Follow the Bouncing Ball: Marketing under the HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule will significantly affect how any health plan (or other covered health care entity) can use its member or patient information for marketing purposes. While the Final HIPAA Privacy Rule issued in August cut back on some of the more draconian potential effects of the Rule as proposed, the marketing provisions require study by any entity that engages in any kind of marketing using health care member information.
In addition, the breadth of the Rule is counter-intuitive, and may present particularly difficult education challenges within a health plan's corporate structure, as the Rule applies to a wide variety of practices that do not at first blush appear to be marketing at all. Moreover, because the Rule places so much emphasis on obtaining "authorizations" from members, it will be essential to develop effective authorization-tracking systems for use with marketing.
The First "Final" Rule
As published in December 2000, the Privacy Rule did not impose an absolute prohibition against using or disclosing Protected Health Information ("PHI") for marketing. Rather, the 2000 Privacy Rule generally provided that before a covered entity could use or disclose PHI for marketing purposes, it must obtain a prior written authorization, unless the disclosure fits one of the marketing exceptions. There were two key exceptions:
- Communications that fall within one of the exceptions to the marketing definition (for example, a communication by a covered entity for the purpose of describing entities participating in a health care network or for the purpose of determining the extent to which a product or service is provided by the covered entity or included in a plan of benefits); and
Marketing communications for which an authorization is not required [a marketing communication to the individual that concerns health-related products or services of the covered entity (or of a third party)] when the communication meets certain specified requirements (e.g., it describes how the individual may opt out of receiving such future communications).
The NPRM Changes
The March 2002 Notice of Proposed Rulemaking cut back significantly on the "marketing" that could be done without an authorization. In particular, the Department of Health and Human Services ("HHS") proposed to delete the category of marketing communications for "health related products or services of the covered entity or another third party," which, under the 2000 Privacy Rule, could be made without authorization as long as certain conditions were met.
HHS also proposed certain other "minor clarifications" to the marketing provisions. They revised the definition of marketing to focus on the effect of the communication, not the intent of the marketer. There also was a slight revision to the exceptions for the marketing communications in connection with treatment-related activities to bring the exception in line with terminology used elsewhere (to allow communications "for case management or care coordination for that individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to that individual").
The "Final" Final Rule
HHS, in the August 14, 2002 Final Rule, changed the rules again. In general, HHS adopted many of the changes proposed in the NPRM. There were two significant differences from the NPRM, however.
First, HHS was concerned that covered entities would disclose PHI to third parties, perhaps even for monetary payments, in the guise of "business associate" arrangements, and the third parties would use that PHI to market their own products as "alternative treatments." HHS seemed particularly concerned about pharmaceutical companies trying to market different drugs. HHS, in the 2002 Final Rule, precluded this practice by expressly prohibiting arrangements between a covered entity and another entity where, in exchange for remuneration, PHI would be disclosed for the other entity to make a communication about its own products or services that would encourage recipients of the communication to purchase or use that product or service. HHS views this provision as prohibiting the sale of patient lists.
In addition, the Final Rule broadens the types of communications that can be made without an authorization (although not going as far as to restore the general exception from the 2000 Final Rule for "health-related communications"). Instead, in addition to allowing communications for treatment, case management or care coordination, or to direct or recommend alternative treatments or settings of care, HHS now allows communications that describe:
A health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
The specific addition deals with two points-replacement or enhancement of a health plan, and "value added items or services."
For health plans, this final provision will allow plans to market a wide variety of "changes" to their products. Specific examples mentioned in the Final Rule are:
- Product upgrades (different deductibles, co-pay percentages, etc.)
Conversion or continuation policies (e.g., a child no longer covered by a parent's policy)
Guaranteed issue products
Prescription drug card programs
Also, HHS now allows marketing of certain "value added" items and services (e.g., discounts on eyeglasses or chiropractic visits), as long as these value-added items are "health-related" and are available only to members of an insurance plan. If these discounts apply to non-health areas (e.g., movie tickets), or are available to the general public (either from the covered entity or the service provider directly), then no marketing could occur without an authorization. (Query whether this provision places an obligation on a covered entity to ensure that no one else could get the same discount from the service provider?) In general, while the final changes do not allow unlimited marketing of "health-related" products or services, the Final Rule does allow much of the marketing that was allowed by the 2000 Final Rule, without the need for covered entities to establish an "opt-out" process.
Why Do These Provisions Matter?
The Scope of the PHI Definition
Protected Health Information ("PHI") is the term used to describe the type of information subject to the Privacy Rule. The majority view of health plans and industry analysts, and the likely view of HHS, is that the name and address of a member, standing alone, constitutes PHI under the Privacy Rule, even without a connection to health-related information. This would mean that where a name and address is "pulled out" from membership rosters, any use of the name and address would be considered use of PHI. While it is not necessarily intuitive that a name and address, standing alone, constitute health information, HHS likely will interpret and enforce the regulations under this interpretation.
Use and Disclosure
This Privacy Rule, unlike most other privacy rules [including the National Association of Insurance Commissioners ("NAIC") Model Statute for Insurance Information Privacy Protection and many state Gramm-Leach-Bliley ("G-L-B") laws], applies to both the "use" and the "disclosure" of PHI. Accordingly, the impact of the HIPAA Rule is disproportionately large because it applies to so many situations where a health plan "uses" its member lists to send marketing communications without "disclosing" PHI to anyone.
The Need for Authorizations
The Privacy Rule does not "prohibit" marketing communications. Instead, it simply places conditions on how and when such communications may be made. The most significant condition is that these communications may not be made without a prior written marketing authorization. This authorization must meet a variety of requirements. In general, covered entities will want to evaluate how best to obtain authorizations (and to track the members from whom authorizations have been received). Such authorizations for marketing may not be required from members, nor may any benefits be conditioned on executing an authorization.
In addition, there is no precise specification of how "broad" the authorization may be. It is probably possible to draft a marketing authorization (even at the time of enrollment) that would be sufficiently detailed to allow a covered entity to market anything it wanted at any time. In order to do this, however, the language would have to be sufficiently broad that it might "scare off" some members (and in the Final Rule Preamble HHS indicated skepticism that a "blanket" marketing authorization could meet the Rule's requirements for an authorization). Accordingly, the narrower the scope of the authorization, arguably the more members would execute the authorization. Is it possible to send out a request for authorization that identifies the product to be marketed, such as by asking, "can we get your permission in order to tell you about our great product?" This is certainly an area for creative thinking by covered entities.
Understanding and analyzing the ambiguities of this Rule will be critical, and educating the appropriate personnel on the significant analytical and operational changes required by this Rule will be difficult. Developing creative (and HIPAA-compliant) means of obtaining authorizations, tracking these authorizations and developing alternative marketing strategies all will be substantial challenges, with significant compliance requirements. The pressure to continue to do marketing under a strict regulatory regime (in an area where compliance considerations often have been ignored) may create significant tensions between business operations and the HIPAA requirements.
Despite the many positive changes of the Final Rule (at least as compared to the NPRM), marketing remains an area of critical concern for HHS, covered entities and the general public (and their lawyers). While the Final Rule allows certain marketing activities without restriction, covered entities should evaluate these Rules carefully, with an eye not only towards compliance with the Rule but also to the risks of marketing activities at the margins.
For further information on marketing under the HIPAA Privacy Rule, please contact Kirk J. Nahra (202.719.7335 or ).