Will HIPAA Prompt Greater Scrutiny of Sensitive Consumer Data?
The regulations take effect April 12 for most entities and one year later for smaller healthcare providers with annual receipts of $5 million or less.
"In connection with the industry's list practices, I suspect the direct impact of HIPAA will be non-existent or minimal," said D. Reed Freeman, an attorney at Collier Shannon Scott PLLC, a Washington law firm specializing in advertising, marketing, e-commerce and privacy.
But the act could raise different issues about collection and use of other types of data, he said.
The changes to HIPAA were passed in August and apply to healthcare providers, health plans and healthcare clearinghouses as well as their business associates. The privacy provision states that those covered by the regulations need written permission before releasing an individual's personally identifiable information for marketing or fundraising. Under HIPAA such information includes name, address, Social Security number, birth date, date of death and medical record date.
The Direct Marketing Association released a fact sheet last month to help marketers determine whether new privacy provisions of HIPAA apply to their business practices. Regarding list activities, the DMA offered an example of how list compilation would not be regulated.
"A list compiler collects health-related data volunteered by consumers on a survey," the DMA said. "The list compiler then rents lists to providers of health insurance plan benefits for their marketing campaigns. The list compiler does not need to enter into a business associate contract because it is not acting on behalf of a covered entity at the time of data collection. Therefore, the information is not protected health information."
Though Freeman said the DMA's assessment is accurate, he wonders whether HIPAA might lead to scrutiny of other types of data collection and use that are not regulated under it.
"HIPAA may be a red herring that leads to other privacy concerns," he said.
He compared the use of surveys for collecting ailment data with the recent string of student list cases in which the Federal Trade Commission said data collectors needed to specify that survey data would be used for marketing purposes. Though the student data issue may have been touchier because minors were involved, he said, any data of sensitive nature could become an issue.
"The real issue is list companies' collection, use, compiling, renting and trading [of] information that is sensitive in nature, which can include medical, financial, marital status, ethnicity and sexual orientation," Freeman said.
He cautioned marketers to be upfront when collecting data. When you are going to use information for marketing, you have to say so, and you should disclose how the information would be used, he said.
But as for HIPAA specifically, Freeman said list companies had little to worry about.
"HIPAA covers health plans, healthcare providers and healthcare clearinghouses," he said, "and you're not going to get a list from one of those entities without an agreement as to how you can handle the list."
However, the DMA fact sheet did offer an example of HIPAA's marketing implications for a teleservices company hired by a hospital to encourage former patients who previously donated blood to donate again. That hospital would need patient authorizations because it must disclose patients' protected data to the teleservices company.
The DMA fact sheet on HIPAA can be found at www.the-dma.org/library/privacy/hipaafaqs.shtml.