The HIPAA Privacy and Security Omnibus final rule should bring some long-awaited clarification and certainty to marketing, fundraising and other aspects of safeguarding and using health information.
Previously, consumers and industry were looking for different things in the interpretation of the regulation’s language, according to Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee.
“The initial set of rules was tilted toward meeting the needs of the industry. That appears to have significantly changed in the final rule,” she said in comments to Government Health IT.
In the final rule, the Health and Human Services Department said that communications subsidized by the manufacturer of a product or service are marketing, and the only exception is for communications about drugs and biologics that a patient is being treated with, including generics. The area in question had been marketing around population-based purposes.
“It’s a very good development for consumers, who when you survey them about their privacy concerns, marketing issues about their data is always really high on the list,” McGraw said.
“It is very unnerving for people to get email or mail that indicates that someone knows what medication they are taking. Your threshold of what is sensitive to you is preserved in this rule because you have the right to opt in for communications if you want to get them,” she said.
The final rule, released Jan. 17, fills in gaps, clarifies and finalizes some changes to safeguard the privacy, security and enforcement of patient information. The modifications are in response to the 2009 HITECH Act in the stimulus law, which strengthened the Health Insurance Portability and Accountability Act (HIPAA). HHS’ Office for Civil Rights enforces HIPAA and oversees health information privacy.
Adam Greene, partner, Davis Wright Tremaine LLP, and former senior health IT and privacy adviser in the Office for Civil Rights, said that fundraising is one of the major changes in the final rule for providers and other covered entities, who will have a greater ability to use protected information for fundraising purposes, such as being able to consider outcomes.
“So if a person had a negative outcome, you’re not sending them a fundraising request,” he said. Or, “If you have a new cancer center, you can potentially focus on oncology department patients,” Greene said.
Under the previous HIPAA privacy rule, a hospital could only use limited demographic information about its patients for fundraising purposes, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips.
“Many of my hospital clients have had an interest in targeting fundraising based on the nature of the services a patient received or who their doctor was, and having doctors make personal appeals to the patients, or targeting, say, cancer fundraising at people who had been treated for cancer. They really were not permitted to do that under the prior rule,” he said.
Now that’s been loosened so that information about the type of department a patient was in within the hospital and who their physician was can be used for fundraising.
“It will be interesting to see what, if anything, the patient reaction is. Right now patients shouldn’t be getting fundraising solicitation where they can see they’ve been targeted based on the nature of the services they got. I don’t know whether patients will have a negative reaction to getting solicitations that indicate fundraisers have looked at their data in more detail,” Belfort said.
Patients have the right to opt out, and hospitals will have to include a notice on all fundraising communications that the patient has the right to opt out of solicitations, “so it may be that more patients exercise that right when they see that their information’s being looked at more carefully for fundraising purposes,” he said.
Greene added that a “significant” change in the final rule had to do with flexibility around research. The change appears not in the language of the regulation but in the preamble, where HHS is changing its interpretation. “A covered entity can rely on an authorization with respect to future research studies that have not yet been created, which represents a huge impact for the research community,” he said.
Overall, consumers will have greater privacy and security protections with the final rule. “The HIPAA protections travel along with the information a lot more than in the past in that business associates or subcontractors are subject to HIPAA. And we have certain restrictions, such as on the sale of protected health information,” Greene said.
“But,” he added, “I’m not going to suggest that on a day-to-day basis that this will have a huge impact on individuals. There is a lot here that are clarifications, like electronic access to information. With the clarification, it may be helpful for them to get an electronic copy of their information.”