You’re going to want to block out a few hours for quiet reading and concentration. Healthcare marketing and communications professionals will want to (carefully) read all 563 pages of the Final HIPAA Omnibus Rule. It becomes effective next month, with a compliance date of September 23rd of this year–with increased fines for non-compliance.
How will you measure up? “Marketing” has been redefined, and some activities by healthcare entities—insurance companies, hospitals, providers and others—may need to change. And the rights of patients regarding the use and disclosure of their personal information by their healthcare provider, insurer or a third-party business have been strengthened.
Under HIPAA, a patient’s written authorization is required before a hospital or health plan can market products or services that are outside of the patient’s treatment or benefit plan. Hospitals can communicate with patients about health services that are included in, or add value to, the member’s plan.
The expansion of the Health Insurance Portability and Accountability Act of 1996 clarifies marketing, fundraising and other aspects of safeguarding and using health information. Some of the significant changes include:
- Applying all of the Security Rule standards and implementation specifications and certain Privacy Rule provisions directly to business associates;
- Adding “subcontractors” to the definition of “business associate” and requiring business associates to enter into written contracts with subcontractors that are substantially similar to business associate agreements;
- Revising the definition of “marketing” in the Privacy Rule to delineate which specific activities constitute marketing of Protected Health Information (PHI);
- Requiring covered entities to obtain authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities).
It’s important to note that we are not providing legal advice here, and you may want to seek qualified legal counsel for your questions. In general, the final Health and Human Services Department rule says that “communications subsidized by the manufacturer of a product or service is marketing, and the only exception is for communications about drugs and biologics that a patient is being treated with, including generics.” And as you can appreciate, that’s just the simplified definition.
For more information, the Ohio based law firm of Bricker & Eckler provides the complete text of the HIPAA Privacy Regulations and a section-by-section compilation of the documentation as it appeared in the Federal Register. Included is Privacy of Individually Identifiable Health Information: Definitions: Marketing, available online here.
We’ll be bringing you more on this topic with additional posts in this series. And we’d like to hear how the Final Rule will change your marketing plan.The HHS News Release and Final Rule [PDF] are available here.