emails • MySpace Inc. v. Wallace –rejected the defendant’s arguments

that to be “electronic mail messages” under the CAN-SPAM Act, messages must include a domain name and an external route for travel

• Facebook, Inc. v. MaxBounty, Inc. held that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act

CAN-SPAM Act

• Applies to both initiators and senders

• A person/entity is an "initiator" of a commercial electronic message if it either:

• Originates or transmits the message

• Procures the transmission of the message, meaning that the business either intentionally pays or provides other consideration to, or induces, another person to transmit the message on its behalf.

• A sender is an initiator whose own product or service, or internet website, is advertised or promoted in the commercial message.

CAN-SPAM Act • FTC is the primary enforcer of the CAN-SPAM Act, the CAN-SPAM Act also

allows various federal, state, and Internet access services to bring claims for violations

• FTC • civil penalties up to $16,000 for each separate message (if based on actual

knowledge or knowledge fairly implied) • Injunctive relief (even without a showing of knowledge)

• FCC • the FCC can seek fines up to $16,000 per message with a maximum of

$112,500 per message

• States • Injunctive relief • Actual damages or statutory damages up to $250 per e-mail, whichever is

greater, up to a maximum award of $2 million (Note that claims for false or misleading header information do not count towards the $2 million cap.)

• Three times the amount of statutory damages for willful, knowing, or aggravated violations

• Attorney’s fees and costs

CAN-SPAM Act

• Limited application to informational messages

• Does not prohibit all unsolicited commercial email, but does have specific content and opt-out requirements for most emails in addition to prohibition on misleading transmission information

• Prohibits the sending commercial messages to certain wireless email domain addresses, unless the recipient gives express prior authorization (opts-in), which can be written or oral • The FCC maintains a list of domain names for wireless

messaging services posted at https://www.fcc.gov/domain-name-downloads

CAN-SPAM Requirements

• Prohibits fraudulent or misleading transmission information for informal and commercial messages

• The "From" line must identify the business as the sender.

• Provide the recipient with enough information to understand who is sending the message

• Additional requirements for commercial messages:

• The message must include complete and accurate transmission and header information

• Clear identification that the message is an advertisement or solicitation

• Cannot use deceptive subject heading

• Include the sender's valid physical postal address

• Opt-out mechanism

Opt-Out Requirements • The message must include either an email address or other online

mechanism that the recipient may use for this opt out

• The mechanism must not require the recipient to:

• Do anything more than reply to the email or visit a single web page to opt out

• Make any payment or submit any personal information, including account information (other than email address), to opt out

• The opt-out mechanism must work for at least 30 days after the email is sent

• Must honor opt-out requests within 10 days

• Opt-outs do not expire

HIPAA: Emails or Texts

OCR HIPAA Privacy FAQ 570

HIPAA: Emails or Texts

OCR HIPAA Security FAQ

Patient Reviews and Testimonials

• FTC has issued Guidelines Concerning the Use of Endorsements and Testimonials in Advertising intended to help advertisers comply with the FTC Act and minimize the risk of FTC enforcement action

• FTC will treat a consumer’s statements as an endorsements if, viewed objectively, it appears that the relationship between the advertiser and the speaker is of a type that the speaker's statement can be understood to be sponsored by the advertiser

• An advertiser may be liable for an endorser's statements, even if the advertiser:

• Did not authorize the consumer's statements

• Had no ability to control the consumer's statement

• Relevant facts to determine if endorsement is sponsored vary and cannot be fully set out, but include:

• Whether the speaker is compensated by the advertiser or its agent.

• Whether the product or service in question was provided for free by the advertiser.

• The terms of any agreement.

• The length of the relationship.

• The previous receipt of products or services from the same or similar advertisers, or the likelihood of future receipt of products or services.

• The value of the items or services received

Patient Reviews and Testimonials

• Must disclose any material connection between an advertiser and an endorser

• Must ensure that claims in endorsement are truthful

• FTC advises advertises to:

• Ensure that endorsers make the disclosures

• Make certain that employee postings that mention company products on social media include disclosure of the employment relationship

• Monitor to ensure that endorsers and employees make the appropriate disclosures

• Ensure that the disclosure is clear and conspicuous

• Avoid encouraging endorsements that use features – such as "likes," "pins," or "shares" – that do not allow for clear and conspicuous disclosures if the absence of that disclosure would be misleading

• Take appropriate steps if an endorser does not make the disclosure

Patient Reviews and Testimonials

Patient Reviews and Testimonials

• HIPAA applies!

