Supreme Court Ruling in Facebook Case: The Implications
Attorney Paul Hales on What Healthcare Organizations Need to Know
A recent Supreme Court ruling in a Facebook case offers important lessons to the healthcare sector, says regulatory attorney Paul Hales.
The case centered on a dispute between Facebook and Noah Duguid, who received repeated cell phone text alerts from the social media platform warning him about logins to his account from an unknown device or browser - despite Duguid never having had a Facebook account.
The court's April 1 decision in the Facebook v. Duguid case involved a legal dispute centering on the Telephone Consumer Protection Act. Among other things, the act restricts certain communications made with an automatic telephone dialing system, or ATDS.
The TCPA defines “autodialers” as equipment with the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator” and to dial those numbers.
The TCPA was passed by Congress in 1991 to crack down on nuisance telemarketing robocalls, as well as potentially dangerous autodial calls that can tie up emergency phone lines.
Duguid alleged in his lawsuit against Facebook that the company's repeated text alerts about unauthorized logins to his nonexistent Facebook account violated the TCPA. But the Supreme Court disagreed, deciding that the TCPA applies only to an ATDS that can generate random or sequential telephone numbers. Software that sends text messages to numbers stored in a database - including a healthcare provider's list of patient contact information - is not considered an ATDS, the Supreme Court ruled, Hales says.
The court's decision in the Facebook case has implications for HIPAA-covered entities that send out electronic text messages, Hales points out in an interview with Information Security Media Group. Although text messages offering appointment reminders are not prohibited under TCPA, "covered entities are still responsible for complying with HIPAA," which requires safeguarding the protected health information contained in the messages, he says.
"If you're a healthcare provider sending unencrypted text messages to patients with information like, 'You have an appointment' - well, that means if you're using a system that doesn’t generate random telephone numbers to send a message, you're not subject to TCPA … but you are still subject to HIPAA," he says.
"HIPAA's transmission security standard requires providers to implement security measures to guard against unauthorized access of electronic PHI that's being transmitted over an electronic network," he points out. That includes an addressable implementation specification that says healthcare providers and business associates should encrypt PHI "whenever deemed appropriate," he notes.
The 2013 HIPAA Omnibus Rule says providers can communicate with patients using unencrypted email if they follow a three-step process, according to Hales.
"That starts with the duty to inform the patient about the risk that unencrypted email could be read by someone else. Second, providers need to follow the patient's preference. So if they prefer unencrypted email, they have the right to do so. The third step is to document this."
In this interview, Hales also discusses:
- Why the Supreme Court ruled against Duguid in his dispute against Facebook;
- Why the TCPA matters to healthcare sector entities in their compliance with HIPAA requirements;
- Issues involving identifiable patient information in text messages.
Hales, a health information and privacy attorney, is principal at Hales Law Group. He's also a principal health information consultant with ET&C Group LLC, an international HIPAA compliance consultancy.