The Privacy Lawyer: HIPAA: Who Can You Trust? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

04:18 PM

The Privacy Lawyer: HIPAA: Who Can You Trust?

Exceptions under HIPAA regulations leave a door open for marketing using individual's personal information.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets standards for health-information privacy and security and for the electronic exchange of health information. Physicians and pharmacies, as well as other health-care providers and facilities, all must follow the law to protect prescription information and medical treatments as private patient health information.

But HIPAA is one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. HIPAA rules have been amended several times over the course of its development and each amendment has created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, health care, and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.

The HIPAA marketing rules were modified in the final Privacy Rule, making them slightly more comprehensible. (The entire Privacy Rule can be found here.)

But the holes in the marketing restrictions are big enough to drive an entire health-care marketing industry through. Under HIPAA's current rules, marketing is defined as making "a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient), it generally requires the patient's prior written authorization.

Because of the strict requirement of obtaining the patient's prior written authorization, exceptions to the definition of marketing are crucial to marketers. As a result, "marketing" expressly excludes several very broad categories of communications, considered to be "communications that enhance the individual's access to quality health care." The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care, and new or alternative therapies or services.

The three key exceptions to the definition of marketing include:

  • The case management or care coordination exception, which covers information provided to individual patients for furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health-care providers or care facilities;
  • The health-related or value-adding exception, which covers information about entities participating in, services provided, and benefits covered by a provider network or health plan, which also includes replacements to and enhancements of coverage under the plan but doesn't include communications of discounts or other items which are available to the general public; and
  • The communications that "promote health in a general manner" exception, which covers newsletters and other general-circulation information promoting health, as long as they don't endorse a specific product or service.
  • If communications qualify under one of the exceptions, these activities may be conducted either by an entity regulated by HIPAA--a pharmacy, doctor, etc.--or via a business associate, which requires a confidentiality agreement.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    1 of 2
    Comment  | 
    Print  | 
    More Insights
    State of the Cloud
    State of the Cloud
    Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
    Augmented Analytics Drives Next Wave of AI, Machine Learning, BI
    Jessica Davis, Senior Editor, Enterprise Apps,  3/19/2020
    How Startup Innovation Can Help Enterprises Face COVID-19
    Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
    Enterprise Guide to Robotic Process Automation
    Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
    Register for InformationWeek Newsletters
    Current Issue
    IT Careers: Tech Drives Constant Change
    Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
    White Papers
    Twitter Feed
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
    Sponsored Video
    Flash Poll