On July 14, 2010 the US Department of Health & Human Services’ (HHS) Office for Civil Rights proposed significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules (the Proposed Rule). Many of these changes are required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in early 2009 as part of the federal stimulus bill. Other changes are of a "technical and conforming nature" and are designed to improve the overall "workability and effectiveness" of the HIPAA Privacy and Security Rules. A high-level summary of these changes was provided in the first of this three-part alert series.
This Alert, part three of our series, describes a number of provisions in the Proposed Rule that will impact uses and disclosures of protected health information (PHI) for marketing purposes. HHS is specifically soliciting comments on these proposals (with comments due by September 13, 2010). In addition, there are steps covered entities and business associates can take to prepare for these anticipated changes. If your organization is a covered entity or a business associate, you can begin to create a strategy for addressing these changes including assessing your marketing policies and procedures.
Proposed Revisions to Marketing Provisions
Under current HIPAA rules, a covered entity may use or disclose PHI for treatment, payment or health care operations without obtaining an individual’s authorization. However, a covered entity must obtain an authorization for any use or disclosure of PHI for marketing purposes, except for face-to-face communications or promotional gifts of nominal value provided by the covered entity. In this context marketing means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." If the marketing involves remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. These requirements and the definition of marketing do not change under the Proposed Rule. In drafting the Proposed Rule, HHS applied its understanding that Congress intended to limit a covered entity’s ability to send communications that are motivated more by commercial gain than for the individual’s health care benefit, even though the communication may be about a health-related product or service. To accomplish this, HHS proposes the following:
- To define financial remuneration as "direct or indirect payment from or on behalf of a third party whose product or service is being described." Financial remuneration would not include payment for the treatment of an individual.
- To exclude from the definition of "marketing" communications by a health care provider for treatment purposes including case management or care coordination and communications about alternative treatments or settings of care. However, if this type of communication is in writing and the provider receives financial remuneration in exchange for the communication, the provider’s notice of privacy practices (NPP) must disclose such remuneration and an individual’s right to opt out of receiving such communications.
- To allow refill reminders or other communications about a drug or biologic that is currently being prescribed for the individual so long as any financial remuneration received by the covered entity in exchange for the communication is reasonably related to the cost of making the communication.
- To classify certain health care operations communications as marketing if the covered entity receives financial remuneration in exchange for the communications. Health care operations subject to this provision include (1) describing a health-related product or service that is provided by the covered entity or (2) communications about case management or care coordination, contacting individuals with information about treatment alternatives and related functions to the extent these activities do not fall within the definition of treatment.
HHS has specifically requested comments on several aspects of the marketing provisions including the scope of the refill reminder exception (i.e., whether communications about drugs related to the one currently being prescribed should be included) and the types and amount of costs that should be allowed in determining costs reasonably related to refill reminder communications. HHS is also seeking public comment on (1) whether the opt-out should prevent all future subsidized treatment communications or just those dealing with the particular product or service described in the current communication and (2) the practicality of requiring health care providers intending to send subsidized treatment communications to provide an individual with the opportunity to opt out of receiving such communications prior to the first communication.
Squire Sanders lawyers have significant experience in HIPAA compliance efforts including privacy and security assessments. We routinely advise clients on matters related to HIPAA policies and procedures and business associate agreements. We continue to monitor the proposed changes to HIPAA and are available to assist clients in structuring their privacy and security practices to comply with these changes. For more information on how we can help you, please contact your principal Squire Sanders lawyer or one of the lawyers listed in this Alert.