
HIPAA and the "Marketing" Quandary

Gerard Clum, DC

April 14, 2003, is the implementation deadline for the privacy rule associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If you are a "covered entity," this rule will require a number of important changes in the practices and procedures related to your practice.

One of the more confusing aspects of HIPAA involves the concept of "marketing," and your ability to use protected health information (PHI) for marketing purposes. The privacy rule limits the uses of PHI by a covered entity. Protected health information includes data as basic as a patient's name and address. A quick reading of the privacy rule may lead you to the conclusion that you are prohibited from using basic patient data for newsletters and office event announcements, such as a patient appreciation day.

The issue of "marketing" has been consistently defined in the rule-making, but the approach to it has varied considerably over the past year. "Marketing" is defined in 45 CFR Part 164 at 164.501 as follows:

"To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."

Early in 2002, "marketing" included an opt-out approach. PHI could be used to communicate with patients for marketing purposes, unless the patient opted out of such opportunities. On Aug. 14, 2002, the final Privacy Rule was published; the opt-out approach was removed from the regulation and replaced with a requirement for "authorization." Specifically, the Privacy Rule requires an "authorization" for any use or disclosure not otherwise permitted under the regulation. In 45 CFR Part 164 (164.508), the subject "Use and disclosure for which an authorization is required" is addressed. The section states, "... a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing." The rule-making provides for several exceptions to the rule, including face-to-face communications with a patient or the provision of a gift of nominal value. Nominal value has been set in similar circumstances by the Office of the Inspector General (OIG) as a maximum of $10 per gift, with an annual total for such gifts of $50.

The rule, however cumbersome for a covered entity to deal with, seemed rather clear-cut. If you want to use PHI for anything that encourages the recipient of the communication to use the product or services being discussed, you must obtain an authorization from the patient for the use of his or her PHI.

On Dec. 3, 2002, the U.S. Office of Civil Rights (OCR) published a "guidance" relative to the "Standards for Privacy of Individually Identifiable Health Information." The guidance addressed the subject of marketing (pp. 65-76); it restated the definitions noted above, and offered a series of scenarios for each point being illustrated. Following the narrative portion of the guidance, a question-and-answer section addressed specific situations.

The guidance contained the following statement with respect to marketing:

"This exception to the marketing definition permits communications by a covered entity about its own products or services."

In the Q & A follow-up, a relevant question was posed:

"Is it 'marketing' for a covered entity to describe products or services that are provided by the covered entity to its patients, or to describe products or services that are included in the health plan's plan of benefits to members of the health plan?"

The response seems contradictory to the definitions provided in the regulation at 164.501 and the discussion of marketing at 164.508. The response included the following:

"No. The HIPAA Privacy Rule excludes from the definition of 'marketing' communications made to describe a covered entity's health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication."

The OCR provides several examples that help in the understanding of the exclusion:

"Thus, it would not be marketing for a physician who has developed a new anti-snore device to send a flyer describing it to all of her patients (whether or not each patient has actually sought treatment for snoring). Nor would it be marketing for an ophthalmologist or health plan to send existing patients or members discounts for eye-exams or eye-glasses available only to the patients and members."

Finally, on Feb. 5, 2003, at the National Conference on the HIPAA Privacy Rule on the campus of the University of California, San Diego, senior representatives of the OCR confirmed that a covered entity is free to communicate with patients about the services offered by the covered entity, without being subject to the restraints associated with marketing.

Therefore, it appears that under the HIPAA Privacy Rule, it is not considered marketing for a chiropractor, as a covered entity, to present information about chiropractic care and related services or products it provides. Moreover, based on the example offered by the OCR, the provision of discounts for care for established patients is an acceptable practice. This should be approached carefully with respect to the rules on prohibited inducements for Medicare patients, which prohibit the provision of anything of greater than nominal value ($10.00) as an incentive to initiate care.

The question of marketing is one specific element in the wide range of issues associated with the HIPAA Privacy Rule. Practitioners are encouraged to familiarize themselves with the entire spectrum of HIPAA requirements, beginning with the question of whether they are in fact covered entities.

Gerard Clum, DC
President, Life Chiropractic College West

www.lifewest.edu

March 2003