[Med-privacy] marketing rules
pmarshall
pwm@comcast.net
Thu, 04 Nov 2004 11:26:50 -0800
The Privacy Lawyer: HIPAA: Who Can You Trust?
Exceptions under HIPAA regulations leave a door open for marketing using
individuals' personal information.
By Parry Aftab, InformationWeek
Oct. 4, 2004
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=47902848
HIPAA, the Health Insurance Portability and Accountability Act of 1996,
is a federal law that sets standards for health-information privacy and
security and for the electronic exchange of health information.
Physicians and pharmacies, as well as other health-care providers and
facilities, all must follow the law to protect prescription information
and medical treatments as private patient health information.
But HIPAA is one of the most confusing of all privacy laws and, when
marketing issues are involved, one of the most controversial and
complicated. HIPAA rules have been amended several times over the course
of its development and each amendment has created new controversies.
Hundreds of pages of commentary resulted in thousands of pages of
comments and concerns from advocacy groups, as well as security, health
care, and privacy professionals. These concerns were addressed in some
respects when the final HIPAA Privacy Rule became effective in April 2003.
The HIPAA marketing rules were modified in the final Privacy Rule,
making them slightly more comprehensible. (The entire Privacy Rule can
be found here <http://www.hhs.gov/ocr/hipaa/privruletxt.txt>.)
But the holes in the marketing restrictions are big enough to drive an
entire health-care marketing industry through. Under HIPAA's current
rules, marketing is defined as making "a communication about a product
or service that encourages the recipients of the communication to
purchase or use the product or service." If the marketing uses protected
health information (personally identifiable to the patient), it
generally requires the patient's prior written authorization.
Because of the strict requirement of obtaining the patient's prior
written authorization, exceptions to the definition of marketing are
crucial to marketers. As a result, "marketing" expressly excludes
several very broad categories of communications, considered to be
"communications that enhance the individual's access to quality health
care." The broadest exceptions relate to information about or
recommendations of treatment, case management, coordination of care, and
new or alternative therapies or services.
The three key exceptions to the definition of marketing include:
1. The case management or care coordination exception, which covers
information provided to individual patients for furthering or managing
the treatment of an individual, such as directing or recommending
alternative treatments, therapies, health-care providers or care facilities;
2. The health-related or value-adding exception, which covers information
about entities participating in, services provided, and benefits covered
by a provider network or health plan, which also includes replacements
to and enhancements of coverage under the plan but doesn't include
communications of discounts or other items which are available to the
general public; and
3. The communications that "promote health in a general manner" exception,
which covers newsletters and other general-circulation information
promoting health, as long as they don't endorse a specific product or
service.
If communications qualify under one of the exceptions, these activities
may be conducted either by an entity regulated by HIPAA--a pharmacy,
doctor, etc.--or via a business associate, which requires a
confidentiality agreement. But maintaining privacy gets tricky when
there's an arrangement between a regulated entity and any other entity
when personal patient health information is disclosed in exchange for
direct or indirect remuneration. If an entity covered under HIPAA pays a
business associate to conduct marketing, and that associate isn't
encouraging the patient to use or purchase its own products, the
communication isn't considered marketing and doesn't require the
patient's authorization. A health-care provider, for example, can mine
data (directly or through a "business associate") looking for all
patients on high-blood-pressure medication, and accept payment by a drug
manufacturer or similar product- or service-provider to market that
organization's product or service to patients through a third-party
business associate. While personal data is never in the possession of
the product or service provider, they can still reach targeted patients
with their messages.
The Department of Health and Human Services has a list of frequently
asked questions about HIPAA. Its question "Can a doctor or pharmacy be
paid to make a prescription-refill reminder without a prior
authorization under the HIPAA Privacy Rule?" discloses that a pharmacist
or a physician may be paid by a drug company to recommend alternative
treatments, and may use a third-party "business associate" to send
prescription reminders or the alternative treatment recommendations on
their behalf. (See this Health and Human Services link
<http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_adp.php?p_sid=nXx*q7mh&p_lva=&p_faqid=285&p_created=1040405601&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTEwJnBfc2VhcmNoX3RleHQ9cGhhcm1hY2llcyZwX2NhdF9sdmwxPX5hbnl_JnBfY2F0X2x2bDI9fmFueX4mcF9wYWdlPTE*&p_li=>.)
When it comes to HIPAA, the devil is in the details. Getting as close to
the marketing line as possible without going over it can mean big
savings to marketers. If the communication is deemed to be "marketing"
under HIPAA, the patient's written authorization must be obtained and
must contain specifics of the kind of marketing proposed as well as a
disclosure of any remuneration directly or indirectly accruing to the
covered entity. That means no blanket authorizations can be collected
from the patient. This makes the process costly and time-consuming. It
also makes it less effective for the marketer.
But failing to respect the patient and their health information can be
even more costly. HIPAA recognizes this when it advises, although it
doesn't require, the covered entity to disclose all remuneration
arrangements. And if patients believe that their trusted health-care
provider is selling their personal health information to others, the
provider won't be trusted for long. While defining the exceptions
narrowly may be more costly in the short run, it may be far less costly
from a customer relationship perspective in the long run.
The entire text of HIPAA regulations can be found here
<http://www.hhs.gov/ocr/combinedregtext.pdf>.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and
security law, and she's also executive director of WiredSafety
<http://www.wiredsafety.org>. She hosts the Web site aftab.com and blogs
regularly at theprivacylawyer.blogspot.com
<http://theprivacylawyer.blogspot.com>.
Continue to the sidebars:
"States' Perspective On Health-Care Privacy
<http://www.informationweek.com/story/showArticle.jhtml?articleID=47902854>"
"What Does The HIPAA 'Marketing' Provision Mean To Consumers?
<http://www.informationweek.com/story/showArticle.jhtml?articleID=47902851>"