Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations governing the privacy and security of medical information. The purpose of the law is to improve the portability of health insurance coverage, reduce health care fraud and abuse, and protect the privacy of individuals’ personal health records.
Please note that after HIPAA went into effect, several sets of regulations were promulgated; two rules are key for marketers: the “Privacy Rule” and the “Security Rule”. The Privacy Rule creates national standards to protect the privacy of personal information, while the Security Rule governs the security of electronic health care information. Each must be reviewed by any organization that uses the health information of individuals.
To view the entire rule and related materials, see http://www.hhs.gov/ocr/hipaa
In January 2013, HHS announced changes, known as the “omnibus” rule, that give the public increased control over personal health information. The changes implement the enhanced enforcement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and other rulemaking proceedings since 2009.
The omnibus final rule includes the following additional requirements for “protected health information” (PHI):
The compliance date for the changes related to HITECH was September 23, 2013 (covered entities, business associates, and subcontractors).
Covered entities should develop the following legal documents through their legal counsel, and review additional requirements that may impact them, their business associates and subcontractors:
To view a sample agreement, go to this link: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Examples (not an exhaustive list):
Under the omnibus rule, business associates include:
Under HIPAA, covered entities must obtain written permission from individuals – by way of a signed authorization form – before they use or share health-related information for marketing and certain other purposes.
An authorization is a detailed document that gives a covered entity permission to use protected health information for specified purposes, which are generally other than treatment, payment, or “health care operations,” or to disclose protected health information to a third party specified by the individual. Such specified purposes include marketing, disclosure of psychotherapy notes (where appropriate), and disclosures that constitute a sale of protected health information.
Health care operations include but are not limited to the following:
No. Providers and health plans may not condition treatment, enrollment in a health plan, or benefits on receiving an authorization.
Yes. More than one authorization may be obtained on one form, but the “authorization” cannot be expanded. Again, it is important to note that treatment or enrollment in a plan cannot be conditioned upon receiving authorization.
No. The authorization needs to be conspicuous and separate from any other document, including any other written legal permission from the individual.
However, as noted in the previous question, more than one authorization may be obtained on one form. For example, an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes would be permitted. A health care provider could not, however, refuse to treat an individual because the individual refused to authorize disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
Marketing is defined as a communication about a product or service that encourages recipients to purchase or use the product or service. This covers the planned use or disclosure of protected health information (“PHI”) for marketing purposes. To view the full set of marketing FAQs, go here: http://www.hhs.gov/ocr/privacy/hipaa/faq/marketing/index.html
All subsidized communications (those for which the covered entity receives financial remuneration in exchange for making the communication) are marketing and require advance authorization.
The following communication activities are allowable without authorization, so long as there is no financial remuneration from a third party in exchange for making the communication. Examples:
In addition to other authorizations (see question in “Authorization Forms” section above), an authorization for marketing must include a statement that the covered entity will be paid for the marketing activity if the marketing involves direct or indirect remuneration by a third party.
Permitted fundraising activities include appeals for money, sponsorships of events, etc. They do not include royalties or remittances for the sale of third parties’ products (except auctions, rummage sales…). Covered entities are allowed to use, or disclose to a business entity or institutionally-related foundation, limited protected health information (demographic information and dates of care) about an individual for that entity’s fundraising without authorization.
The covered entity’s fundraising materials must include an opt-out notice that is clear and conspicuous, and if the appeal is made over the phone an opt-out disclosure must be made (channel-neutral disclosures). If the individual opts out, no further fundraising communications may be sent through any marketing channel.
Under HIPAA, individuals have the right to:
No. A private cause of action is not authorized by the Rule.
Individuals can file a complaint against covered entities that they believe have not complied. The complaint should be filed with the U.S. Department of Health and Human Services (DHHS). Here is the complaint portal: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
See this link for additional consumer rights information:
The privacy notice requirements under HIPAA and related regulations are complex. Here are some key highlights:
An individual has the right to notice regarding a covered entity’s uses and disclosures of protected health information. Covered entities must have and distribute a notice of their privacy practices (“NPP”). The NPP must describe the uses and disclosures of protected health information, the covered entity’s legal duties and privacy practices with respect to protected health information, and the individual’s rights with regard to protected health information.
The NPP must contain a statement covering most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information for marketing purposes, and must state that other uses and disclosures not described in the NPP will be made only with the individual’s authorization. If the entity plans to do fundraising, the privacy notice must also say so and describe the opportunity to opt out.
The NPP should also inform individuals of their right to restrict disclosures of protected health information when the individual has paid out of pocket for the health care product or service.
A business associate does not need to provide a separate notice. But a covered entity must ensure, through its contract with the business associate, that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies as stated in the covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.
Please note that the Notice must reflect any State law that is more stringent than the Privacy Rule with respect to the use or disclosure of protected information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of those States, if any, must be reflected in the Notice.
When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision.
The NPP (above) should include notice of affected individuals’ right to be notified in the event of a breach in which protected information is impermissibly used or disclosed; this provides helpful context should a breach occur in the future.
The HITECH Act requires covered entities to provide notification to affected individuals, the Secretary of HHS, and the media (if more than 500 residents of the State or jurisdiction are impacted) following discovery of a breach. A breach is treated as discovered as soon as any employee (other than the person committing the breach) knows, or reasonably should have known, about it.
The notice should be sent within 60 days after the breach is discovered. The notice to the individual should include:
A business associate is required to notify the covered entity (or all affected covered entities, if there are several) of a breach of unsecured protected health information so that the covered entity can notify affected individuals. This should occur no later than 60 days following discovery of the breach.
Please note that law enforcement may require a delay prior to breach notification.
HHS’ Office for Civil Rights (OCR) is the governmental body with enforcement responsibility. Penalties range from $100 to $50,000 per violation, depending on the type of violation, up to a maximum of $1.5 million in a calendar year.
As a business associate of a covered entity, your organization will need to take the following actions:
No. Although there are similarities between HIPAA and the DMA’s Health Marketing Guidelines, HIPAA is law and the DMA’s Guidelines are not, and in some areas HIPAA requires more than the DMA Guidelines do.