Exceptions under HIPAA regulations leave a door open for marketing using individuals' personal information.
But maintaining privacy gets tricky when a regulated entity enters into an arrangement with any other entity under which personal patient health information is disclosed in exchange for direct or indirect remuneration. If an entity covered under HIPAA pays a business associate to conduct marketing, and that associate isn't encouraging the patient to use or purchase its own products, the communication isn't considered marketing and doesn't require the patient's authorization. A health-care provider, for example, can mine data (directly or through a "business associate") looking for all patients on high-blood-pressure medication, and accept payment from a drug manufacturer or similar product or service provider to market that organization's product or service to those patients through a third-party business associate. While the personal data is never in the possession of the product or service provider, it can still reach targeted patients with its messages.
The Department of Health and Human Services has a list of frequently asked questions about HIPAA. Its question "Can a doctor or pharmacy be paid to make a prescription-refill reminder without a prior authorization under the HIPAA Privacy Rule?" discloses that a pharmacist or a physician may be paid by a drug company to recommend alternative treatments, and may use a third-party "business associate" to send prescription reminders or the alternative treatment recommendations on their behalf. (See this Health and Human Services link.)
When it comes to HIPAA, the devil is in the details. Getting as close to the marketing line as possible without going over it can mean big savings to marketers. If the communication is deemed to be "marketing" under HIPAA, the patient's written authorization must be obtained and must contain specifics of the kind of marketing proposed as well as a disclosure of any remuneration directly or indirectly accruing to the covered entity. That means no blanket authorizations can be collected from the patient. This makes the process costly and time-consuming. It also makes it less effective for the marketer.
But failing to respect the patient and their health information can be even more costly. HIPAA recognizes this when it advises, although it doesn't require, the covered entity to disclose all remuneration arrangements. And if patients believe that their trusted health-care provider is selling their personal health information to others, the provider won't be trusted for long. While defining the exceptions narrowly may be more costly in the short run, it may be far less costly from a customer relationship perspective in the long run.
The entire text of HIPAA regulations can be found here.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She hosts the Web site aftab.com and blogs regularly at theprivacylawyer.blogspot.com.