[Med-privacy] "The Privacy Lawyer: HIPAA: Who Can You Trust?"
pmarshall
pwm@comcast.net
Tue, 05 Oct 2004 11:27:51 -0700
http://www.informationweek.com/shared/printableArticleSrc.jhtml?articleID=47902848
<html>
<head>
<title>The Privacy Lawyer: HIPAA: Who Can You Trust?</title>
</head>
<body bgcolor="#ffffff" onload="javascript:parent.mainFrame.focus();">
<p>
<font size="5">The Privacy Lawyer: HIPAA: Who Can You Trust?</font>
<p>
<font size="4">Exceptions under HIPAA regulations leave a door open for marketing using individuals' personal information.</font><br>
<p>
<font size="2" face="geneva,arial,helvetica">By Parry Aftab, <a href="http://www.informationweek.com" target="_blank">InformationWeek</a>
<br>
Oct. 4, 2004
<br>
URL: <a href="/story/showArticle.jhtml?articleID=47902848">http://www.informationweek.com/story/showArticle.jhtml?articleID=47902848</a><br><br>
</font>
<P>
<!-- ARTICLE BODY -->
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets standards for health-information privacy and security and for the electronic exchange of health information. Physicians and pharmacies, as well as other health-care providers and facilities, all must follow the law to protect prescription information and medical treatments as private patient health information.
<P>
But HIPAA is one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. HIPAA rules have been amended several times over the course of its development and each amendment has created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, health care, and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.
<P>
The HIPAA marketing rules were modified in the final Privacy Rule, making them slightly more comprehensible. (The entire Privacy Rule can be found <a href="http://www.hhs.gov/ocr/hipaa/privruletxt.txt" TARGET="_blank">here</a>.)
<P>
But the holes in the marketing restrictions are big enough to drive an entire health-care marketing industry through. Under HIPAA's current rules, marketing is defined as making "a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient), it generally requires the patient's prior written authorization.
<P>
Because of the strict requirement of obtaining the patient's prior written authorization, exceptions to the definition of marketing are crucial to marketers. As a result, "marketing" expressly excludes several very broad categories of communications, considered to be "communications that enhance the individual's access to quality health care." The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care, and new or alternative therapies or services.
<P>
The three key exceptions to the definition of marketing include:
<P>
<li>The case management or care coordination exception, which covers information provided to individual patients for furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health-care providers or care facilities;</li>
<P>
<li>The health-related or value-adding exception, which covers information about entities participating in, services provided, and benefits covered by a provider network or health plan, which also includes replacements to and enhancements of coverage under the plan but doesn't include communications of discounts or other items which are available to the general public; and</li>
<P>
<li>The communications that "promote health in a general manner" exception, which covers newsletters and other general-circulation information promoting health, as long as they don't endorse a specific product or service.</li>
<P>
If communications qualify under one of the exceptions, these activities may be conducted either by an entity regulated by HIPAA--a pharmacy, doctor, etc.--or via a business associate, which requires a confidentiality agreement.
<P>
But maintaining privacy gets tricky when there's an arrangement between a regulated entity and any other entity when personal patient health information is disclosed in exchange for direct or indirect remuneration. If an entity covered under HIPAA pays a business associate to conduct marketing, and that associate isn't encouraging the patient to use or purchase its own products, the communication isn't considered marketing and doesn't require the patient's authorization. A health-care provider, for example, can mine data (directly or through a "business associate") looking for all patients on high-blood-pressure medication, and accept payment by a drug manufacturer or similar product- or service-provider to market that organization's product or service to patients through a third-party business associate. While personal data is never in the possession of the product or service provider, they can still reach targeted patients with their messages.
<P>
The Department of Health and Human Services has a list of frequently asked questions about HIPAA. Its question "Can a doctor or pharmacy be paid to make a prescription-refill reminder without a prior authorization under the HIPAA Privacy Rule?" discloses that a pharmacist or a physician may be paid by a drug company to recommend alternative treatments, and may use a third-party "business associate" to send prescription reminders or the alternative treatment recommendations on their behalf. (See this Health and Human Services <a href="http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_adp.php?p_sid=nXx*q7mh&p_lva=&p_faqid=285&p_created=1040405601&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTEwJnBfc2VhcmNoX3RleHQ9cGhhcm1hY2llcyZwX2NhdF9sdmwxPX5hbnl_JnBfY2F0X2x2bDI9fmFueX4mcF9wYWdlPTE*&p_li=" TARGET="_blank">link</a>.)
<P>
When it comes to HIPAA, the devil is in the details. Getting as close to the marketing line as possible without going over it can mean big savings to marketers. If the communication is deemed to be "marketing" under HIPAA, the patient's written authorization must be obtained and must contain specifics of the kind of marketing proposed as well as a disclosure of any remuneration directly or indirectly accruing to the covered entity. That means no blanket authorizations can be collected from the patient. This makes the process costly and time-consuming. It also makes it less effective for the marketer.
<P>
But failing to respect the patient and their health information can be even more costly. HIPAA recognizes this when it advises, although it doesn't require, the covered entity to disclose all remuneration arrangements. And if patients believe that their trusted health-care provider is selling their personal health information to others, the provider won't be trusted for long. While defining the exceptions narrowly may be more costly in the short run, it may be far less costly from a customer relationship perspective in the long run.
<P>
The entire text of HIPAA regulations can be found <a href="http://www.hhs.gov/ocr/combinedregtext.pdf" TARGET="_blank">here</a>.
<P>
<I>Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of <A HREF="http://www.wiredsafety.org" TARGET="_blank">WiredSafety</A>. She hosts the Web site aftab.com and blogs regularly at <A HREF="http://theprivacylawyer.blogspot.com" TARGET="_blank">theprivacylawyer.blogspot.com</A>.</I>
<P>
<CENTER>Continue to the sidebars:<BR>
<B>"<A HREF="http://www.informationweek.com/story/showArticle.jhtml?articleID=47902854">States' Perspective On Health-Care Privacy</A>"<br /><br />
"<a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=47902851">What Does The HIPAA 'Marketing' Provision Mean To Consumers?</a>"</B></CENTER>
<!-- /ARTICLE BODY -->
<P>
<P>
<FONT SIZE="1" face="geneva,ms sans serif,helvetica">Copyright © 2003 <A HREF="http://www.cmpnet.com">CMP Media LLC</A></FONT>
</BODY>
</HTML>