A new privacy rule took effect a few months ago that deals with medical records and personal health information. Though the law relates mainly to medical service providers, the way it is written means that those in the direct marketing community may be required to undertake controls to maintain confidentiality whenever they have access to medically related information, including the names and addresses of people receiving medical care.
Many in direct marketing are waking up to the restrictions the regulation places upon how business can be done and the potential civil and criminal penalties for noncompliance. Because the privacy rule requires those who have access to protected health information to enter into “business associate agreements” with medical providers, many service companies find themselves undertaking significant responsibilities related to safeguarding such information.
By now, the name Gramm-Leach-Bliley should ring a bell for everyone in DM, reminding them that consumers must be given the chance to opt out of having their personal financial information disclosed by financial institutions to third parties. But the privacy rule promulgated under the Health Insurance Portability and Accountability Act of 1996, which applies to medical information, goes much further than the GLB restrictions.
Though HIPAA generally applies only to healthcare providers and health plans, the rule covers businesses such as pharmacies, physicians and labs. HIPAA protects all individually identifiable health information gathered by a covered entity, including name, birth date, telephone and Social Security numbers, city, ZIP code and demographic data.
Simply put, any entity covered by HIPAA cannot sell protected health information to any other third party for that party’s own purposes, and no marketing efforts are permitted unless authorized in writing by the individuals. For example, the restrictions would cover even a pharmacy’s customer list without identifying the particular prescriptions being obtained. Restrictions also exist on how the covered entity can use the data internally.
Written authorization required. Marketing for a third party is permitted only if the consumer affirmatively and in writing agrees to have his or her personally identifiable health information disclosed. The authorization must include permission allowing use of the health-related information for purposes other than treatment, payment or healthcare operations. It also must include a specific description of the information to be disclosed; the person who can make such a disclosure; to whom the information can be disclosed; the purpose of the disclosure; and an expiration date or event.
The authorization needs statements that it can be revoked and how that can be done; that once disclosed, the information may be redisclosed; that treatment cannot be conditioned upon receipt of the authorization; and, if the business will be paid for the marketing activity, whether it will receive direct or indirect remuneration. Without such an authorization, third-party marketing is restricted almost to nonexistence under HIPAA.
Business associate agreements. If one of your list suppliers or a business to whom you supply services is considered a covered entity under HIPAA, you likely will be required to enter a “business associate” agreement. The business associate section was added to encompass businesses that are not directly subject to HIPAA but become liable because they contract with such covered businesses. Moreover, a party can be both a business associate and a covered entity.
The business associate agreement is a contract and should provide that the marketer may use the information from the supplier only in ways that comply with the opt-in authorization the consumer gave to the supplier. This contract should explain what uses of the information are permitted, and it will require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure of the information and to report to the information source any improper use or disclosure of which it becomes aware.
Importantly, business associates must ensure that anyone to whom they pass the information along agrees to the same restrictions and conditions. If the provider becomes aware of a pattern or practice whereby a business associate is breaching or violating the obligations under the contract, or is misusing the information in any way, the supplier is required by law to take steps to stop the problem.
If such steps are unsuccessful, the supplier must terminate the contract or report the matter to the Department of Health and Human Services. If the contract is terminated, the recipient of the information must return or destroy the information received.
Where there will be a disclosure of information by the business associate, it is prudent for any “business associate” to ask the supplier to provide a copy of the authorization that it has used to gather the information. A proper authorization lowers the chances of complications arising down the road.
There is much to concern marketers, but there is good news as well. Though HIPAA will make life more complicated for DMers who use medical-related sources, it does not prevent them from continuing to market products and services to those people who are ideally interested and who provide the requisite authorization.