Revisions to an existing rule governing health information will take effect this spring. One change requires certain entities to obtain an individual’s explicit written authorization to use or disclose protected health information for marketing or fundraising.
The rule, which implements the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPPA), is extremely complex, so complex in fact that many health care providers have hired chief privacy officers just to deal with the revisions, said Pat Faley, the Direct Marketing Association’s vice president of ethics and consumer affairs.
Entities covered under the rule include:
* "covered entities" or health plans, health care clearinghouses and health care providers, and,
* business associates which include direct marketers (such as service bureaus and software and database vendors and suppliers), pharmaceutical manufacturers and medical equipment suppliers that perform functions or services for the covered entity that involve the use of protected health information.
Faley cautioned that the complicated rule may make it difficult for DMA members to determine if need to abide by the requirements of the rule.
"It is not immediately apparent to most marketers as to whether they’re covered under the rule or not," Faley said. "They really need to dig in and talk to their attorneys. The rule is often counterintuitive."
A date of April 14, 2003 has been set for compliance. Small health plans, those with annual receipts of $5 million or less, have until April 14, 2004, according to the DMA.
The information protected includes name, specific dates—such as birth date, admission or discharge dates and the date of death—social security number, medical record number, photographs, city, Zip code and other geographic identifiers.
According to the rule, written permission must be obtained from individuals—by way of a signed authorization form—before health-related information is shared or used for marketing or fundraising. Covered entities must receive a written agreement from each of its business associates acting on its behalf prior to disclosing any protected health information.
In addition, patients have to right to receive a privacy notice, request that the use of their information be protected, inspect their medical records, receive an accounting of the disclosure of their protected information and file a complaint.
And the fines for violating the rules are stiff.
Violators can be sentenced for up to 10 years in prison and fined up to $250,000 in criminal penalties. Civil penalties can be imposed that include $100 per violation and up to $25,000 per person, per year for each violation.
The DMA is conducting a seminar on the revisions to HIPPA this spring as part of its Corporate Responsibility Series, which began last year. No date has been set.
