DRAFT

Version 5: 3/1/14

Per January 23, 2014 Rule

HIPAA COW

PRIVACY NETWORKING WORKGROUP

USE/DISCLOSURE OF PROTECTED HEALTH INFORMATION

FORMARKETING PURPOSES

Disclaimer

This Use/Disclosure of Protected Health Information for Marketing Purposes Policy is Copyright  by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Use/Disclosure of Protected Health Information for Marketing Purposes Policy is provided “as is” without any express or implied warranty. This Use/Disclosure of Protected Health Information for Marketing Purposes Policy is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Policy and Procedure. Therefore, this document may need to be modified in order to comply with Wisconsin/State law.

* * * *

State Preemption Issues:
Sections 341.17(9)(c)3, 343.235(3(b)and 343.24(4)(c)(2) Wis. Stats. state that insurers (including disability and long-term care insurers) who have received personal identifier information from the Department of Transportation to pay claims or benefits and are prohibited from disclosing the personal identifier information to any party for marketing purposes.

Policy:

It is the policy of [PROVIDER/PLAN] to secure an authorization to use or disclose protected health information (“PHI”) for marketing purposes as defined in and in compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. [45 CFR 164.501, 164.508(a)(3)]

Definitions (45 CFR 164.501):

Marketingmeans to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

Marketing does not includea communication made:

  1. To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication.

NOTE: permissible costs are only those costs of labor, supplies, and postage to make the communication. Where financial remuneration received in exchange for making a communication generates a profit or includes payments for other costs, such financial remuneration is not reasonable. See 78 Fed. Reg.5597 for a discussion of reasonable costs.

  1. For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
  2. For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
  3. To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
  4. For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activitiesdo not fall within the definition of treatment.

Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

NOTE: Financial remuneration does not include non-financial benefits, e.g., in-kind benefits, provided to [PROVIDER/PLAN] in exchange for making a communication about a product or service. Financial remuneration includes when a business associate (including a subcontractor), as opposed to [PROVIDER/PLAN], receives financial remuneration from a third party in exchange for making a communication about a product or service. Direct payment means financial remuneration that flows from the third party whose product or service is being described directly to [PROVIDER/PLAN]. Indirect payment means financial remuneration that flows from an entity on behalf of the third party whose product or service is being described to [PROVIDER/PLAN].

78 Fed. Reg.5595-96.

The following situations are exceptions or exclusions to or do not meet the definition of marketing[1]:

  1. [PROVIDER/PLAN]can convey information to beneficiaries and members todescribe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of [PROVIDER/PLAN], including: the entities participating in a health care provider network or health plan network, health insurance products offered by [PROVIDER/PLAN]that could enhance or substitute for existing health plan coverageand health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits. 45 CFR 164.501 (see 78 Fed. Reg. 5593 for a discussion of this exclusion). For example, if a child is about to age out of coverage under a family’s policy, this provision will allow the plan to send the family information about continuation coverage for the child. This does NOT extend to excepted benefits such as accident-only policies or to other lines of insurance.
  2. [PROVIDER/PLAN]may make communications that are merely promoting good health and not about a specific product or service does not meet the definition of “marketing.” So mailings reminding women to get an annual mammogram, or with information about how to lower cholesterol, about new developments in health care or about health or “wellness” classes, support groups and health fairs are permitted and not considered marketing.45 CFR 164.501 (see 78 Fed. Reg. 5597 for a discussion of this exemption).
  3. [PROVIDER/PLAN]may make communications about government-sponsored programs do not fall within the definition of marketing. There is no commercial component to communications about benefits available through public programs. [PROVIDER/PLAN]is permitted to use/disclose PHI to communicate about eligibility for Medicare, Medicaid, or CHIP.See 78 Fed. Reg. 5597.
  4. [PROVIDER/PLAN]may make communications in newsletter format without authorization so long as the content of such newsletter does not fit the definition of “marketing.”
  5. [PROVIDER/PLAN]may makecommunications for treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual (to the extent these activities did not constitute treatment). 45 CFR 164.501 (see 78 Fed. Reg. 5593 for a discussion of this exclusion).
  6. [PROVIDER/PLAN]may make communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, such as annual mammograms, do not constitute marketing and thus, do not require individual authorization. See 78 Fed. Reg. 5597.

Procedure for Authorization to Use or Disclose PHI for Marketing Purposes:

1. [PROVIDER/PLAN] will obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of a:

  1. face-to-face (i.e., in person, not via phone, mail, or email) communication with the patient; or
  2. a promotional gift of nominal value provided by [PROVIDER/PLAN].
  1. If the marketing involves [PROVIDER/PLAN] (or [PROVIDER/PLAN]’s business associate or subcontractor) receiving financial remuneration by a third party, the authorization will state that such remuneration is involved. Please see the HIPAA COW WI Authorization form for additional requirements for a valid authorization.

