The Privacy Provisions of the Health Insurance Portability and Accountability Act (HIPAA)
In August 2002, the U.S. Department of Health and Human Services revised the December 2000 rule that implements the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under the Rule, new requirements will be placed on health care providers (covered entities). Among them is that, with limited exceptions, covered entities must receive written, explicit authorization from an individual to use or disclose protected health information for marketing or fundraising.
When do I have to be in compliance with the Act and Rule?
Most covered entities have until April 14, 2003 to comply. Small health plans – those with annual receipts of $5 million or less – have until April 14, 2004.
What new legal documents will be developed under HIPAA?
Covered entities may have to develop the following new legal documents:
- Authorization Forms – to obtain written permissions from patients to authorize covered entities to use or disclose health information;
- Notice of Privacy Practices – to provide patients notice regarding disclosure and use of information; and
- Business Associate Agreements – to assure that business associates also comply with the rule.
What information is protected?
Personally identifiable health information held or disclosed by a covered entity in any form, including oral, written and electronic. Identifiers that make information personally identifiable include:
- Specific dates – birth, admission, discharge, death
- Telephone number
- Social Security number, medical record number
- City, zip code, and other geographic identifiers
What are “covered entities?”
- Health plans – HMOs, insurers, Medicare and Medicaid;
- Health care clearinghouses – billing services, repricing companies, community health management information systems and “value added” networks and switches; and
- Health care providers – medical or health service providers and any other person or organization who furnishes, bills, or is paid for health care in electronic form (e.g., insurers, physicians, hospitals, labs and pharmacies).
What is meant by “business associates” and are they covered by the Rule?
Business associates perform functions or services for the covered entity that involve the use of protected health information. They may include: direct marketers, pharmaceutical manufacturers, medical equipment suppliers, software and database vendors and suppliers. A covered entity can also be a business associate to other covered entities.
The Rule places restrictions on disclosures of protected health information from covered entities to business associates, and on disclosures and uses of protected health information by business associates.
What are the new requirements for covered entities and business associates?
The covered entity must receive a written agreement from each of its business associates prior to disclosing any protected health information.
The covered entity is required to:
- Bind the business associate to adhere to the Final Rule, and require its contractors/agents who receive protected health information to follow the Rule, as well;
- Ensure that the business associate adheres to permitted and required uses as set forth in the contract; and
- Safeguard the information from unauthorized use or disclosure.
The business associate is required to:
- Inform the covered entity if there is any unauthorized use or disclosure; and
- If feasible, return the protected health information to the covered entity upon termination of the contract between them.
If a covered entity knows that the business associate has violated any of the Rule’s requirements, it must ensure that the breach is rectified or the contract is terminated, or, if the contract cannot be terminated, inform the U.S. Department of Health and Human Services.
1. Under HIPAA, covered entities must obtain written permission from individuals – by way of a signed authorization form – before they use or share health-related information for marketing and certain other purposes. What is an authorization form?
An authorization form is a written permission from the patients that allows use or disclosure of their protected health information for purposes other than treatment, payment or health care operations. See question #4 about contents of authorization forms.
2. What is the definition of health care operations?
Health care operations include but are not limited to the following:
- Certain fundraising activities for the covered entity’s own benefit;
- Quality assessment and improvement activities;
- Insurance underwriting, premium rating, and related insurance activities;
- Business planning, development and management activities;
- Licensing and audits;
- Evaluating health care professionals and plans; and
- Training health care professionals.
3. Can health care providers and health plans condition treatment/service on obtaining authorization?
No. Providers and health plans may not condition treatment, enrollment in a health plan, benefits eligibility, or payment on obtaining patient authorization.
4. What must be included in the authorization form?
Authorization forms are a specific and comprehensive type of written permission that should be written in plain language. The following elements must be included in an authorization form:
- A specific description of the information to be used or disclosed;
- Who (by name or class of persons) is authorized to make the requested use or disclosure of information;
- Who the covered entity is disclosing the information to;
- What the purpose is regarding use or disclosure of the information;
- An expiration date or event;
- How the individual can revoke authorization, including the exceptions and the ability to exercise that right (An individual may revoke authorization at any time, but it must be in writing);
- A statement that information used or disclosed under the authorization may also be redisclosed and no longer protected by the Final Rule;
- A statement that the covered entity will not condition treatment or payment on the individual’s authorization; and
- The signature of the individual or the individual’s representative, and the date signed.
5. Can more than one authorization be obtained on one form?
Yes. More than one authorization may be obtained on one form. Again, it is important to note that treatment or enrollment in a plan cannot be conditioned upon receiving authorization.
6. Can the authorization be included with other documentation?
No. The authorization needs to be conspicuous and separate from any other document, including any other written legal permission from the individual.
