Subscribe with Bloglines The Privacy Lawyer: 10/01/2004 - 11/01/2004

Sunday, October 31, 2004

The underlying story of a cyberstalking....this is the case where he merely got probation!

It started in 1998 with e-mail from someone claiming to be an old friend. This e-mail launched a reign of terror that lasted 5 years and left a bright, energetic and capable woman feeling powerless and alone. The barrage of e-mails numbered in the hundreds, with many including pornographic images and sexually-explicit language. “J” was a victim of Cyberstalking. She is also a municipal employee, which made it much easier for her to be cyberstalked.

Her stalker's "MO" was specific. She would get an email from a stranger claiming to know her. The e-mail would include references to personal details of her life to prove that they were associated. These details included her real name, address, phone number, employer, and even who held her mortgage. Typically for a cyberstalker, when she didn’t respond the tone would become hostile and abusive.

But the cyberstalking wasn’t limited to e-mail. Her stalker would go into chatrooms at night posing as her and engaging in cybersex. Then he would solicit offline contact with other men (still pretending to be “J”), giving out her name and phone number.

He escalated the campaign when he posted a message on an adult message board, pretending to be “J” asking men to call her at work to arrange for sexual encounters. (This is a common tactic, when the stalker enlists the help of others without their knowledge. It’s called “Third Party Stalking.”) Instead of receiving one call from one man, she was now receiving many calls from many men. The posting had the effect of putting her number on the world’s biggest men’s room wall. Most of “J’s” cyberstalking occurred in the workplace. And, to up the ante, he began to get her co-workers involved, by sending them sexually explicit images and messages while posing as “J” .

The most discouraging part for “J” and most cyberstalking victims is that they can’t make it stop. She also was frustrated when no one else could help her make it stop, either. She didn’t know where to turn. Unfortunately, she hadn’t found WiredSafety’s Net Patrol team. My online safety organization, has a special team to handle Cyberstalking reports (without charge). It is the largest Cyberstalking help team in the world, assisting more than 1000 victims of Cyberstalking each month through our comprehensive information, education and help services. Reader’s Digest wrote about our work in “Angels Online” when we were known by the name “Cyberangels.” (Since someone else has now started to use that name online, it makes it harder for victims to find us when we changed our name to Many still visit the old site, looking for our help and aren’t aware that they are dealing with another group.)

As is usually the case, law enforcement wouldn’t get involved as cyberstalking laws are new and often misunderstood. (Our division tries to help in this area as well, and works directly with law enforcement agencies when they need training and assistance in handling cyberstalking cases.) Even when the laws are understood and law enforcement knows how to conduct a cyberforensics investigation, cyberstalking is often only a misdemeanor with fines under $1000 and only optional jailtime.

“J” had been told that no laws had been broken. And in 1998, this was true. The first Cyberstalking law was adopted in California in 1998. It took these six years before most of the states have adopted Cyberstalking laws, or adapted their existing stalking legislation to accommodate online attacks.

While many workplace Cyberstalking cases involve similar risks, there are special risks “J” faced as a municipal employee which made her a much easier target. And understanding those risks will help all government employers, IT experts and employees protect themselves and others in their workplace.

As she so eloquently explains, “The problem with being a government servant is that by the very nature of the job, you must be visible. This is especially true for me. I am a public relations specialist for [a municipality]. I must be visible within the community. People must know my name, and must be able to contact me in order for me to effectively perform my job.” Many governmental agencies also use a predictable e-mail format, that includes the employee’s name, such as, or, etc. And many names and related contact information are searchable on the agency’s home page directory. These, when combined, make governmental employees much easier to target.

“J” doesn’t blame her employer (whose IT head has been very helpful in her case), but believes that all governmental employers have a higher level of responsibility to protect their employees from harassment. “If you're going to put your employees in the public eye and ask them to make themselves available to the community, governments must recognize this special burden and put policies in place that protect those who work for them.”

If you are a vitcim of cyberstalking, visit and report it. One of their trained volunteers will help you.

Sadly, once again a judge doesn't understand the seriousness of cyberstalking!-komo 4 news | Man Gets Probation For Stalking Seattle Woman Online

komo 4 news | Man Gets Probation For Stalking Seattle Woman Online The story of Joelle is long and sad. But it is even sadder that she can't get justice from the courts. This man deserves to be in jail. Instead, he walks away free. Something has to change!

