Solutionreach is committed to helping you remain compliant with the objectives of HIPAA, the TCPA and CASL. We have taken precautions to ensure the highest standards of integrity when it comes to the Solutionreach Platform and maintaining complete confidentiality regarding the patient data entrusted to us by you.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency of the health care industry while ensuring the security and confidentiality of patient health information. HIPAA generally applies to “covered entities” (including any health care provider) and “business associates” (any third party engaged by a covered entity to help carry out its health care activities and functions). Thus, under HIPAA, you are a covered entity and Solutionreach is your business associate.
HIPAA privacy regulations require that you and your business associates develop and follow procedures that ensure the confidentiality and security of your patients’ protected health information (PHI) whenever it is transferred, received, handled, or shared. This requirement applies to all forms of PHI, whether on paper, in oral communications, or in electronic format. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
As your business associate, Solutionreach follows detailed policies governing the protection of your patients’ PHI, including employing administrative, physical, and technical safeguards as required by HIPAA rules and regulations. You can be confident that we will protect your patient data to help you stay compliant.
Providers may be concerned that cloud-based platforms are more vulnerable to internet-based attacks, but, with the proper security measures in place, cloud-based solutions carry no more threat of data breach than on-site data storage. In fact, quality cloud-based software can be more secure because it is more closely monitored; small businesses like healthcare practices can’t typically afford to employ team members responsible for managing the security of their server. The encrypted data stored within the Solutionreach platform is constantly monitored by experts who are committed to keeping your data safe. Choosing Solutionreach brings peace of mind and alleviates some of the complexity involved in staying compliant with HIPAA regulations.
There are some instances where HIPAA requires that you obtain prior authorization from the patient when using their PHI for marketing purposes. HIPAA defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
However, HIPAA offers an exemption that allows covered entities to communicate about their own products and services. So, messages you send to patients about products and services are not considered “marketing” under the HIPAA definition so long as they are products and services provided by you.
The Telephone Consumer Protection Act (TCPA) is a federal law that regulates the way consumers are contacted by telephone, fax and text message. These regulations apply to the text and automated landline messages you are able to send through the Solutionreach Platform to communicate with your patients. We have built our platform to support your compliance with the TCPA.
The TCPA requires that companies obtain consent from consumers prior to sending any sort of text or automated telephone messages. As a HIPAA covered entity, requirements for how that consent is obtained are different depending on whether your messaging only contains health-related information or if it includes marketing-focused content. We have broken the TCPA regulations apart below to help you understand what the restrictions are and how Solutionreach helps you stay compliant with them.
Consent for Informational Health Care Messages:
For HIPAA covered entities sending informational-only health-related messages, the patient’s consent can be written, electronic or verbal. With these guidelines, you are able to send your patients informational messages about their health care. Appointment reminders, follow-up care outreach/recall/recare reminders, eyewear notifications (where applicable), and other similar health care messages without marketing content fall within the informational health-related category.
The Solutionreach Platform includes default templates that meet the requirements for information-only content. However, Solutionreach messages can be personalized by you and your staff, so we encourage you to educate yourself on TCPA guidelines by visiting the U.S. Federal Communications Commission website prior to making any modifications to the default templates.
Consent for Marketing-Focused Messages:
The Solutionreach Platform can also be used to send or automate marketing-focused messages, which fall under tighter TCPA regulations. Messages with any sort of marketing content require that your patient provide your practice with “express written consent”, which may be obtained in an electronic format.
To help you remain TCPA compliant, the platform includes features that permit you to obtain that consent for any text message marketing you conduct so that marketing-focused messages are only delivered to patients who have given appropriate consent.
The TCPA requires that you honor patient requests to opt-out of future telephone, fax, or text messages. The Solutionreach Platform allows you to honor these requests on an individual basis. A patient may also opt-out of text messages at any time by replying with the word STOP to any text message sent through the Solutionreach platform.