However, as noted in the previous question, more than one authorization may be obtained on one form. For example, an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes would be permitted. A health care provider could not, however, refuse to treat an individual because the individual refused to authorize disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
1. What is considered “marketing” under HIPAA?
Marketing is defined as a communication about a product or service that encourages recipients to purchase or use the product or service. This includes instances when a third party pays a covered entity to disclose protected health information that enables the third party to use the information for its own marketing purposes. It also includes instances where an affiliate communicates about its own product or service encouraging recipients to buy or use that product or service. The definition does not limit the type or means of communication that is considered marketing.
2. Can covered entities market without an authorization?
It depends. A covered entity may not use or disclose protected health information for a marketing purpose without an authorization unless the communication falls into one of the limited exceptions (see next question for a list of exceptions).
3. What types of marketing communications are allowable without authorization?
The following marketing activities are allowable without authorization:
- Face-to-face encounters with individuals;
- When the marketing communication is in the form of a promotional gift of nominal value (e.g., calendars, pens);
- Communications with the individual to describe the health benefits of a product or service, such as informing individuals about:
  (1) services and payment options available by a health plan,
  (2) names or types of providers that offer different services,
  (3) whether a specific provider participates in a network,
  (4) whether and what portion of payment will be provided by a specific provider, and
  (5) health-related products or services available only to a health plan participant that are not part of the plan benefits but add value to it. This one is known as the exception for “VAIS” or value-added items or services.
- Communications regarding treatment, case management or care coordination, and recommending alternative treatments, therapies, health care providers, or settings of care to the individual. This allows activities such as referrals, prescription reminders, appointment notifications, disease management and wellness programs, and recommendations and other communications that address how a product or service may relate to the individual’s health.
4. What must be included in the marketing authorization?
In addition to other authorizations (see question in “Authorization Forms” section above), an authorization for marketing must include a statement that the covered entity will be paid for the marketing activity if the marketing involves direct or indirect remuneration by a third party.
5. What marketing activities require an individual written authorization, and can protected health information be used to seek authorization?
All marketing activities that do not fall under one of the exceptions require patient authorization.
Covered entities may use protected health information to solicit authorizations from individuals. For example, Physician A may generate a mailing list of his or her patients and send an authorization form to them for marketing or other purposes covered under the Rule.
6. What are the main challenges for third-party marketers under HIPAA?
The main challenges for third-party marketers are that they must either:
- Offer a truly “special discount” to a health plan on health-related items or services (not mere pass-throughs of discounts or items that are available to the public at large) in order to obtain protected health information under the VAIS exception to the authorization requirement; or
- Persuade a covered entity to obtain the patient’s authorization before disclosing protected health information to the third-party marketer. (Keep in mind that covered entities might not want to obtain patient authorizations – it could be considered burdensome to receive individual authorizations and maintain additional paperwork.)
7. What happens to information that is obtained prior to the effective date of the Rule – April 14, 2003?
Covered entities may continue to rely on existing consents, authorizations and/or relevant legal permissions for information obtained prior to the effective date of the Rule. However, covered entities must receive the new authorization forms for any protected health information that is received or created after April 14, 2003, and that will be used or disclosed for purposes other than treatment, payment, or health care operations.
1. What are the patient’s rights under HIPAA?
Under HIPAA, patients have the right to:
- Receive a privacy notice to inform them about how protected information will be used and disclosed;
- Request that uses and disclosure of protected information be restricted (covered entities are not required to always agree to restrictions);
- Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
- Get an accounting of the disclosure of their protected information for the past six years; and
- File a complaint.
2. Can individuals bring a private cause of action against a covered entity?
No. A private cause of action is not authorized by the Rule.
3. Are there other actions an individual can take to file a complaint against a covered entity’s failure to comply with the regulation?
Individuals can file a complaint against covered entities that they believe have not complied with the regulation. The complaint should be filed with the U.S. Department of Health and Human Services (DHHS).
The complaint must:
- Be filed within 180 days of when the complainant knew that a violation had occurred (unless the Secretary of DHHS waives time limit for good cause);
- Be written and submitted via U.S. postal mail or electronically; and
- Include the name of the covered entity and a description of the alleged relevant violations.
The covered entity must:
- Provide records and compliance reports to DHHS; and
- Cooperate with complaint investigations and compliance reviews.
1. What enforcement regulations are created by the Rule?
DHHS’ Office for Civil Rights (OCR) is the governmental body that has the enforcement responsibility. Violators can be sentenced to up to 10 years in prison and fined up to $250,000 in criminal penalties for failure to comply. In addition, civil penalties can be imposed of $100 per violation and up to $25,000 per person, per year for each violation.