The Privacy Lawyer: Cybercrimes, identity theft and phishing...Oh! My!!

The Privacy Lawyer: Cybercrimes, identity theft and phishing...Oh! My!!Information about how piracy is used to lure people into sharing their financial information online to be stolen by cybercrooks and identity thieves. Give the recent busts of the US Secret Service, this is a good reminder.

Focus on Diversity: Blind & visually impaired tech pros see the way

Focus on Diversity: Blind & visually impaired tech pros see the wayA great piece about people with physical challenges and how they don't let them get in the way. It features one of our advisory board members for our accessibility issues, Michael Burks.

Thursday, October 28, 2004

US Secret Service announces major identity theft ring arrests....ShadowCrew

ShadowCrewAnd take over their website with announcements of the bust. :-)
Few appreciate how much the USSS does to help protect us from high tech crimes. Congrats! Another down, more to go!


RFID and US Passport controversy -RFID Journal - RFID Solution Secures Passports

RFID Journal - RFID Solution Secures Passports: How wide a range could a passport RFID be read? According to this article: "The IFI chips operate at 13.56 MHz, have a read range of 0 to 4 inches (0 to 10 cm) and conform to the ICAO 9303, ISO 144443 and ISO 7816-4 standards, says Inside's Vian."

RFID and US Passport controversy-U.S. State Dept. to test RFID-enabled passports

U.S. State Dept. to test RFID-enabled passportsDave (n May) said that the RFID is designed to hold our image. He also states that the data will of course be encrypted. Stabd by for more....

RFID and US Passport controversy: Buzzworthy: RFID in passports Buzzworthy: RFID in passportsOne more

RFID and US Passport controversy- Schneier on Security: RFID Passports

Schneier on Security: RFID PassportsAnother blog on my way to understanding the issues.

The RFID Passport Controversy - The RFID Weblog - "Implementation and Application of RFID technology "

The RFID Weblog - "Implementation and Application of RFID technology " One of my readers brought the issue of RFID being enbedded in US passports to my attention. As I look into the issue and try to sort the real from the bogus, I thought I would post the places I looked.

Wired News: American Passports to Get Chipped

Wired News: American Passports to Get ChippedHow real is the risks of your personal information being grabbed by identity thieves through the RFID addition to US passports? I'd like ot learn more about this. one of my readers referred this to me.
e-mail me directly at if you have more information.

Tuesday, October 26, 2004

InformationWeek > E-Mail > The Privacy Lawyer: The Checklist For Cybercommunications > October 25, 2004

InformationWeek > E-Mail > The Privacy Lawyer: The Checklist For Cybercommunications > October 25, 2004How to avoid problems by thinking before clicking "send."

Thursday, October 21, 2004

iMediaConnection: What a Teen Consumer Wants

iMediaConnection: What a Teen Consumer WantsI chaired a panel at IAPP's SF meeting in June, 2004. I brought a group of my elite teenangels ( with me and the results of a poll we had taken about teens and online marketing and trust. Alan Chapell wrote a recent article about their thinking and the thinking of other teens he had encountered on marketing.
Good reading and smart thinking for marketers.

Monday, October 18, 2004

11th Circuit decision on child porn possession and interstate commerce

The 11th Circuit sadly concluded that the conviction of a convicted child pornography possessor had to be overturned. He was found to have more than 140 images of child pornography on a CD. But becasue they could not be traced to actual Internet download, the court of appeals determined that the appropriate test for interstate commerce (and therefore, federal action) had not been met.

When the Internet is implicated, the requisite test is satisfied.

Unfortunately, if other courts of appeal follow this decision, and at least for the duration in the 11th Circuit, if someone trades in child pornography and keeps the images on a CD, rather than on his computer's hard drive, and manages to either remove traces of the downloads from his computer hard drive or transfers them from another computer with Internet access, federal child pornography charges cannot be brought.

Luckily, most states outlaw child pornography possession. Until this decision is reviewed by the U.S. Supremem Court (assuming an appeal is sought), prosecutors may be better off charging the perpetrators with violation of federal and state laws.