You are obligated to identify your practice by name and telephone number in all text messages that are sent to patients. The Solutionreach Platform enforces this rule by requiring you to include identifying tokens in all text message templates. You will not be able to send any text messages that do not contain complete and proper identification.
For more information about your responsibilities under the TCPA, please visit the U.S. Federal Communications Commission website.
Canada’s Anti-Spam Legislation (CASL) is a Canadian federal law that regulates commercial electronic messages ("CEMs"). The legislation applies to any electronic message that encourages participation in a commercial activity and may include messages to email addresses, social media accounts, and text messages to cell phones. You can visit the Government of Canada’s website to learn more about CASL.
It is your responsibility to comply with all aspects of CASL as it relates to sending messages to your patients. The Solutionreach Platform is designed with this in mind, and it includes safeguards and features that, if used appropriately, will help you stay compliant.
Read the following sections to understand the various regulations and how Solutionreach helps you remain compliant with CASL.
In order to lawfully send CEMs to patients after July 1, 2014, you will need to have the necessary consent. Under CASL, consent can be either express or implied.
You may already have a practice of obtaining express consent (either oral or written) to send messages to your patients, but even if you have not collected express consent, you may still benefit from implied consent under CASL.
CASL allows for implied consent to send CEMs where there is an "existing business relationship" between the sender and the recipient. This relationship derives from the purchase of a product, goods, or service within the past two years or an inquiry about products or services within the past six months.
Therefore, as long as you are using the SR Platform to communicate with your bona fide patients (as intended), you are likely to have an "existing business relationship" for the purposes of CASL based on that patient relationship.
Under implied consent derived from an established business relationship, you are able to send messages to your patients, including appointment reminders, follow-up care outreach/recall/recare reminders, eyewear notifications (where applicable), and other similar messages – whether express consent for receiving messages has been obtained or not.
If you do not have an established business relationship with a particular patient, do not send messages to that individual.
CASL requires you to honor patient requests to opt-out or unsubscribe from future messages, so every message sent to patients using the Solutionreach Platform includes an opt-out or unsubscribe mechanism:
Text Messages from Solutionreach:
The instruction “Reply STOP to Opt-out” appears on each message you send. The recipient need only reply with the word STOP to any text message received and future text messages will stop.
Email Messages from Solutionreach:
For email messages, the “unsubscribe” link appears in the footer of each message you send. The recipient need only click the link to unsubscribe from future messages.
There are tools built into the platform that allow you to honor opt-out or unsubscribe requests on an individual patient basis. If a patient contacts you to request that you stop sending messages, you can do so by disabling the types of messages received and/or disabling the patient’s devices to which messages are sent.
In this regard, the Solutionreach Platform is extremely customizable to accommodate patient preferences. Be sure to honor any patient opt-out requests within 10 days in order to comply with CASL.
CASL requires you to identify yourself in all messages you send to patients. The Solutionreach Platform will enforce this rule by requiring you to include identifying tokens in all message templates. These tokens will automatically display your contact information in the messages you send. You will not be able to send any messages that do not contain complete and proper identification.
The Solutionreach Platform is designed to give you the most functionality possible when it comes to communicating and engaging with your patients. As such, the platform allows you some flexibility in the messaging content you create, but you will be asked to confirm and verify that your message content meets certain requirements. It is also your responsibility to promptly respond to and immediately honor all patient requests to opt-out or unsubscribe from future email or text messages.
For more information about your responsibilities under CASL, please visit the Government of Canada’s website at http://fightspam.gc.ca/.
Please note that, while we are dedicated to giving you tools that will help you stay compliant with HIPAA and TCPA regulations, the information we provide is not legal advice. You are responsible for ensuring the compliance of your patient messages. We encourage you to seek out competent legal counsel for specific direction and guidance.
We have provided the following information to help you understand what your responsibilities are, and how the Solutionreach service aids you in remaining compliant with these objectives.