Welcome to “A Moment of Privacy,” a newsletter brought to you by the Privacy and Data Security Practice Group at Proskauer Rose LLP.
“A Moment of Privacy” addresses one legal development each month in the area of privacy and data security law. We answer the questions our clients are asking, in a way that we hope gives practical information to our readers. If you send us your question, you may find your answer in an upcoming newsletter.
And now for this month’s question:
Q: My company uses individual health information for marketing and fundraising purposes. Does the recently enacted economic stimulus legislation, H.R. 1 (111th Cong. 1st Sess. Feb. 17, 2009), contain provisions that regulate this type of marketing? What are these provisions?
A: H.R. 1 makes several changes to the provisions on marketing and fundraising that are contained in the current version of the Privacy Rule, last modified in 2002 pursuant to the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Part 164. The changes are intended to significantly narrow the circumstances under which a HIPAA-covered entity (such as most health care providers) may receive payment from a third party (such as a pharmaceutical company) for a communication to a patient that encourages the patient to purchase or use a product or service. They also require covered entities to provide patients a way to opt out of fundraising communications.
The current Privacy Rule
Under the current Privacy Rule, an individual’s information may be used without prior authorization for a wide variety of activities that are defined as “health care operations,” and the definition of “health care operations” includes “contacting of health care providers and patients with information about treatment alternatives” and “fundraising for the benefit of the covered entity.” 45 C.F.R. § 164.501 (definition of “health care operations”). This broad definition of “health care operations” in the current rule allows HIPAA covered entities to use the health information they have about patients for such purposes and to derive an economic benefit for doing so.
The core definition of “marketing” in the current Privacy Rule encompasses communications that encourage the purchase or use of a product or service. 45 C.F.R. § 164.501 (definition of “marketing”). Such activities are subject to various limitations, including a patient authorization requirement. But that definition also includes three carve-outs excluding certain types of communications from the definition of “marketing.” The three carve-outs from the definition of “marketing” are, in brief summary: (1) communications made to describe a health-related product or service that is included in a plan of benefits provided by the covered entity making the communication; (2) communications made “for treatment of the individual”; and (3) communications made for case management purposes or to recommend alternative treatments, therapies, health care providers or settings of care to the individual. The exclusion of these carve-outs from the definition of “marketing” has the effect of allowing such communications without prior authorization of a patient.
The changes made by H.R. 1 include the following:
Marketing Communications
First, § 13406(a) clarifies that any communication that falls within the Privacy Rule’s definition of “marketing” will not be considered “health care operations” (as to which prior authorization would not be required) unless the communication falls within one of the carve-outs from the definition of “marketing” described above.
Second, § 13406(a) states a general rule that if payment is received for a communication, even when it falls within one of the carve-outs, the communication shall not be considered “health care operations.”
Third, Section 13406(a) outlines three qualifications to the above general rule that, taken together, permit covered entities to receive payments for certain communications included in the marketing “carve out” and nonetheless remain within the definition of “health care operations.”
In summary, no patient authorization is required if the communication concerns a “drug or biologic” that is currently being prescribed for the recipient of the communication, and the payment is “reasonable in amount” (as defined in regulations to be promulgated by the Secretary of Health and Human Services). In all other circumstances where payment is received, patient authorization, including disclosures to the patient concerning the payment, must be obtained. If the communication is made by a business associate of the provider, a contract or other agreement between the provider and the business associate that otherwise satisfies the requirements of the Privacy Rule must be in place.
Fundraising
Section 13406(b) addresses the use of patient information for fundraising purposes. While communications of a covered entity for fundraising purposes are currently included in the definition of “health care operations” in the Privacy Rule, § 13406(b) of H.R. 1 requires providers that send fundraising communications to include in every such communication an opportunity for recipients to opt out of future fundraising communications. The new rule also prescribes the nature of the opt-out that must be provided, and delineates the protections that are applicable to patients who choose to exercise the right to opt out.
Effective Date
Under § 13406(c), the provisions in § 13406(a) and (b) applicable to written communications become effective 12 months after the date of enactment, that is, Feb. 17, 2010.
Have a question? E-mail Kristen J. Mathews at kmathews@proskauer.com.