I do not yet know if this particular man can be charged with state child pornography possession claims, or whether he walks free.

it's not always easy working within a constitutional system when you want to put the bad guys in jail and throw away the key.

As I frequently lecture others, we should find ways to get the results we need within the parameters of the constitution. we can usually do that. Monday morning quarter-backing is easy. But we need ot make sure that we have covered all bases when these criminals are charged so they don't walk away on a technicality.

the court expressed that it was saddened to reach this decision.


Monday, October 11, 2004

Sometimes you just need to get away...Parry's Blog about a great country inn in England, Lygon Arms

Parry's Blog

Thursday, October 07, 2004

Blogs,...and the good old days.

Although I am considered by some as one of the early Internet policy experts and an early adopted of the power of the Net to create and empower large groups of people (especially volunteers), I was actually very late to the Net. I only began using it in 1993, and started using AOL before I even knew the other technologies existed.

In 1994-5 I began running the legal discussions boards at AOL. I was an unpaid volunteer, but did it because as a board host, I received AOL without charge. (It cost by the minute then.)I had board editing tools, where I could add new discussion boards, delete and edit others' posts, pretty much do what I wanted. It was a blast. I could start a special discussion and promote others. I was able to leave my mark on what we were doing, and it worked. Our area became very popular, and eventually Court TV cam to me and asked me to replicate this for them, which is how the Court TV Law Center was formed. We were all unpaid volunteers and early pioneers of providing professional information to consumers without charge as a public and Internet service. It was why the net was born. People helping each other, sharing what they know and can was fun and exciting.

Then I became mainstream. The media started following our discussions and judges would cite to our posts in their decisions. The law journals were all over whatever we did. But the more mainstream I became, the more I lost touch with the fun part of the Internet, everyone else.

I began Internet safety volunteer groups and ran them entirely online. But posting was work, not fun. And I spent time online because I had to, not because I wanted to. Instead of devoting time to jokes and learning about others, I was fielding hundreds and sometimes thousands of daily e-mails from people who wanted my advice, wanted to share their thoughts with me, wanted my help.

I knew about blogs, which hearkened back to the good old days when I began using the Net and AOL. But dismissed them. "Who had time for blogging?" I wondered. Eugene Volokh, now well known in the blogging circles, was one of those who hung out together with me in lawyers-only networks. We would chat about law, love and policy. Movies, music and infidelity. Being able to discourse with so many bright and well-informed people (even if they all were lawyers :-)) was so much fun.

I couldn't get enough. When in Moscow, in my now former husband's inner office, I unplugged a red phone to the Kremlin to use the special phone access to reach Counsel Connect and send posts from there. I understand Yeltsin's staff got a busy signal one time, and I denied knowing why :-).

It's truly sad when I look at 1993 and see it as the good old days. But much as changed. Now, instead of posting on AOL, I am interviewed on the Today Show or by the New York Times or People Magazine. And my e-mail responses are as short as possible to conserve my typing energy. (Everyone who reads this blog knows I cannot type or spell :-))

After a conference in June, 2004 I decided it was time to start blogging. It didn't take long for my blog to get noticed. (It doesn't hurt that I am a columnist for :-)) it's all about sharing our thoughts and ideas and opinions.

I am starting to enjoy this. It brings me back to the good old days.

I still can't type, or spell, but I am having lots more fun while doing it. :-)


Wednesday, October 06, 2004 careful about throwing the baby out with the bathwater

Few online technologies push our outrage button as much as spyware does. I have used this term in many different ways over the years, starting with my condemnation of monitoring technologies as parental controls. Then as the technologies became better designed to allow advertisement targeting and delivery of pop-ups, my definition changed.

By then I was supporting the use of monitoring technologies in the workplace and, in some cases, in the home to help protect children. So the technologies I liked became "monitoring technologies" and the ones I didn't now became "spyware."

I condemned all "spyware" and complained about consents hidden deeply within the terms of use or download licensing text that none of us read. And everyone I spoke with agreed with me. The thought of this technology infuriated me.

I didn't care if it was a clear consent, or if it supported the services I was using for free because of this support. I hated the thought of it. And didn't think much past the visceral reaction of being "spied" upon.