Examples that do not require authorization:

  1. A hospital sent flyers to its patients announcing the opening of a new wing where the funds for the new wing were donated by a third party, since the financial remuneration to the hospital from the third party was not in exchange for the mailing of the flyers. See 78 Fed. Reg. 5593 for a discussion of this example.
  2. If a third party provides financial remuneration to a covered entity to implement a program, such as a disease management program, the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity’s program itself. See 78 Fed. Reg. 5596 for a discussion of this example.
  3. A health care provider could, in a face-to-face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications. See 78 Fed. Reg. 5596 for a discussion of this example.
  4. Communications about the generic equivalent of a drug being prescribed to an individual. See 78 Fed. Reg. 5596 for a discussion of this example.
  5. Communications encouraging individuals to take their prescribed medication. See 78 Fed. Reg. 5596 for a discussion of this example.
  6. Communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, where an individual is prescribed a self-administered drug or biologic. See 78 Fed. Reg. 5596 for a discussion of this example.
  7. Communications where the materials describing a member-exclusive value added health product or service were provided by the entity to the health plan or its business associate and no payment was made by the entity relating to the mailing or distribution of the materials. See 78 Fed. Reg. 5597 for a discussion of this example.
  8. If a third party provides financial remuneration to a covered entity to send refill reminders, the covered entity can provide communications if the financial remuneration covers only the cost of drafting, printing, and mailing the refill reminder. See 78 Fed. Reg. 5597 for a discussion of this example.
  9. Refill reminder communications by a pharmacy to individuals only when they visit the pharmacy (in face to face encounters) even if the pharmacy receives financial remuneration above and beyond what is reasonably related to the pharmacy’s cost of making the communication. See 78 Fed. Reg. 5597 for a discussion of this example.

The following are examples of situations that require authorization:

  1. The final Omnibus Rule prohibits a covered entity to sell lists of patients or enrollees to third parties or to disclose PHI to a third party for the independent marketing activities of the third party without patient authorization. See 78 Fed. Reg. 5594 for a discussion of this example. For example, a pharmaceutical company cannot pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients.
  2. Authorization would be required prior to a covered entity making a communication to its patients regarding the acquisition of, for example, new state of the art medical equipment if the equipment manufacturer paid the covered entity to send the communication to its patients. See 78 Fed. Reg. 5593 for a discussion of this example.
  3. It would not require authorization if a local charitable organization, such as a breast cancer foundation, funded the covered entity’s mailing to patients about new state of the art mammography screening equipment. See 78 Fed. Reg. 5593 for a discussion of this example.
  4. Communications made over the phone (as well as all communications sent through the mail or via email) do not constitute face-to-face communications, and as such, these communications require individual authorization where the covered entity receives remuneration in exchange for making the communications. See 78 Fed. Reg. 5596 for a discussion of this example.

Considerations for Procedure:

  • Implement a tracking process for authorizations received from patients permitting the receipt of marketing communications. Investigate the organization’s EHR capability to include a field dedicated to recording the authorization toreceive marketing communications. If EHR does not have capability, determine a tracking process for those individuals authorizing the receipt of marketing communications prior to distribution of the communications.
  • Traindepartments responsible for distribution of patient communications on marketing policy.
  • Consider creating a centralized review approval process requiring the Privacy Officer signature prior to distribution of communications.
  • Implement a process for obtaining patient authorization.
  • Establish a cooperative working relationship with a third party if involved in any aspect of marketing and distribution of communications.
  • Ensure that marketing is addressed in the Business Associate Agreement.
  • Include marketing reference in the Notice of Privacy Practices. Please see the HIPAA COW Notice Policy for provider or health plan for sample marketing language.

References:

  • 45 CFR 164.501and 164.508(a)(3)
  • Modifications to the HIPAA Privacy, Security, Enforcement, and BreachNotification Rules Under the Health Information Technology for Economicand Clinical Health Act and the Genetic Information Nondiscrimination Act;Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5565 (Jan. 25, 2013) (amending 45 CFR Parts160 and 164) (aka Omnibus Final Rule) (available
    hipaa/administrative/omnibus/)
  • The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.
  • “Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act,” American Health Information Management Association, January, 2013.

.

Current Version: 3/1/14

Prepared by: / Content Changed:
Carrie Aiken, CHC
Julie Albright, RHIA
Cathy Boerner, JD, CHC
Laura Galloy, JD, LLM
Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA
Karen Navarro
Meghan C. O'Connor, JD
Betty Rockendorf, MS, RHIA, CHTS-IM, CHPS
Judy Titera, MBA, CIPP US/IT/CIPM / Substantial changes made due to Omnibus Rule changes in marketing definition and preamble comments.
**You may request a copy of the all the changes made in this current version by contacting administration at .
Reviewed by: Privacy Networking Group

Original Version: 1/22/04

Prepared by: / Reviewed by:
Gail Coleman, Elder Care of Dane County / Susan Manning, JD, RHIA

 Copyright HIPAA COW

Page 1

[1] Please note, the preamble to the Omnibus Rule notes that future guidance to address examples and situations that fall within and outside the marketing authorization exception is forthcoming. See 78 Fed. Reg. 5596.