Compliance and Legal Issues with Your Patient Engagement Strategy
Melissa Goldman, Esq. Baker Donelson
Promise of Patient Engagement
• Patient engagement helps practices improve the patient experience
• Reimbursement and revenue increasingly tied to patient satisfaction scores
• Engaged patients are more likely to take preventative measures and experience better outcomes
Key Engagement Statistics
69% of healthcare organizations use patient engagement tools
Source: West Strengthening Chronic Care: Patient Engagement Strategies for Better Management of Chronic Conditions
54% of patients feel a weekly or twice-weekly check-in from their provider would be valuable
Source: 2016 NEJM Catalyst Patient Engagement Survey
80% of smartphone users want to use their smartphones to interact with health care providers
Source: 2014 FICO Survey
69% of smartphone users want to receive reminders to schedule appointments or take medication
Source: 2014 FICO Survey
Patient Engagement Trends
• Automating patient outreach via phone, email, text and bots
• Microtargeting patients and potential patients on social media
• Encouraging user-generated content
Compliance Challenges
• FDA Regulation
• HIPAA
• CAN-SPAM Act
• FTC guidance on endorsements and testimonials
• Telephone Consumer Protection Act (TCPA)
• CTIA
Chatbots
• What is a chatbot?
• A chatbot is a software program that "chats," simulating human conversations through voice commands, textual methods or both
• How are practices using chatbots?
• Automating routine administrative patient communications on their websites, through social media messaging services (e.g., Facebook messaging) and SMS texts
• Integrating with population health platforms to communicate with patients regarding care management interventions
Chatbot as Care Delivery
• FDA Draft Guidance on Clinical and Patient Decision Support Software published December 8, 2017
• FDA does not intend to enforce compliance with applicable regulatory requirements for Patient Decision Support Software that meets all of the following factors:
1. Do not acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
2. Display, analyze, or print medical information about a patient or other medical information (such as information derived from peer-reviewed clinical studies and clinical practice guidelines);
3. Support or provide recommendations to patients or non-health care professional caregivers about prevention, diagnosis, or treatment of a disease or condition; and
4. Enable the patient or non-health care professional caregiver to independently review the basis for the recommendation so that it is not the intent that such patient or non-health care professional rely primarily on any of such recommendations to make a decision regarding the patient
Chatbot as Care Delivery
• Potential malpractice risk?
• Terms of Use and Disclosures – patients should be aware they are speaking to a bot
• Disclaimers and potential human triggers
• Data protection
• Infringement of third party rights
HIPAA
• Covered entities must obtain authorization for uses or disclosures of PHI for “marketing”
• “Marketing” means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
• Exceptions exist (statutory from HITECH and within definition)
• If marketing involves financial remuneration to covered entity from a third party, the authorization must disclose this
• “Financial remuneration” means direct or indirect payment by the third party whose product or service is being described
CAN-SPAM – Not Just Emails
• Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003
• CAN-SPAM applies to social media messages as well as emails
• MySpace Inc. v. Wallace – rejected the defendant’s arguments that to be “electronic mail messages” under the CAN-SPAM Act, messages must include a domain name and an external route for travel
• Facebook, Inc. v. MaxBounty, Inc. held that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act
CAN-SPAM Act
• Applies to both initiators and senders
• A person/entity is an "initiator" of a commercial electronic message if it either:
• Originates or transmits the message
• Procures the transmission of the message, meaning that the business either intentionally pays or provides other consideration to, or induces, another person to transmit the message on its behalf.
• A sender is an initiator whose own product or service, or internet website, is advertised or promoted in the commercial message.