I deleted all services using "spyware." These included sidestep and weatherbug. I didn't care if there was a tangible value to having a company know what I was searching for and provide me with convenient information. I was ruthless. I used several different spyware removal applications and even did some awareness messaging in the media on how to remove them. I used the googol toolbar to block pop-ups.

More than spam, this was the scourge of cyberspace.

And then, while searching for reduced airfares, tiring of clicking on the sites I use, one after another, I reloaded sidestep. I clicked on the one button and twenty different fare choices appeared. I promised myself I would delete it right away, but didn't. I meant to, but found that it was convenient. Not all the time, but enough to outweigh my concerns.

Then, as the weather started changing, I downloaded weatherbug. I got it with yahoo messenger, which I was testing, and let it remain, while I deleted all the other applications that came along with yahoo's IM. I meant to remove it, but having the temperature on my desktop (even though my office outside door is ten steps from my desk) was convenient.

The more I thought about it, the more clear the issue became. It was pop-ups that I objected to. And some "adware" (when I like it it becomes adware, rather than spyware, which I still reserve for the ones I can't stand) I understood to be reliable, and the companies behind them trustworthy.

And, as a privacy professional that writes about policy, protection and consumers, it took me until now to decide that not all "spyware, monitoring, adware" applications were bad. But if it took me these many years to get to this position, how does Congress or state legislatures stand a chance?

No one has bothered to educate the consumers about convenience and the benefits of some of these applications and the difference between the good guys and the bad guys. Instead we all react viscerally to the thought of being "spied on." and we associate all of these applications with porn and multi-level marketing schemes. Those I will call "Pornware" and can find no legitimate reason for their not being regulated differently.

let's be careful not to throw out this entire new technology with the pornware water. Let's educate the consumers about some of the benefits of push-technologies. Let's trust them to tell government what they want and what the object to.

Maybe self-regulatory guidelines, rather than hard legislation is the better approach. And if it's too late for that, we should look hard and deep at the issue. Convenience, child protection, workplace risk management are valid reasons and should have valid applications to do their job, without being lumped together with the porn marketing abuses of the world.

my 2 cents.

Australian Crimestoppers Sweep of Child Molester Suspects

Several years ago, a wonderful advertising agency in New Jersey came to me, asking how they can help us deliver the messages of safe and secure surfing. After sitting with me for awhile, they learned that the one issue nearest and dearest to my heart is that of online child exploitation.

I first began my work in the area of online safety after having seen an image of a 3-1/2 year old little girl being graphically raped. John Hynes and his partner Andy Korn decided that they would take up the challenge of building an awareness campaign around this subject. They donated all their time and out of pocket costs and convinced others to do the same. The result of this incredible team is the Behind Every Picture There's Pain" poster, which is being used with's permission by the Australian law enforcement groups as the core of their awareness campaign and the theme of this crackdown on cybercriminals.

Congratulations to the incredible men and women of Australian law enforcement and the people who helped us create this noderful message that will remind everyone that we are not only talking about images, we are talking about children's abuse.

Sunday, October 03, 2004

Privacy...What does it mean to you?

One of the first things you learn as a lawyer is that a "rose" may not always mean the same thing to everyone. "Privacy" is one of those words.

Several years ago, Microsoft held the first cybersecurity and privacy summit, inviting the top 100 experts from around the world to two days of discussions, policy-debate and playing with slinkies and playdough with other high-powered experts.

I was asked to pull together a powerpoint on the definitions of privacy, the language of privacy. I thought it was one of the easier tasks being delegated. Until I started pulling it together. As privacy lawyer and Internet security expert, I thought everyone understood the meaning of the familiar terms the same way. Until I started asking them.

One of the biggest problems we face as privacy professionals is that we hang out together too often. Maybe only online, or at conferences we are running or keynoting or when we are speaking at panels, but we tend to hang out together. And like all cliques, have our own private language that all insiders understand.

Toss in the security people, and you lose most privacy professionals. I was able to hold my own because of the unique work I do with cybercrime fighting and prevention as the head of a large charity, So, I could handle most translations for our group. Most, but not all.

As a consultant, workshop leader and lawyer, I am generally contacted these days to help create policy that complies with laws, rules and best practices. I am brought in after the company has decided what it needs. And, while i am happy to do that, the real problem is helping companies figure out what they need, and why. Figuring out how to deliver it is much easier.

