
Compliance Perspectives: How to Ensure HIPAA Compliance among Marketing Staff

Sep 26, 2023 | Compliance Perspectives-lca, Essential, Lab Compliance Advisor, Laboratory Industry Report, National Lab Reporter

Lab leaders are at the greatest risk of HIPAA violations when they get complacent about privacy training.

Ensuring lab marketers comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements doesn’t end when you deliver initial or refresher privacy training. HIPAA privacy training is an ongoing responsibility that requires monitoring, following up, and reinforcing, particularly when significant operational or other changes occur and the guidance delivered in previous trainings may no longer be adequate. Lab leaders are at the greatest risk of HIPAA violations when they get complacent about training.

One way that compliance managers and other leaders can protect their labs is to remind marketers of HIPAA basics, outlining what is permitted and what is not when marketing the lab to providers and patients. A veteran healthcare privacy officer who recently spoke with G2 Intelligence suggests that lab leaders create a fact sheet listing key information about the marketing aspects of the HIPAA privacy regulations. The officer recommends distributing the fact sheet to your marketing staff and urging them to either post it or keep it handy for quick reference when they engage in marketing activities. Here’s how to create a HIPAA compliance fact sheet for your marketers, along with a template you can adapt.[1] To help create your own policy on the use of protected health information for marketing purposes, see the Model Policy on the G2 Intelligence website.[2]

5 Things to Include in Your HIPAA Marketing Compliance Fact Sheet

For the fact sheet strategy to work, it’s crucial for it to include the right information. According to the privacy officer, who asked not to be named for this article, there are five key items marketers need to be aware of to keep their activities HIPAA-compliant:

1. What Marketing Means

HIPAA compliance in the marketing context means keeping within the restrictions set out in the Privacy Rule governing use and disclosure of protected health information (PHI) for “marketing” purposes. The first thing marketers need to understand is what counts as marketing. The HIPAA Privacy Rule definition of marketing covers two kinds of activities, each of which lab marketing staff might engage in:[3]

  • making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” unless specific exceptions apply, and
  • an arrangement in which a covered entity discloses PHI to another entity, “in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”

2. What HIPAA Generally Prohibits

The rule of thumb is that it’s illegal for labs and other covered entities to use and disclose PHI for marketing purposes unless the patient specifically authorizes the use or disclosure. Consequently, marketers should understand that they need to get—or verify that somebody at the lab has previously gotten—the patient to properly sign a written authorization form before engaging in the marketing activity involving the communication of PHI.

3. Which Marketing Communications Require Authorization

Having laid out the general rules, provide marketers with specific examples of the things they’re not allowed to do without authorization, including selling PHI to third parties for those parties’ use and reuse. Example: A lab may not sell a list of patients who tested positive for a particular respiratory infection to a pharma company that sells over-the-counter drugs treating that infection, for use in a promotional campaign. There are also restrictions on giving PHI to telemarketers and outside sales personnel to market the lab’s own products and services.

4. Which Marketing Communications Are Allowed without Authorization

Let marketers know that there are two exceptions in which the HIPAA Privacy Rule allows for use and disclosure of PHI for marketing communications without the patient’s authorization:

  • when the communication occurs in a face-to-face disclosure between the lab or other covered entity and the individual, or
  • when the communication involves a promotional gift of nominal value.

5. Which Communications Are Allowed Because They’re Not Considered Marketing

Marketers need to understand that the HIPAA Privacy Rule ban on use and disclosure of PHI for marketing purposes without authorization leaves room for communications that are not considered to be marketing-related. Specifically, the Privacy Rule definition of marketing exempts three types of communications in connection with healthcare operations and treatment, including communications:

  • for purposes of treating the individual;
  • for purposes of case management or care coordination or to recommend alternative treatments, providers, or settings; and
  • by a health or benefit plan describing certain health-related services or products it offers.

Caveat: Ensure marketers know that the above exemptions are subject to a significant limitation. Under a later law, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Section 13406, the exceptions don’t apply if the covered entity has received or will receive direct or indirect payment in exchange for making the communication. In that situation, the lab or other covered entity would not only need to obtain authorization before making the communication but also disclose that it will receive payment for the communication.[4]


Distributing a HIPAA compliance fact sheet to sales and marketing staff may prevent improper uses of PHI that could result in privacy violations. Retaining a copy of the fact sheet also serves to document your efforts to comply with HIPAA requirements, the privacy officer adds.


  1. https://www.g2intelligence.com/compliance-tool-hipaa-compliance-fact-sheet-for-lab-marketing-staff/
  2. https://www.g2intelligence.com/compliance-tool-model-policy-on-use-of-hipaa-protected-health-information-for-marketing-purposes/
  3. https://www.govinfo.gov/content/pkg/CFR-2004-title45-vol1/pdf/CFR-2004-title45-vol1-sec164-501.pdf
  4. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
