DMA Fact Sheet Decodes HIPAA Provisions
Under the new rules, healthcare providers, health plans and healthcare clearinghouses need written permission before releasing an individual's personally identifiable information for marketing or fundraising. The rule also applies to business associates of covered entities.
The regulations take effect April 12 for most entities and one year later for smaller healthcare providers with annual receipts of $5 million or less.
The fact sheet gives examples of marketing activities that would fall under HIPAA and therefore require authorization. One example was a teleservices company hired by a hospital to encourage former patients who previously donated blood to donate again. Authorizations are needed in this situation because the hospital must disclose patients' protected data to the teleservices firm.
The DMA also gave an example of a marketing activity that would not fall under HIPAA: list compilation.
"A list compiler collects health-related data volunteered by consumers on a survey," the DMA said. "The list compiler then rents lists to providers of health insurance plan benefits for their marketing campaigns. The list compiler does not need to enter into a business associate contract because it is not acting on behalf of a covered entity at the time of data collection. Therefore, the information is not protected health information."
The fact sheet is on the DMA's Web site, www.the-dma.org/library/privacy/hipaafaqs.shtml.