CAN-SPAM Act
• FTC is the primary enforcer of the CAN-SPAM Act; the CAN-SPAM Act also allows various federal, state, and Internet access services to bring claims for violations
• FTC
• Civil penalties up to $16,000 for each separate message (if based on actual knowledge or knowledge fairly implied)
• Injunctive relief (even without a showing of knowledge)
• FCC
• The FCC can seek fines up to $16,000 per message with a maximum of $112,500 per message
• States
• Injunctive relief
• Actual damages or statutory damages up to $250 per e-mail, whichever is greater, up to a maximum award of $2 million (Note that claims for false or misleading header information do not count towards the $2 million cap.)
• Three times the amount of statutory damages for willful, knowing, or aggravated violations
• Attorney’s fees and costs
CAN-SPAM Act
• Limited application to informational messages
• Does not prohibit all unsolicited commercial email, but does have specific content and opt-out requirements for most emails in addition to prohibition on misleading transmission information
• Prohibits sending commercial messages to certain wireless email domain addresses, unless the recipient gives express prior authorization (opts in), which can be written or oral
• The FCC maintains a list of domain names for wireless messaging services posted at https://www.fcc.gov/domain-name-downloads
CAN-SPAM Requirements
• Prohibits fraudulent or misleading transmission information for informational and commercial messages
• The "From" line must identify the business as the sender.
• Provide the recipient with enough information to understand who is sending the message
• Additional requirements for commercial messages:
• The message must include complete and accurate transmission and header information
• Clear identification that the message is an advertisement or solicitation
• Cannot use a deceptive subject heading
• Include the sender's valid physical postal address
• Opt-out mechanism
Opt-Out Requirements
• The message must include either an email address or other online mechanism that the recipient may use to opt out
• The mechanism must not require the recipient to:
• Do anything more than reply to the email or visit a single web page to opt out
• Make any payment or submit any personal information, including account information (other than email address), to opt out
• The opt-out mechanism must work for at least 30 days after the email is sent
• Must honor opt-out requests within 10 days
• Opt-outs do not expire
HIPAA: Emails or Texts
OCR HIPAA Privacy FAQ 570
HIPAA: Emails or Texts
OCR HIPAA Security FAQ
Patient Reviews and Testimonials
• FTC has issued Guidelines Concerning the Use of Endorsements and Testimonials in Advertising intended to help advertisers comply with the FTC Act and minimize the risk of FTC enforcement action
• FTC will treat a consumer’s statements as an endorsement if, viewed objectively, it appears that the relationship between the advertiser and the speaker is of a type that the speaker's statement can be understood to be sponsored by the advertiser
• An advertiser may be liable for an endorser's statements, even if the advertiser:
• Did not authorize the consumer's statements
• Had no ability to control the consumer's statement
• Relevant facts to determine if endorsement is sponsored vary and cannot be fully set out, but include:
• Whether the speaker is compensated by the advertiser or its agent.
• Whether the product or service in question was provided for free by the advertiser.
• The terms of any agreement.
• The length of the relationship.
• The previous receipt of products or services from the same or similar advertisers, or the likelihood of future receipt of products or services.
• The value of the items or services received
Patient Reviews and Testimonials
• Must disclose any material connection between an advertiser and an endorser
• Must ensure that claims in endorsement are truthful
• FTC advises advertisers to:
• Ensure that endorsers make the disclosures
• Make certain that employee postings that mention company products on social media include disclosure of the employment relationship
• Monitor to ensure that endorsers and employees make the appropriate disclosures
• Ensure that the disclosure is clear and conspicuous
• Avoid encouraging endorsements that use features – such as "likes," "pins," or "shares" – that do not allow for clear and conspicuous disclosures if the absence of that disclosure would be misleading
• Take appropriate steps if an endorser does not make the disclosure
Patient Reviews and Testimonials
• HIPAA applies!
• Follow all HIPAA marketing requirements when soliciting and posting testimonials
• For any patient testimonial, you must have an agreement and authorization form signed by your patient
• Patient does not waive HIPAA rights by posting online
• There is no HIPAA exception for responding to an online patient complaint
TCPA
• What does the TCPA place restrictions or prohibitions on?