• Follow all HIPAA marketing requirements when soliciting and posting testimonials

• For any patient testimonial, you must have an agreement and authorization form signed by your patient

• Patient does not waive HIPAA rights by posting online

• There is no HIPAA exception for responding to an online patient complaint

TCPA • What does the TCPA place restrictions or prohibitions on?

• Calls that violate a consumer’s request not to receive calls • Telemarketing calls to residential landlines • Telemarketing and information calls and texts to wireless lines • Times calls and texts can be made

• What do the prohibitions depend on? • Equipment used to make the calls or texts – ATDS v. manual • Form of consent – prior express v. prior written • Content of the call – marketing v. information

• Who Enforces the TCPA? • FCC • States • Private right of action

TCPA Litigation on the Rise • Consumers can sue and win without showing harm even when

good faith mistake

• Class actions are increasingly popular

• Injunctive relief which can disrupt business practices

• Penalties of $500 per call/text and $1,500 per call/text for willful violations plus attorneys’ fees

• Common misconceptions:

• TCPA doesn’t cover calls to patients from HIPAA covered entities

• TCPA only applies to telemarketing calls

• Mostly compliant is okay

Key Definitions • Automatic telephone dialing system (ATDS) - Equipment that has

“capacity” to: • Store or produce numbers to be called, using a random or

sequential number generator • Dial those numbers

• Equipment is ATDS not just based on present capacity but also on potential future capabilities

• May includes predictive dialers not only when they call numbers

randomly/sequentially but also when they call from fixed customer list

• Many patient engagement tools are currently considered ATDS • FCC is expected to look at/further refine the definition of ATDS

again

TCPA Required Consent

Call/text to: Using: Message: Required Consent:

Cell phone ATDS or pre-recorded/ artificial voice

Informational Prior express

Cell phone ATDS or pre-recorded/ artificial voice

Marketing Prior written

Residential landline

Pre-recorded/ artificial voice

Marketing Prior written

Cell or residential landline

Manual with live caller

Informational or marketing

None

Prior Express Consent

• Written

• Oral (ensure you can prove)

• Implied by consumer providing his/her number (risky)

• Scope of consent is key issue

• Case-by-case determination

Prior Express Written Consent • What is required for valid prior express written consent?

• Clear and conspicuous consent to receive prerecorded or autodialed calls/texts

• Specifically name the company to whom consent is provided

• Specify the consumer’s phone number

• State consent is not required as a condition of purchasing products/services

• Signed by consumer (electronic or handwritten)

• How can written consent be obtained? • Web form

• Texting to short code

• Paper

CTIA Requirements

• Disclose name, product, short code

• Obtain separate written consent for unrelated messages

• Obtain user-initiated written consent

• Confirm web-form subscription with double opt-in

• Specify if recurring messaging (ex. 3msg/wk)

• Disclose inherent cost “Msg & data rates may apply” adjacent to the call to action

• Provide easy access to terms and conditions and privacy policy (ex. Hyperlinks)

• Instruct how to get help and how to stop (opt-out) from the handset

TCPA and Healthcare Safe Harbor • There are TCPA carve-outs and safe harbors for certain calls

subject to HIPAA, but they are much narrower than most people think

• Only calls that are exigent and made for a health care treatment purpose fall within the safe harbor, specifically: • Appointment and exam confirmation and reminders

• Wellness checkups

• Hospital pre-registration instructions

• Pre-operative instructions

• Lab results

• Post-discharge follow-up intended to prevent readmission

• Prescription notifications

• Home healthcare instructions

TCPA and Healthcare Safe Harbor • The calls/texts must be only for the reasons listed previously

and must met the following strict conditions:

• Must be informational only

• Must have obtained express consent (written not required)

• Must meet HIPAA consent/authorization requirements

• Must be free to recipient of the call (usually the patient)

• Must be sent only to the number provided by the patient

• Must state the name and contact information of the provider

• Must be from a HIPAA covered entity/business associate

• Must be concise (cannot exceed 1 minute or 160 characters)

• Cannot exceed 1 call/text per day or 3 calls/texts per week

• Must include easy means to opt-out

• Must honor opt-out requests immediately

Questions?

Melissa Goldman, Esq,

Baker Donelson

mgoldman@bakerdonelson.com