Developers and HIPAA

Push Notifications

We have a communication platform where providers, patients, and family members can connect and communicate securely. The patient can set their own preferences around how they receive notifications about types of messages, and from whom in the app. We would like to send the patient a push notification so they are aware there is a new message in the app. We can send a push notification that says "There is a new message in the APP" and just points them to the app without saying what the message is; however, with patient consent, can we also send a push notification that shows the message or a part of it? An example of a message would be "Your appointment with Dr. Smith is scheduled for 2pm Friday" or "We have rescheduled the nutrition class to 2pm Thursday" or "Your lab results are available".

In a prior post on this site about unsecure text messages to/from a patient, the response was as follows: The HIPAA Requirement with which a covered entity must comply before sending an unencrypted electronic transmission to a patient over an electronic communications network - i.e. an unencrypted text message or email - is clear and unequivocal. The covered entity has a "Duty to Warn" the patient that there may be some level of risk that the information could be read by a third party. If the patient is notified of the risks and still prefers unencrypted text messages, the patient has the right to receive unencrypted text messages from the covered entity and covered entities are not responsible for unauthorized access of protected health information while in transmission or for safeguarding information once delivered to the patient. Protected health information is not confined to diagnostic, medical or sensitive information. The warning and patient consent must be documented in writing. See 78 Federal Register p. 5634, Jan. 25, 2013; 79 Federal Register p. 7302, Feb. 6, 2014; 45 CFR § 164.312(e); 45 CFR § 164.316(b)(1)(ii); 45 CFR § 164.530(j)(1). See also FCC Declaratory Ruling and Order, FCC 15-72, CG Docket No. 02-278, WC Docket No. 07-135, Paragraphs 146-148, pages 70-72 and footnote 369, page 57 - text messages to cell phones "must comply with HIPAA privacy rules".

 

Does this also apply to push notifications? So if we provide the "Duty to Warn" and the patient accepts the risks and still prefers seeing the message content in the push notification, that is acceptable?


Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Developer of Mhealth apps (not mobile medical apps), Small company

Question No. 86