• Calls that violate a consumer’s request not to receive calls
• Telemarketing calls to residential landlines
• Telemarketing and information calls and texts to wireless lines
• Times calls and texts can be made
• What do the prohibitions depend on?
• Equipment used to make the calls or texts – ATDS v. manual
• Form of consent – prior express v. prior written
• Content of the call – marketing v. information
• Who enforces the TCPA?
• FCC
• States
• Private right of action
TCPA Litigation on the Rise
• Consumers can sue and win without showing harm, even in the case of a good faith mistake
• Class actions are increasingly popular
• Injunctive relief which can disrupt business practices
• Penalties of $500 per call/text and $1,500 per call/text for willful violations plus attorneys’ fees
• Common misconceptions:
• TCPA doesn’t cover calls to patients from HIPAA covered entities
• TCPA only applies to telemarketing calls
• Mostly compliant is okay
Key Definitions
• Automatic telephone dialing system (ATDS) - Equipment that has “capacity” to:
• Store or produce numbers to be called, using a random or sequential number generator
• Dial those numbers
• Equipment qualifies as an ATDS based not just on present capacity but also on potential future capabilities
• May include predictive dialers not only when they call numbers randomly/sequentially but also when they call from a fixed customer list
• Many patient engagement tools are currently considered ATDS
• FCC is expected to look at/further refine the definition of ATDS again
TCPA Required Consent
Call/text to | Using | Message | Required consent
Cell phone | ATDS or pre-recorded/artificial voice | Informational | Prior express
Cell phone | ATDS or pre-recorded/artificial voice | Marketing | Prior written
Residential landline | Pre-recorded/artificial voice | Marketing | Prior written
Cell or residential landline | Manual with live caller | Informational or marketing | None
Prior Express Consent
• Written
• Oral (ensure you can prove)
• Implied by consumer providing his/her number (risky)
• Scope of consent is key issue
• Case-by-case determination
Prior Express Written Consent
• What is required for valid prior express written consent?
• Clear and conspicuous consent to receive prerecorded or autodialed calls/texts
• Specifically name the company to whom consent is provided
• Specify the consumer’s phone number
• State consent is not required as a condition of purchasing products/services
• Signed by consumer (electronic or handwritten)
• How can written consent be obtained?
• Web form
• Texting to short code
• Paper
CTIA Requirements
• Disclose name, product, short code
• Obtain separate written consent for unrelated messages
• Obtain user-initiated written consent
• Confirm web-form subscription with double opt-in
• Specify if recurring messaging (ex. 3msg/wk)
• Disclose inherent cost “Msg & data rates may apply” adjacent to the call to action
• Provide easy access to terms and conditions and privacy policy (ex. Hyperlinks)
• Instruct how to get help and how to stop (opt-out) from the handset
TCPA and Healthcare Safe Harbor
• There are TCPA carve-outs and safe harbors for certain calls subject to HIPAA, but they are much narrower than most people think
• Only calls that are exigent and made for a health care treatment purpose fall within the safe harbor, specifically:
• Appointment and exam confirmation and reminders
• Wellness checkups
• Hospital pre-registration instructions
• Pre-operative instructions
• Lab results
• Post-discharge follow-up intended to prevent readmission
• Prescription notifications
• Home healthcare instructions
TCPA and Healthcare Safe Harbor
• The calls/texts must be only for the reasons listed previously and must meet the following strict conditions:
• Must be informational only
• Must have obtained express consent (written not required)
• Must meet HIPAA consent/authorization requirements
• Must be free to recipient of the call (usually the patient)
• Must be sent only to the number provided by the patient
• Must state the name and contact information of the provider
• Must be from a HIPAA covered entity/business associate
• Must be concise (cannot exceed 1 minute or 160 characters)
• Cannot exceed 1 call/text per day or 3 calls/texts per week
• Must include easy means to opt-out
• Must honor opt-out requests immediately