Red Rock Eater Digest - Analysis of the Marketing Provisions of the HIPAA Privacy

2001-01-02

Source

Automatically imported from: http://commons.somewhere.com:80/rre/2001/RRE.Analysis.of.the.Mark.html

Content

| | |
| --- | --- |
| Red Rock Eater Digest | Most Recent Article: Thu, 12 Jul 2001 |

```
---

This message was forwarded through the Red Rock Eater News Service (RRE). You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html

---

Date: Wed, 03 Jan 2001 00:34:31 -0500
From: Robert Gellman
Subject: HIPAA Marketing Rule

In debates over health privacy proposals, it was often said that video rental records had better privacy protection than medical records. Unfortunately, now that the final HIPAA privacy rules have been issued, it is still true that video rental records have better protections from marketing uses and disclosures than medical records.

The new HIPAA health privacy rules released at the end of December authorize health providers and health plans to use and disclose patient records for many marketing purposes without patient consent or authorization. Marketing permitted under the rule would far exceed current practices. The Clinton-Shalala marketing rule is the most anti-privacy proposal that I have seen in more than twenty years of work on health privacy policy.

Without the marketing language, the health privacy rules are a mixed bag, with things to like and some things to dislike. Janlori Goldman of the Health Privacy Project called the rules a "great victory for consumers." I disagree strongly. The marketing provision is so anti-consumer and anti-privacy that it outweighs any other positive features of the rest of the rules.

At the end of this message (below my signature) is a detailed analysis of the marketing rule. You are welcome to distribute this message and the analysis as you see fit.

Bob

---

+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman
+ Privacy and Information Policy Consultant
+ 419 Fifth Street SE
+ Washington, DC 20003
+ 202-543-7923 (phone) 202-547-8287 (fax)
+ + + + + + + + + + + + + + + + + + + + + + +

    Analysis of the Marketing Provisions of the HIPAA Privacy Rules

    By Robert Gellman
    Privacy and Information Policy Consultant
    rgellman@cais.com

    In debates over health privacy proposals, it was often said that video rental records had better privacy protection than medical records. Unfortunately, now that the final HIPAA privacy rules have been issued, it is still true that video rental records have better protections from marketing uses and disclosures than medical records.

    HIGHLIGHTS

    The rule contains the most sweeping authorization for the use of patient information for marketing proposed in the last twenty years. The marketing rule was not in the draft rule published for comment.

    The rule expressly authorizes disclosures for marketing without patient consent. For example, information about a woman's pregnancy can be used by health providers or plans for marketing and disclosed to others for marketing. A woman could only object after the fact.

    All medical information held by providers and payers can be used by them for marketing without affirmative patient consent or without the opportunity to opt-out in advance.

    All protected health information can be disclosed for marketing. The rule does not protect information about diagnoses, prescriptions, pregnancy, sexually transmitted diseases, mental health treatments, or confidential communications. Marketing to minors or using protected health information about minors is permitted.

    Patients have the right to opt-out of marketing only after receiving a marketing communication. If a family of four has a dozen doctors, clinics, health plans, hospitals, laboratories, pharmacies, pharmacy benefit managers, etc., the family may have to write 48 separate letters to opt-out of each organization's marketing activities.

    Patients do not have to be offered toll-free numbers to opt-out, the ability to opt-out online, or postpaid opt-out letters. A covered entity could require an individual to send a separate snail mail letter to opt out. Nothing in the rule says that a covered entity cannot charge patients who want to opt-out.

    HHS has defended the marketing rule by saying that it allows physicians to make recommendations to patients. However, the definition of marketing expressly excludes these recommendations. Therefore, a rule allowing broad uses and disclosures for marketing is not necessary to permit physicians to make treatment recommendations.

    QUOTE FROM THE PREAMBLE

    Any doubts about the sweeping scope of the marketing rule are put to rest by these words from the preamble to the rule (on page 82771 of the Federal Register notice):

    "However, the final rule permits an alternative arrangement: the covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity's name."

    This language says expressly that marketing is permissible for a fee, that marketing is permissible on behalf of third parties, and that telemarketing is permissible.

    DETAILS OF THE HIPAA MARKETING RULE

    A covered entity does not need patient authorization if it uses or discloses protected health information for marketing under any of these conditions -

    1) in a face-to-face encounter with an individual. The encounter does not have to involve a provider. For example, a marketer could knock on the door of a pregnant woman and try to sell her a product or service. Face to face marketing using medical information might also be done for cars, vacations, magazines, or other products or services unrelated to health.

    2) if the marketing concerns products or services of nominal value. For example, a hospital might use or disclose a list of patients with a particular diagnosis if the purpose were to distribute a 25-cents off coupon for a product that costs a dollar. The marketing could be for products or services unrelated to health.

    3) if the marketing concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions (see below).

    CONDITIONS FOR HEALTH-RELATED MARKETING

    The conditions that apply to the last category of marketing offer some limited protections. The communication must identify the covered entity as the party making the communications. If the information were given to a business associate, the business associate might have to say that it was the covered entity. This may actually hide the fact that the information had been shared with another entity. Or the information might be presented in another way ("Now that you are pregnant, your doctor asked us to tell you about our diaper service."). Because any covered entity can use data for marketing, the source of the data might be a laboratory or other indirect provider that a patient would not even recognize.

