New HIPAA Rules Affect Healthcare Marketers
By Donna Loyle
New federal regulations will impact the marketing practices of healthcare organizations such as health insurers, hospitals, pharmaceutical companies, pharmacies and others.
Final modifications to the Health Insurance Portability and Accountability Act (HIPAA), released in August and taking effect April 14, 2003, further limit the use of patients' personal health information (PHI) in promotional campaigns. PHI includes, among other data, a patient's name, address, diagnosis, tests undergone and test results.
Beginning in April, covered entities—which include healthcare providers, health plans and healthcare clearinghouses—must obtain a patient's prior written authorization to use the consumer's PHI for marketing purposes.
"The final HIPAA regulations state that there can be no third-party marketing without written authorization from patients regarding their PHI," says Helen Mac Murray, an attorney who heads the national regulatory practice unit of the Ohio-based Kegler, Brown, Hill and Ritter law firm.
One of the exceptions to the prior authorization rule, she notes, is a communication, including a mailing, in which a gift of nominal value (e.g., a notepad or pen) is offered.
List Sales Prohibited
The final rule also prohibits healthcare marketers from selling lists of patients and enrollees to third parties such as list brokers, or from disclosing PHI to a third party for marketing purposes, without patients' prior written consent.
For example, hospitals no longer will be permitted to sell patients' PHI to list brokers without the patients' consent. "If a hospital makes a significant amount of money selling such information," says Mac Murray, "it would be wise to have patients sign a consent form ahead of time."
Under the new rules, doctors, health plans and other covered entities are permitted, however, to communicate with patients about treatment options or their own health-related products and services.
For instance, health plans can inform patients of additional plan coverage and value-added items and services, such as available discounts for prescription drugs or eyeglasses.
The new rules make one point very clear: Healthcare organizations no longer can use business associate agreements to circumvent the law's marketing prohibition. For example, pharmacies no longer can sell PHI to a business that wants to market its products under a business associate agreement with that pharmacy.
The news wasn't all gloomy for healthcare businesses, however. The hybrid entity clause allows covered entities to designate only certain components of their business as subject to HIPAA compliance.
"By declaring your company a hybrid entity," says Mac Murray, "you can carve out or create a healthcare component in which you may limit where HIPAA applies within your organization. However, you must put in safeguards for those areas that cross over, such as accounting and legal services, to ensure you remain HIPAA-compliant when necessary."
One more new rule: If yours is a covered entity, you must have a privacy officer. "You can give that person additional duties," Mac Murray says, "but you must designate one person in your company to be in charge of HIPAA compliance."