Legal

Compliance and Patient Communications

Email, Postcards and Letters: Health care providers are permitted to communicate with their patients electronically (including email), as long as reasonable precautions and safeguards are taken to limit unintentional disclosure [45 C.F.R § 164.530(c)]. MedEx utilizes the patient contact information your practice management software provides - please ensure you have your patients' correct contact information on file.

Phone Calls and Answering Machine Messages: A Covered Entity or a Business Associate may leave a message on an answering machine, with a family member, or with another person who answers the phone when the patient is not home, so long as a reasonable precaution is taken to limit the amount of information disclosed in such a non-personal interaction [45 C.F.R § 164.510(b)(3)]. MedEx provides a reminder message without going into the details of the "why". MedEx does not provide any treatment-specific information in these calls.


Physical and Technical Compliance

We are committed to privacy. Our name reflects this commitment - we employ the same internet encryption protocols required of financial institutions. Our "bank" doesn't hold your money, but something we consider equally valuable - your patients' protected health information (PHI).

The PHI data shared with MedEx is limited to demographic data, individual messaging preference data and calendar/scheduling data. This information is compiled by the subscriber's practice management software and delivered over an encrypted Internet connection to MedEx's secure, HIPAA-, HITECH- and PCI-compliant ecosystem, where all data operations are performed. Access to the MedEx ecosystem by end users is only permitted using SSL and other advanced encryption protocols from predetermined IP addresses. Regular HIPAA audits and HIPAA compliance experts on staff ensure your data are closely managed and compliant. Our servers are constantly monitored for any threat to the MedEx ecosystem and your patients' PHI. MedEx communicates message responses back to subscribers using the same secure encryption protocols via our IP-address-restricted API. The association of MedEx messages with a given patient's PHI, and of that patient's responses with MedEx messages, is only available from within the subscriber's practice management software. The public-facing web servers at MedExBank.com also employ 2048-bit encryption/SSL, but only display messaging templates and subscription information for a registered practice.

MedEx does not retrieve, store or process your financial data. Payment details, including credit card information, are not stored in the MedEx ecosystem but are directly processed by our third-party, PCI-compliant vendor, PayPal. PayPal reports to MedEx when a payment has been successfully completed. MedEx records this and flags the subscription as active.


TCPA and Consent

The Telephone Consumer Protection Act rules protect consumers from telemarketing messages. Appointment confirmations, treatment plan notifications and other types of messaging are deemed by the FCC to be "health care messaging" or "informational messaging". These types of messages have been allowed since the new rules were implemented in 2013. In exempting this type of messaging, the FCC stated there is efficient and thorough oversight in HIPAA so as to "already safeguard consumer privacy" and that it did not "need to subject these calls to its consent, identification, opt-out, and abandoned call rules" (77 FR 34240).

We require your office to obtain consent from your patients for each type of messaging we will provide. Practice management software often includes this feature as part of the standard demographic forms. Some offices include a blanket statement in their HIPAA/Privacy policies to patients. No matter what decision a patient makes regarding communication preferences, they can change their mind at any time. Throughout the process of messaging your patients, MedEx is committed to honoring any patient opt-out request. Each SMS, email and automated phone message includes an option for the patient to opt out of receiving that type of notification. We deliver these replies/opt-out requests through our secure API connection to your practice management software and update the patient's new preferences automatically.