2. Does HIPAA supersede other relevant state and/or federal laws?
No. HIPAA does not pre-empt state or federal laws that provide greater protection to the confidentiality of health information. HIPAA establishes the floor for privacy protection of health-related information.
3. What steps do business associates need to take to comply with the Rule?
As a business associate of a covered entity, your company will need to take the following actions:
- Enter into new contracts with covered entities in which you agree to safeguard protected health information and assume responsibility for certain HIPAA requirements;
- If requested by the covered entity, modify procedures for storing patient information to enable tracking of data disclosures and patient access to records;
- Develop a privacy notice describing the types of uses and disclosures of protected health information;
- If requested by the covered entity, adopt procedures for handling patient requests for correction of information;
- Enter into new contracts with subcontractors to ensure that they safeguard any protected health information you transfer to them;
- Train employees regarding privacy requirements and the safeguarding of protected health information;
- If requested, provide copies of your policies, procedures, and records for handling protected health information to the covered entity and/or the U.S. Department of Health and Human Services;
- Inform the covered entity if there is any unauthorized use or disclosure of protected health information; and
- If feasible, return the protected health information to the covered entity upon termination of the contract between them.
If I comply with DMA’s Health Data Marketing Guidelines, then am I in compliance with HIPAA?
No. Although there are similarities between HIPAA and the DMA’s Health Data Marketing Guidelines, HIPAA is law and the DMA’s Guidelines are not, and in some areas HIPAA requires more than the DMA Guidelines. (See the FAQ on the DMA Health Data Marketing Guidelines and the DMA Guidelines for Ethical Business Practices for more information.)
1. A physician sends a letter to all of her patients, telling them of her new office location.
No authorization is required to use protected health information because, by describing the covered entity’s health service, the communication falls within an exception.
2. A company, acting on behalf of a network of hospitals, collects health-related data from consumers.
The company may need to enter into a business associate contract with the hospital network because it is acting on behalf of the network.
3. A list compiler collects health-related data volunteered by consumers on a survey. The list compiler then rents lists to providers of health insurance plan benefits for their marketing campaigns.
The list compiler does not need to enter into a business associate contract because it is not acting on behalf of a covered entity at the time of data collection. Therefore, the information is not protected health information.
4. A consumer responds to a solicitation by enrolling in a health insurance plan using his/her credit card. The credit card company identifies the name of the health plan in the consumer’s monthly billing statement.
The credit card company is not a business associate, because it is not acting on behalf of the health insurance company when it processes the financial transaction. However, the health plan, because it initiated such payments, may need to comply with HIPAA requirements, such as the requirement that it not disclose any more information to the credit card company than is reasonably necessary to conduct the payment transaction and that it inform the consumer of the creditor’s identity.
5. A pharmacy sends its customers a reminder to take their prescriptions. A pharmaceutical company pays for this mailing.
This is a treatment communication, which does not require an authorization. Remuneration is irrelevant, that is, receipt of remuneration does not transform a treatment communication into a commercial promotion requiring an authorization.
6. A health plan sends its customer a newsletter that includes ads for a pharmaceutical company’s blood pressure drug.
This would require the health plan customer to give authorization because it constitutes use of protected health information for a communication that encourages recipients to use a product.
7. A pharmacy sends its customers who are taking a prescription drug notice that it is now available in generic form.
This is a communication recommending an alternative treatment, which does not require an authorization.
8. A hospital sells its list of mothers who gave birth at the hospital to photographic studios.
This would require authorization from the mothers before the hospital could sell its list of names of patients to the photographic studio for the studio’s own independent marketing uses.
9. A hospital tells former heart patients of a new seminar on wellness.
Communications such as these, which promote health in a general manner and do not promote a specific product or service, fall within an exception to the definition of “marketing” and, therefore, do not require prior authorization.
10. A health plan sends to its members via mail a special discount opportunity to join a fitness club.
No authorization is required because this communication describes a health-related service available only to health plan members (i.e., a discount that plan members would not be able to obtain directly from the fitness club) that adds value to the plan benefits.
11. A teleservices company is hired by a blood bank to encourage former blood donors to donate again.
No authorization or business associate agreement is needed because the procurement or banking of blood is not considered to be a “health care” activity. The persons who donate blood are not seeking health care for themselves but are seeking to contribute to the health care of others. Consequently, blood banks are not considered to be health care providers, nor is the personal information they collect considered to be protected health information.
12. A teleservices company is hired by a hospital to encourage former patients who previously donated blood to donate again.
The hospital will need to obtain prior authorizations from the individuals because their names and related data are protected health information and the purpose for using the information – procurement of blood donations – does not constitute “treatment” (see scenario 11 above). The teleservices company will need to enter into a business associate contract because the hospital is disclosing to it names of patients, which is data that constitutes protected health information.