Privacy Law and Policy Reporter
In debates over health privacy proposals, it was often said that video rental records had better privacy protection than medical records. Unfortunately, now that the final US Health Insurance Portability and Accountability Act (HIPAA) privacy rules have been issued (see <http://www.aspe.hhs.gov/admnsimp/>), it is still true that video rental records have better protections from marketing uses and disclosures than medical records.
The rule contains the most sweeping authorization for the use of patient information for marketing proposed in the last 20 years. The marketing rule was not in the draft rule published for comment.
The rule expressly authorizes disclosures for marketing without patient consent. For example, information about a woman’s pregnancy can be used by health providers or plans for marketing and disclosed to others for marketing. A woman could only object after the fact.
All medical information held by providers and payers can be used by them for marketing without affirmative patient consent or without the opportunity to opt out in advance.
All protected health information can be disclosed for marketing. The rule does not protect information about diagnoses, prescriptions, pregnancy, sexually transmitted diseases, mental health treatments, or confidential communications. Marketing to minors or using protected health information about minors is permitted.
Patients have the right to opt out of marketing only after receiving a marketing communication. If a family of four has a dozen doctors, clinics, health plans, hospitals, laboratories, pharmacies, pharmacy benefit managers, and so on, the family may have to write 48 separate letters to opt out of each organization’s marketing activities.
Patients do not have to be offered toll-free numbers to opt out, the ability to opt out online, or postpaid opt-out letters. A covered entity could require an individual to send a separate ‘snail mail’ letter to opt out. Nothing in the rule says that a covered entity cannot charge patients who want to opt out.
The Department of Health and Human Services (HHS) has defended the marketing rule by saying that it allows physicians to make recommendations to patients. However, the definition of marketing expressly excludes these recommendations. Therefore, a rule allowing broad uses and disclosures for marketing is not necessary to permit physicians to make treatment recommendations.
Any doubts about the sweeping scope of the marketing rule are put to rest by these words from the preamble to the rule (on page 82771 of the Federal Register notice):
‘However, the final rule permits an alternative arrangement: the covered entity can engage in health related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity’s name.’
This language says expressly that marketing is permissible for a fee, that marketing is permissible on behalf of third parties, and that telemarketing is permissible.
A covered entity does not need patient authorization if it uses or discloses protected health information for marketing under any of these conditions :
The conditions that apply to the last category of marketing offer some limited protections. The communication must identify the covered entity as the party making the communications. If the information were given to a business associate, the business associate might have to say that it was the covered entity. This may actually hide the fact that the information had been shared with another entity. Or the information might be presented in another way (for example, ‘Now that you are pregnant, your doctor asked us to tell you about our diaper service.’). Because any covered entity can use data for marketing, the source of the data might be a laboratory or other indirect provider that a patient would not even recognize.
The communication must prominently disclose whether the covered entity was being paid directly or indirectly. This can be done easily (for example,‘The XYZ diaper company is paying us to mail this offer to you, but we think the offer is so wonderful that we would have done it anyway had we thought of it first ourselves.’)
The third condition is that the patient must be given an opportunity to opt out of receiving future communications. There are several problems here. An opt-out is not required for newsletters or general communications distributed to a broad cross section of individuals. However, it is not clear what a broad cross-section means. A hospital being paid to send a promotion for a drug manufacturer could avoid offering an opt-out if the communication were to a broad enough group. For example, a promotion for a drug of interest only to diabetics would not have to offer an opt out if the promotion went to all hospital patients.
It is not clear what is meant by ‘opting out’. Would a patient opting out of a promotion for a diabetes drug also have to opt-out separately of promotions for heart, kidney, and cancer drugs or promotions for other third parties? Would opt outs cover institutions, business associates, indirect providers and hybrid entities or would separate opt-outs be required?
The rule does not specify an opt out procedure. An 800-number for opting out is not required. No online opt-out is required. No postpaid opt-out card/letter is required. Patients could be required to write a ‘snail mail’ letter for each provider, health plan, insurance company, pharmacy, pharmacy benefit manager, laboratory, x-ray facility, clinic, and other facility (for example, ‘If you want to opt out of future promotions, write a letter containing your name, address, health plan, SSN, medical record number, the names of your doctors at our hospital, the clinics you attend, and send it to us at XXX.’).
Perhaps the worst opt-out feature is that the rule does not provide for opting in or even advance opting out. An individual acquires the right to opt out only after receiving a marketing communication.
Other conditions apply if a covered entity uses or discloses protected health information to target communications based on health status or condition. The entity must determine that the product is beneficial to the targeted individuals. The rule does not require a determination by a treating physician or health professional; an administrator can presumably make the determination. A study that shows any potential benefit, no matter how small or questionable, might be enough to justify a determination. For example, the rule might permit the marketing of vacation packages to patients with a variety of ailments or as a preventative measure.
A second condition is that the communication must explain why the individual has been targeted and why the product or service would be beneficial. This condition actually runs the risk of further invading the privacy of marketing subjects. Imagine marketing condoms to a teenager who was treated for syphilis. The promotion would have to say that the teenager was selected because she or he was sexually active and condoms will prevent a recurrence of the disease. What happens if the teenager’s parent opens the letter first? A woman who had an abortion that her family did not know about might receive a solicitation for family planning services that referred to her abortion.
A third condition is that a covered entity must make reasonable efforts to ensure that opt-outs will be honored. This condition is useful, but the rule does not require anyone to make reasonable efforts to provide easy, free and alternative method to opt out. The rule does not say anywhere that a patient must be able to opt out without paying a fee.
The rule suggests that information cannot be disclosed to a third party without consent. That is true, but it is misleading. A disclosure for marketing can be made to a business associate, and anyone can become a business associate by signing a contract with a covered entity. Patient records can be disclosed, for example, to a telemarketing firm if the firm becomes a business associate. The telemarketer can then market any health related product or service, including a product or service of a company that is not a business associate.
The general privacy rules attach to business associates who receive disclosures from covered entities. This is a good thing, but the fact remains that broad scale marketing using patient information is permitted. Business associates could be allowed to make disclosures to other business associates.
The information of a consumer who responds to a promotion might not be covered by the privacy rule. A consumer who responds to a marketing solicitation might be disclosing name, address, and diagnosis to a third party not covered by the rule. Further use of the information would therefore be unrestricted.
Another consequence of the marketing rule involves remedies available to individuals whose records are misused. The final rule removed the requirement that patients be identified as third party beneficiaries under any contracts with business associates. Thus, if a marketer or business associate of a hospital misuses health information disclosed to the marketer, a patient would have no clear right to sue under the HIPAA scheme. The legal conclusion on this point would vary from state to state, and a great deal of uncertainty about third party beneficiary law and health privacy remains. Nevertheless, it is possible that no remedy would be available.
The Video Privacy Protection Act does not allow video operators to disclose the names of movies that an individual rented without affirmative consent. The HIPAA health privacy rules allow use and disclosure of any protected health information for many marketing purposes without the affirmative consent of the individual.
The Video Privacy Protection Act allows video operators to disclose the categories of movies rented (not actual titles) only if an individual was given an opportunity in advance to opt out. The HIPAA health privacy rules allow disclosure of any protected health information for many marketing purposes without mandating an opting out in advance.
Robert Gellman Privacy and Information Policy Consultant <firstname.lastname@example.org>