Health Privacy Rules Won't Satisfy EU
In my last column, I began an examination of the new health privacy rules issued by the federal government in December. The rules were issued under the authority of the Health Insurance Portability and Accountability Act.
To recap briefly, the HIPAA privacy rules allow patient information to be used by any health provider or health plan for marketing. The rules do not require affirmative patient consent or even that patients be offered an opt-out in advance. Opt-out rights are created only after a patient has received a marketing solicitation.
Under HIPAA, if a provider or plan can do something with information, the provider or plan also can disclose the information to someone else to do it for them. So if a hospital wants to send a marketing notice to its diabetic patients, it can hire another company - and disclose patient information to that company - under some conditions.
The HIPAA marketing rules say that a provider cannot just give a list to any third party. To make a disclosure of patient information for marketing, the disclosure can be made only to a business associate. Essentially, a business associate is an independent entity working for a hospital or health plan that obtains patient data. Examples of business associates include lawyers, accountants and bill collectors. A list broker can be a business associate, too.
The business associate concept says that it is OK to disclose records for an approved purpose as long as the associate treats the records under the same general principles as the original record keeper. As long as the business associate receiving the records provides appropriate security and uses or discloses the records only in proper ways, just about anyone can be a business associate. With a little care, a hospital could tell marketers about treatments, prescriptions and diagnoses.
One potential complication is the accounting requirement. The HIPAA privacy rules require that a disclosure history be maintained sometimes. Disclosures for marketing fall under the accounting requirement. Thus, any disclosures to business associates or by business associates must be recorded, and the details of the disclosures must be available to patients on request.
Keeping track of disclosures presents some difficulty and expense, and the burden might diminish the sharing of patient information. However, for some disclosures done for marketing purposes, it may be possible to avoid the accounting requirement through careful reading and application of the rules.
On the international front, the HIPAA privacy rules have interesting implications. In the preamble, the Department of Health and Human Services asserts that anyone complying with its privacy rules will meet the European Union "safe harbor" requirements as well. A company that wants to import personal information from Europe can meet the European Union's requirement for data exports by agreeing to the safe harbor principles that the EU negotiated with the Department of Commerce.
Does HIPAA satisfy safe harbor? I strongly doubt it. The reason is the marketing rule. Under safe harbor principles, data subjects must be given an opportunity to opt out of marketing disclosures.
The principles show a clear preference for giving data subjects opt-out rights before any marketing uses. However, the principles also suggest some flexibility in the timing of the opt-out, and the possibility of opt-outs after the fact is recognized when advance opt-outs are impractical.
Some might argue that the Department of Health and Human Services rules - with opt-out being required only after the fact - could fit under this general framework. However, the information at stake here is health data, and health data are sensitive data under the safe harbor framework.
For sensitive data, the safe harbor principles state that extraneous uses - such as for marketing - must be opt-in. None of the exceptions applies to the marketing of health data.
I offer two conclusions about the HIPAA privacy rules and the safe harbor requirements. First, the department's assertion that its rules meet safe harbor standards is just plain wrong. It isn't even a close call. I feel confident in suggesting that European Union data protection authorities will be appalled by the use of health records for marketing without the affirmative consent of data subjects.
Second, the department and the federal government made a mistake in asserting that the HIPAA privacy rules meet safe harbor requirements. It is patently clear that the rules are deficient on the marketing side. By arguing that the health rules are adequate, the government has only undermined its own credibility in ongoing data protection discussions with the European Union.
The HIPAA health privacy rules are perhaps the most complex privacy rules ever adopted in the United States. They make the Gramm-Leach-Bliley financial privacy rules look like an elementary school textbook. The HIPAA rules will also have consequences for organizations outside the healthcare business. For example, employers offering health insurance to their employees will have to pay attention because the way they use and process healthcare claims may have to change.
So even if you do not have an interest in using health records for marketing, you will have to learn about HIPAA after all. But don't be mad at Bill Clinton. Marketers have easier access to health records than a hospital fundraiser and even a patient's next of kin. The rules even allow marketing activities that are prohibited under the Direct Marketing Association guidelines.
Don't get too excited, however. The rules don't take effect until 2003.