HIPAA Changes Require Close Study, DMA Exec Says

Pending changes in the rules governing use of healthcare information are a potential minefield, according to Patricia Faley, vice president of ethics and consumer affairs at the Direct Marketing Association.

The revisions to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are so complex that many healthcare providers have hired chief privacy officers just to deal with them, Faley said.

Entities covered under the rule include:

  • Health plans, healthcare clearinghouses and healthcare providers.

  • Business associates, including service bureaus, software and database vendors and pharmaceutical manufacturers.

Faley cautioned that the complicated rule may make it difficult for DMA members to determine if they need to comply.

“It is not immediately apparent to most marketers as to whether they’re covered under the rule or not,” Faley said. “They really need to dig in and talk to their attorneys. The rule is often counterintuitive.”

A date of April 14, 2003, has been set for compliance. Small health plans (those with annual receipts of $5 million or less) have until April 14, 2004, according to the DMA.

The information protected includes name, specific dates (such as birth date and date of death), Social Security number, medical record numbers, photographs, city, ZIP code and other geographic identifiers.

According to the rule, written permission must be obtained from individuals — by way of a signed authorization form — before health-related information is shared or used for marketing or fundraising. Covered entities must receive a written agreement from each of their business associates acting on their behalf prior to disclosing any protected health information.

Under the criminal penalties, violators can be sentenced to up to 10 years in prison and fined up to $250,000. Civil penalties include $100 per violation and up to $25,000 per person, per year for each violation.