I recently wrote an article about RFID for information week's new rfid website. I cautioned early adopters of this technology to figure out why they want or need it. The problems they face by adopting it must be outweighed by the benefits. And problems include customer perceptions, fears and opinions.

When I first heard about the Albertson's case brought by The Privacy Rights Clearinghouse (which I keep in high regard), my first reaction was shock. How dare a trusted pharmacy allow drug manufacturers to pay them to send out marketing in the pharmacists' name? I was convinced that HIPAA precluded that kind of marketing. But I was wrong.

HIPAA allows it. As long as you don't share the personal information about your healthcare customers and patients with the manufacturer or health care services company that is looking to market their goods and services, and only use a middleman contractually bound to keep the personal information separate, you're okay. It's only when the personal information goes to the manufacturer or services company itself that the law requires prior consent from the patient.

When I first read the complain filed by the privacy rights clearinghouse, I misunderstood the charges, It appeared to me on a quick read that Albertsons had shared the patient information with the manufacturers. They apparently hadn't, since if they had a violation under HIPAA would have been part of the claims.

The Albertsons case became a case because California's state HIPAA equivalent was amended in January 2004 to preclude the use of any personal information for any marketing, even those marketing practices permitted by HIPAA. While their practices may violate that state law, we should all step back and ask we care?

I asked one of my important focus-group members, my 25-year old daughter. She told me that she wouldn't pay any attention to anything she got from her pharmacist. She had no idea who they were. She used a location of a national chain, had her prescriptions called in and she picked them up at a drive-through window. The daughter of a pharmacist (turned doctor) and the granddaughter and also niece of a pharmacist didn't consider pharmacists healthcare professionals, but rather considered them to be business men and women.

She couldn't understand why everyone was so upset about the marketing practices where prescription refill reminders and new alternative therapies and healthcare practices were being sent to her under her pharmacists name, even if they were being paid to do so by the drug manufacturers.

When I took it a step further and asked her how she would feel about her doctor (not her dad), sending her a letter that appeared to be signed by him or her, recommending a drug or alternative therapy for which they had been paid. That got her attention. She (and others I have polled) are concerned that their doctors may be selling out for much needed supplemental incomes.

so, what can we learn from this?

we need to figure out what people care about, what they know about and how we can improve the information we have about these two factors.

As a product of the 60's, I care more than my adult kids do. My 29-year old advertising executive son cares more about security than what he considers elusive issues of privacy. My daughter thinks that she has nothing to hide, so why worry?

when we step back from frightening claims, slippery slope arguments and hype, when we have a moment to consider without being bombarded with others' agendas, what do we care about? Why? And how can we share that with the legislators who matter and companies who need to think about why they are doing something and the eventual impact.

when I say "privacy" what does that mean to you? And what do you really care about?

think about it.


Parry's Blog - linking to a new article from Essense Magazine this month, featuring Parry and

Parry's BlogRaising tech savvy kids. it also discusses the privacy/kids tracking technologies for cell phones.

PATRIOT Act section 2709 ruling - ACLU vs. Ashcroft -

PATRIOT Act section 2709 ruling - ACLU vs. Ashcroft

Saturday, October 02, 2004

The Albertson's healthcare privacy issues: how much do you really care?

What Does the HIPAA “Marketing” Provisions Mean to You?

Still there after reading the HIPAA article? Few can make it this far, so congratulate yourself. This is tough stuff, and generally only of interest those in the healthcare industry. Few consumers themselves have been very interested in this law.

While many consumer and privacy advocacy groups have been vocal, the consumer pick-up has been minimal. How do you feel about your pharmacist or physician being paid to have others send your marketing messages or drug promotions? Does it make any difference if they can do it under your pharmacist’s or physician’s name? Are you worried that your pharmacy might be sending your alternative drug therapy recommendations without informing your physician? Or does the convenience of learning about alternative therapies or being reminded to renew your prescriptions outweigh your concerns?

Do you trust a contractor who has entered into an agreement not to divulge your personal health information not to betray that trust? Do you trust them more than if the drug manufacturer itself had possession of that information and agreed not to share it further?