    The communication must prominently disclose whether the covered entity was being paid directly or indirectly. This can be done easily. ("The XYZ diaper company is paying us to mail this offer to you, but we think the offer is so wonderful that we would have done it anyway had we thought of it first ourselves.")

    The third condition is that the patient must be given an opportunity to opt-out of receiving future communications. There are several problems here. An opt-out is not required for newsletters or general communications distributed to a broad cross section of individuals. However, it is not clear what a broad cross-section means. A hospital being paid to send a promotion for a drug manufacturer could avoid offering an opt-out if the communication were to a broad enough group. For example, a promotion for a drug of interest only to diabetics would not have to offer an opt-out if the promotion went to all hospital patients.

    OPT-OUT SHORTCOMINGS

    It is not clear what is meant by opt-out. Would a patient opting out of a promotion for a diabetes drug also have to opt-out separately of promotions for heart, kidney, and cancer drugs or promotions for other third parties? Would opt-outs cover institutions, business associates, indirect providers and hybrid entities or would separate opt-outs be required?

    The rule does not specify an opt-out procedure. An 800-number for opt-outs is not required. No online opt-out is required. No postpaid opt-out card/letter is required. Patients could be required to write a snail mail letter for each provider, health plan, insurance company, pharmacy, pharmacy benefit manager, laboratory, x-ray facility, clinic, and other facility. ("If you want to opt-out of future promotions, write a letter containing your name, address, health plan, SSN, medical record number, the names of your doctors at our hospital, the clinics you attend, and send it to us at ... .").

    Perhaps the worst opt-out feature is that the rule does not provide for opt-in or even advance opt-out. An individual acquires the right to opt-out only after receiving a marketing communication.

    RULES FOR MARKETING BASED ON HEALTH STATUS

    Other conditions attach if a covered entity uses or discloses protected health information to target communications based on health status or condition. The entity must determine that the product is beneficial to the targeted individuals. The rule does not require a determination by a treating physician or health professional. An administrator can presumably make the determination. Any study that shows any potential benefit, no matter how small or questionable, might be enough to justify a determination. For example, the rule might permit the marketing of vacation packages to patients with a variety of ailments or as a preventative measure.

    A second condition is that the communication must explain why the individual has been targeted and why the product or service would be beneficial. THIS CONDITION ACTUALLY RUNS THE RISK OF FURTHER INVADING THE PRIVACY OF MARKETING SUBJECTS. Imagine marketing condoms to a teenager who was treated for syphilis. The promotion would have to say that the teenager was selected because s/he was sexually active and condoms will prevent a recurrence of the disease. What happens if the teenager's parent opens the letter first? A woman who had an abortion that her family did not know about might receive a solicitation for family planning services that referenced her abortion.

    A third condition is that a covered entity must make reasonable efforts to ensure that opt-outs will be honored. This condition is useful, but the rule does not require anyone to make reasonable efforts to provide easy, free, and alternative opt-out methods. The rule does not say anywhere that a patient must be able to opt-out without paying a fee.

    The rule suggests that information cannot be disclosed to a third party without consent. That is true, but it is misleading. A disclosure for marketing can be made to a business associate, and anyone can become a business associate by signing a contract with a covered entity. Patient records can be disclosed, for example, to a telemarketing firm if the firm becomes a business associate. The telemarketer can then market any health-related product or service, including a product or service of a company that is not a business associate.

    The general privacy rules attach to business associates who receive disclosures from covered entities. That is a good thing, but the fact remains that broad scale marketing using patient information is permitted. Business associates could be allowed to make disclosures to other business associates.

    The information of a consumer who responds to a promotion might not be covered by the privacy rule. A consumer who responds to a marketing solicitation might be disclosing name, address, and diagnosis to a third party not covered by the rule. Further use of the information would therefore be unrestricted.

    REMEDIES

    Another consequence of the marketing rule involves remedies available to individuals whose records are misused. The final rule removed the requirement that patients be identified as third party beneficiaries under any contracts with business associates. Thus, if a marketer or business associate of a hospital misuses health information disclosed to the marketer, a patient would have no clear right to sue under the HIPAA scheme. The legal conclusion on this point would vary from state to state, and a great deal of uncertainty about third party beneficiary law and health privacy remains. Nevertheless, it is possible that no remedy would be available.

    VIDEO PRIVACY ACT (for comparison)

    The Video Privacy Protection Act does not allow video operators to disclose the names of movies that an individual rented without affirmative consent. The HIPAA health privacy rules allow use and disclosure of any protected health information for many marketing purposes without the affirmative consent of the individual.

    The Video Privacy Protection Act allows video operators to disclose the categories of movies rented (not actual titles) only if an individual was given an opportunity in advance to opt-out. The HIPAA health privacy rules allow disclosure of any protected health information for many marketing purposes without mandating an advance opt-out.

    January 2, 2001 #####
```