The Privacy Lawyer: HIPAA: Who Can You Trust? - InformationWeek
04:18 PM

The Privacy Lawyer: HIPAA: Who Can You Trust?

Exceptions under HIPAA regulations leave a door open for marketing using individual's personal information.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets standards for health-information privacy and security and for the electronic exchange of health information. Physicians and pharmacies, as well as other health-care providers and facilities, all must follow the law to protect prescription information and medical treatments as private patient health information.

But HIPAA is one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. HIPAA rules have been amended several times over the course of its development and each amendment has created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, health care, and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.

The HIPAA marketing rules were modified in the final Privacy Rule, making them slightly more comprehensible. (The entire Privacy Rule can be found here.)

But the holes in the marketing restrictions are big enough to drive an entire health-care marketing industry through. Under HIPAA's current rules, marketing is defined as making "a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient), it generally requires the patient's prior written authorization.

Because of the strict requirement of obtaining the patient's prior written authorization, exceptions to the definition of marketing are crucial to marketers. As a result, "marketing" expressly excludes several very broad categories of communications, considered to be "communications that enhance the individual's access to quality health care." The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care, and new or alternative therapies or services.

The three key exceptions to the definition of marketing include:

  • The case management or care coordination exception, which covers information provided to individual patients for furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health-care providers or care facilities;
  • The health-related or value-adding exception, which covers information about entities participating in, services provided, and benefits covered by a provider network or health plan, which also includes replacements to and enhancements of coverage under the plan but doesn't include communications of discounts or other items which are available to the general public; and
  • The communications that "promote health in a general manner" exception, which covers newsletters and other general-circulation information promoting health, as long as they don't endorse a specific product or service.
  • If communications qualify under one of the exceptions, these activities may be conducted either by an entity regulated by HIPAA--a pharmacy, doctor, etc.--or via a business associate, which requires a confidentiality agreement.

    1 of 2
    Comment  | 
    Print  | 
    More Insights
    Newest First  |  Oldest First  |  Threaded View
    How Enterprises Are Attacking the IT Security Enterprise
    How Enterprises Are Attacking the IT Security Enterprise
    To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
    Register for InformationWeek Newsletters
    White Papers
    Current Issue
    2017 State of IT Report
    In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
    Twitter Feed
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
    Flash Poll