Did you even know about this practice? I didn’t. When I first learned about The Privacy Rights Clearinghouse’s litigation, I was on the road without Internet access. My feelings about, as both a consumer and a privacy lawyer evoloved over a short period of time.

I was appalled that a drugstore chain would market to their customers allowing the drug manufacturers to deliver their messages couched as the pharmacists themselves. I was certain that HIPAA covered this and started making some phone calls to healthcare privacy experts I knew. That’s when I found out about the changes in the HIPAA rules since I had last researched this issue.

Then I accessed the complaint filed, which made it appear that the patient/customer's personla healthcare information had been shared with the drug manufacturers. That made me angry!The more I thought about this, the more shocked I became. But following a careful review of what had actually happened, it came down to what really mattered to me and why.

1. I wasn't aware of the practive of pharmacies and physicians being paid to market to customers/patients to recommend alternative therapies. I knew that they had substantial sample programs and that durg manufacturers; deatil salespeople were notorious for providing theater or sporting events tickets to doctors and pharmacists. I knew that there were special vacation packages made available to pharmacies for sales of certain products. I had always brushed these off as being part of doing business, and in the case of physicians at least, not a big enough problem to worry about. I suspected that the physician's mal[practice and legal ethical concerns would outweight the small gratuities involved. And pharmacies, especially over the last 20 years when big chains gobbled up small neighborhood pharmacies, were more a business than a healtcare facitiy where the pharmacists had a relationship with their customers.

But learning that they were paid to allow a manufacturer to reach us through a third-party solicitor bothered me. How much were they paid? enough to overcome their ethical issues? I hope not.

2. The complaint made it appear that personal healthcare information had been shared with the drug manufacturers. I am sure that this was not intentional, but my initial reaction was based o that premise. I assume that the drug manufacturers never were given the personal contact information or helathcare information from the pharmacy in this case, or a HIPAA violation would have been alleged, which it was not.

3. I liked to know that my prescriptions need to be refilled, or that I need a new one, or that new or alterative therapies may work for me. That's a convenience that outweighs my concern about being marketed to by my healthcare professionals. I don't even care if they do this, allowing the manufacturer's message to come masked as my pharmacist. I don't give any more credance to my pharmacists' recommendations than to any other marketer (sadly).

4. But if anything comes to me, addressed as coming from my physician, I want to know that it is right for me, not just profitable for my doctor. This I consider a healthcare fiduciary duty issue, not a privacy one. It touches on malpractice and is, as I understand it, already heavily regulated by the state licensing boards.

5. The practice complained of is permitted nationally. The California state law in January just amended their state HIPAA to prevent marketing. So, a new law, a state law and not as emotionally charged as I had first thought. At least not among those I polled.

bottomline, we need to get our heads around these issues. we need to educate ourselves and each other. It's like ez pass. I hated the thought of being tracked when they first came out. But the convenince of it outweighed my concerns. I knew enough about the privacy laws to know what other protections existed and trust the law (sometimes).

And respecting customers' privacy is good for business. That, rather than regulations, will motivate most businesses. But they need to know what they are doing before they act...and think through the ramifications of those actions. Albertsons has some damage control, some serious damage control issues. But I am not sure that they truly violated their customer's trust. The law may have been broken, but we should use this as an opportunity to educate the public, not frighten them.

just my 2 cents.

What about patients with AIDS? Or HIV? Or cancer? Or [fill in the blank]? How often do we even think about how much information about us it out there? While most of us trust that our physicians and pharmacists won’t run a full-page ad disclosing our health conditions, what about our neighbor’s daughter who works there after school? Or the person from church who is standing next to us while the pharmacist explains the drug side-effects?
Do we really care if our information is shared with someone in order to sell us more medications or different ones? Or do we care that it is shared – period? Or is it that we worry that people know more about us than we think they do? Or that our pharmacist may be trying to sell us things that aren’t right for us? Or that our physicians are recommending drugs or treatments based on financial inducements? Or are we most concerned about not knowing who knows what, for how long they have known it, how they will use it, whether we have any choices in this and how well they will protect it?
I would like to get a reminder of a prescription refill, or suggestions about new medications or treatment options. But I want to know that my healthcare personal information is secure and private. I also want to know that any communications I receive from my physician or healthcare provider are based on my best interests, not how much they are paid to market products and services to me.
So, is this a privacy issue? Or is this a fiduciary and professional level of care issue? You decide. But the more we know about how things work the more we can make that decision for ourselves. It makes the difference between throwing these communications in the trash or acting on them. You decide.

