HIPAA: healthcare privacy and marketing
When is Marketing Not “Marketing?”
HIPAA (the Health Insurance Portability and Accountability Act of 1996, pronounced “hippa”) is a federal law which sets standards for health information privacy and security and for the exchange of electronic health information data. It is also one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. It expressly covers physicians and pharmacies, as well as other health care providers and facilities. And prescription information and medical treatments are protected as private patient health information.
When HIPAA was first adopted it provided that Congress should set HIPAA rules within three years of its enactment. When Congress failed to act within that time, the Secretary of Health and Human Services became obligated to create the rules under HIPAA. The rules were amended several times over the years and each amendment created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, healthcare and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.
The HIPAA marketing rules were modified in the final Privacy Rule, making them slightly more comprehensible. (The entire Privacy Rule can be found at http://www.hhs.gov/ocr/hipaa/privruletxt.txt.) But the holes in the marketing restrictions are big enough to drive an entire healthcare marketing industry through.
Under HIPAA’s current rules “marketing” is defined as "mak[ing] a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient) it generally requires the patient’s prior written authorization.
Because of the strict requirements of obtaining the patient’s prior written authorization, exceptions to the definition of “marketing” are crucial to marketers. As a result, “marketing” expressly excludes several very broad categories of communications. The key to understanding these exceptions is identifying “communications that enhance the individual's access to quality health care.” The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care and new or alternative therapies or services.
The three key exceptions to the definition of “marketing” include:
· the “case management” or “care coordination” exception which covers information provided to individual patients for the purpose of furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health care providers or care facilities;
· the “health-related” or “value adding” exception which covers information about entities participating in, services provided and benefits covered by a provider network or health plan (which also includes replacements to and enhancements of coverage under the plan but does not include communications of discounts or other items which are available to the general public); and
· the communications that “promote health in a general manner” exception which covers newsletters and other general circulation information promoting health, as long as they do not endorse a specific product or service.
If the communications qualify under one of the exceptions, these activities may be conducted either by the covered entity itself or via a “business associate” (which requires that a confidentiality agreement be entered into).
It gets tricky when there is an arrangement between a covered entity and any other entity in which personal patient health information is disclosed in exchange for direct or indirect remuneration. Even if remuneration is paid, if a “business associate” is used and is not encouraging the patient to use or purchase its own products, the communication is not “marketing” and does not require the patient’s authorization. But HIPAA does not permit the covered entity to disclose the patient’s personal health information to the company whose products or services are being promoted if remuneration is received.
The trick is to use a third-party direct marketing intermediary as the “business associate.” The healthcare provider mines the data (directly or through a “business associate”), and is paid by the drug manufacturer or similar product or service provider to market their products or services to the patients themselves through the “business associate.” While the data is never in the product or service marketers’ possession or control, they can reach these targeted patients with their messages anyway.
The Department of Health and Human Services has a frequently asked questions section about HIPAA. Its question “Can a doctor or pharmacy be paid to make a prescription refill reminder without a prior authorization under the HIPAA Privacy Rule?” discloses that a pharmacist or a physician may be paid by a drug company to recommend alternative treatments, and may use a third party “business associate” to send prescription reminders or the alternative treatment recommendations on their behalf.
When it comes to HIPAA, the devil is in the details. And complying with the details can be arduous and expensive. So getting as close to the “marketing” line as possible without going over it can mean big savings to marketers. If the communication is deemed to be “marketing” under HIPAA, the patient’s written authorization must be obtained and must contain specifics of the kind of marketing proposed as well as a disclosure of any remuneration directly or indirectly accruing to the covered entity. That means no blanket authorizations can be collected from the patient. This makes the process very costly and time-consuming. It also makes it less effective for the marketer.
But failing to respect the patient and their health information can be even more costly. HIPAA recognizes this when it advises, although it does not require, the covered entity to disclose all remuneration arrangements. And if patients believe that their trusted healthcare provider is selling their personal health information to others, that provider will not be trusted for long. While defining the exceptions narrowly may be more costly in the short run, it may be far less costly from a customer relationship perspective in the long run.
The entire text of HIPAA regulations can be found at http://www.hhs.gov/ocr/combinedregtext.pdf