With less than a month left until the HIPAA Omnibus Final Rule of 2013 is implemented, it’s time for Covered Entities (CEs) and Business Associates (BAs) to get cracking on meeting the new or updated requirements, if they haven’t done so already.
In this post, we’ll be going over three very important updates regarding the use of Protected Health Information (PHI) involving:
- marketing of PHI,
- fundraising using PHI, and
- the sale of PHI.
What defines marketing using PHI?
It is considered marketing if the CE (or a BA) receives financial remuneration for communicating about health-related services or products to patients. Under the 2013 HIPAA Omnibus Final Rule, the CE must have the patient’s authorization for such communications. Furthermore, the CE must disclose the fact that they have received financial remuneration for marketing the product or service before the communication actually occurs. As with every rule, however, there are exceptions. For example, patient authorization for the use of PHI for marketing is not necessary in the following cases:
- if the CE engages in a face-to-face communication with the patient,
- if the CE provides a promotional gift of nominal value to the patient,
- for drug refill reminders, and
- for communications about programs sponsored by the government.
The sale of PHI is allowed only after the patient’s authorization
The sale of PHI is defined as a disclosure of PHI by a CE or a BA in which the CE or BA directly or indirectly receives remuneration from, or on behalf of, the recipient of the PHI in exchange for the PHI. A transfer of PHI ownership, or a licensing or lease agreement covering PHI, would each constitute a sale of PHI. A CE or a BA may not sell PHI without a patient authorization except when certain conditions apply:
- The PHI is being disclosed in accordance with the requirements of the Privacy Rule and remuneration is limited to the cost of preparing and transmitting the PHI – no profit is permitted.
- The disclosure is for:
  - treatment and payment,
  - public health information,
  - legal requirements, or
  - the sale or merger of a CE where the new entity is a CE.
If a CE is asking for an authorization for the sale of PHI, the authorization must indicate whether the CE is receiving remuneration for the sale of the PHI.
Patients can opt-out of fundraising communications
The use and disclosure of certain elements of PHI for fundraising purposes is permitted by the 2013 HIPAA Omnibus Final Rule. This information includes:
- demographic information of the patient,
- information about the patient’s physician,
- the department the patient visited,
- the outcome of the treatment, and
- status of the patient’s health insurance.
The 2013 HIPAA Omnibus Final Rule also states that the CE is required to provide options for a patient who wishes to opt out of any fundraising communications, whether those occur through phone calls or mailings. The opt-out method can be chosen by the CE; however, it cannot place a burden on the patient choosing to stop the fundraising communication. Some examples of appropriate opt-out methods that a CE can offer patients are:
- providing a toll-free number that the patient can call,
- providing the patient with a prepaid postcard that the patient would simply fill out and drop in the mailbox, or
- providing the patient an opt-out capability through email.
Also note that the CE must state, in its Notice of Privacy Practices, that it will be engaging in fundraising communications with the patient, and that the patient can opt out of them if he or she chooses.
To recap, Covered Entities and Business Associates should understand:
- that they must gain patient authorization before marketing PHI and disclose the fact that they have received financial remuneration,
- that the sale of PHI can only occur after the patient’s authorization, and
- that they must provide the patient with opt-out capability for fundraising communications that would not cause a burden on the patient.
September 23, 2013 is just a few weeks away, so now is the time for CEs and BAs to actively review and update their policies to ensure compliance with the new 2013 HIPAA Omnibus Final Rule.