HIPAA: healthcare privacy and marketing

When is Marketing Not “Marketing?”

HIPAA (the Health Insurance Portability and Accountability Act of 1996, pronounced “hippa”) is a federal law which sets standards for health information privacy and security and for the exchange of electronic health information data. It is also one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. It expressly covers physicians and pharmacies, as well as other health care providers and facilities. And prescription information and medical treatments are protected as private patient health information.

When HIPAA was first adopted it provided that Congress should set HIPAA rules within three years of its enactment. When Congress failed to act within that time, the Secretary of Health and Human Services became obligated to create the rules under HIPAA. The rules were amended several times over the years and each amendment created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, healthcare and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.

The HIPAA marketing rules were modified in the final Privacy Rule making them slightly more comprehensible. (The entire Privacy Rule can be found at http:// But the holes in the marketing restrictions are big enough to drive an entire healthcare marketing industry through.
Under HIPAA’s current rules “marketing” is defined as "mak[ing] a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient) it generally requires the patient’s prior written authorization.
Because of the strict requirements of obtaining the patient’s prior written authorization, exceptions to the definition of “marketing” are crucial to marketers. As a result “marketing” expressly excludes several very broad categories of communications. The key to understanding these exceptions is identifying “communications that enhance the individual's access to quality health care." The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care and new or alternative therapies or services.

The three key exceptions to the definition of “marketing” include:

· the “case management” or “care coordination” exception which covers information provided to individual patients for the purpose of furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health care providers or care facilities;
· the “health-related” or “value adding” exception which covers information about entities participating in, services provided and benefits covered by a provider network or health plan (which also includes replacements to and enhancements of coverage under the plan but does not include communications of discounts or other items which are available to the general public.); and
· the communications that “promote health in a general manner" exception which covers newsletters and other general circulation information promoting health, as long as they do not endorse a specific product or service.
If the communications qualify under one of the exceptions, these activities may be conducted either by the covered entity itself or via a “business associate” (which requires a confidentiality agreement be entered into).

It gets tricky when there is an arrangement between a covered entity and any other entity when personal patient health information is disclosed, in exchange for direct or indirect remuneration. Even if remuneration is paid, if a “business associate” is used and is not encouraging the patient to use or purchase its own products the communication is not “marketing” and does not require the patient’s authorization. But HIPAA does not permit the covered entity to disclose the patient’s personal health information to the company whose products or services are being promoted if remuneration is received.

The trick is to use a third-party direct marketing intermediary as the “business associate.” The healthcare provider mines the data (directly or through a “business associate”), and is paid by the drug manufacturer or similar product or service provider to market their products or services to the patients themselves through the “business associate.” While a data is never in the product or service marketers’ possession or control, they can reach these targeted patients with their messages anyway.

The Department of Health and Human Services has a frequently asked questions section about HIPAA. Its question “Can a doctor or pharmacy be paid to make a prescription refill reminder without a prior authorization under the HIPAA Privacy Rule?” discloses that a pharmacist or a physician may be paid by a drug company to recommend alternative treatments, and may use a third party “business associate” to send prescription reminders or the alternative treatment recommendations on their behalf.
When it comes to HIPAA, the devil is in the details. And complying with the details can be arduous and expensive. So getting as close to the “marketing” line as possible without going over it can mean big savings to marketers. If the communication is deemed to be “marketing” under HIPAA, the patient’s written authorization must be obtained and must contain specifics of the kind of marketing proposed as well as a disclosure of any remuneration directly or indirectly accruing to the covered entity. That means no blanket authorizations can be collected from the patient. This makes the process very costly and time-consuming. It also makes it less effective for the marketer.
But failing to respect the patient and their health information can be even more costly. HIPAA recognizes this when it advises, although does not require, the covered entity to disclose all remuneration arrangements. And if patients believe that their trusted healthcare provider is selling their personal health information to others, they will not be trusted for long. While defining the exceptions narrowly may be more costly in the short run, it may be far less costly from a customer relationship perspective in the long run.
The entire text of HIPAA regulations can be found at