The Maze of New Health Privacy Rules

This is the first of a two-part series.

Many readers of DM News may be happy to see Bill Clinton leave the White House. During the past few years, President Clinton placed a strong emphasis on privacy. He pushed for stronger bank privacy laws, signed into law a Children’s Online Privacy Protection Act and stopped a bill on the use of Social Security numbers because it lacked enough restrictions.

Before you cheerfully wave goodbye to Clinton, take a closer look at the last major privacy action of his administration. In December, the Department of Health and Human Services issued health privacy rules under the Health Insurance Portability and Accountability Act. You won’t believe the rules on marketing.

First, a bit of background. HIPAA has a long history. It became law in 1996, and the part of the law relevant here is the Administrative Simplification title. The idea was to make electronic healthcare transactions more uniform, more efficient and less expensive. The law directed the department’s secretary to issue standards for electronic transactions, for security and for identification of providers, employers and health plans.

As HIPAA was going through Congress, some worried that increased electronic activity for healthcare without privacy protections would make patients nervous. However, writing a health privacy law is hard.

During my years on Capitol Hill, I managed two separate attempts to pass a health privacy bill. Each time, I worked for two years on the legislation, but we were never able to overcome the substantive and political differences.

The same difficulties confronted those writing HIPAA, but Congress took the easy way out. The law directed the secretary of the Department of Health and Human Services to write health privacy rules. However, the bill’s authors suffered from the delusion that Congress might still be able to pass its own law, so they delayed the secretary’s rule-making authority for three years. If Congress was unable to act by mid-1999, the secretary was directed to issue rules.

Predictably, Congress failed to enact the law, so the secretary began the rule-making process in 1999. The final rules were published Dec. 28. You can find them at Be warned. The rules and the accompanying preamble are hundreds of pages.

The rules are also exceedingly complex, with details for privacy advocates and the health industry to like and to hate. Some advocates welcomed the rule, while others were less pleased. The industry seemed mostly unhappy about the rule, in part because of a lack of uniformity. The law did not allow the secretary to pre-empt stronger state laws, so nationwide health companies will still have to comply with 50 state laws.

Industry also grumbled about the seemingly expensive administrative requirements in the rule. Like the financial privacy rules under Gramm-Leach-Bliley, the health rules offer virtual privacy rights that tend to evaporate when examined closely. Also like the bank privacy rules, the health rules impose more costs on record keepers than the virtual rights may be worth to consumers.

One lesson here is that an industry that fails to clean its own privacy house may end up with a lousy and expensive privacy law that does not remove the pressure from consumers for more privacy.

For marketers, however, the health privacy rules offer a real prize. Just about all health information can be used for marketing by healthcare providers and by health plans. Further, if a provider or plan can do something with patient information, the provider or plan also can allow others to do it.

The guts of the marketing rules are in section 164.514(e). The section allows the use or disclosure of patient data for marketing without affirmative patient consent (opt in) or without negative patient consent (opt out). The information can be used for face-to-face marketing. It also can be used for marketing concerning products or services of nominal value.

A third category of permissible marketing uses is limited to health-related products or services, but that is not much of a limit.

Of course, some conditions apply to marketing. The source of the data must be disclosed, as well as any financial arrangement for the use of the list. The health plan or provider also must determine that the product or service would be beneficial. If someone was targeted based on a health condition, the communication must explain how the selection was made. Finally, an opt out must be offered.

How onerous are these conditions? Imagine that you run a laboratory that does pregnancy tests. Here is a short statement that meets the disclosure requirement for marketing to pregnant women: “We learned about your pregnancy from the XYZ Laboratory, which was compensated for the information. The XYZ Labs agreed that our diaper service was the best and safest way to care for your new baby. You can opt out of receiving offers like this by writing a letter to the address on the letterhead.”

By the time that your copywriters are finished massaging the disclosures, they will have a cheerier look and feel.

The real message is not that there are conditions, but that anyone providing or paying for healthcare can use patient information for marketing. Depending on your perspective, this is either an exciting new business opportunity or a massive new invasion of privacy.

Next: More of the terms and conditions for healthcare marketing under HIPAA.

• Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. His e-mail address is [email protected]

Related Posts