Compliance Tool: HIPAA Compliance Fact Sheet for Lab Marketing Staff

Sep 26, 2023 | Essential, Lab Compliance Advisor, Laboratory Industry Report, National Lab Reporter, Tool

This template helps labs create a fact sheet that highlights the key HIPAA-related do’s and don’ts for marketing staff.

Misusing protected health information (PHI) for marketing purposes is one way labs could violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, the HIPAA Privacy Rule’s restrictions on use and disclosure of PHI for marketing can be confusing. While delivering effective training is the first line of defense, you can also minimize liability risks by ensuring that marketers retain and apply the compliance principles you teach them. One proven method of accomplishing this objective, notes a veteran privacy officer, is to create and distribute a fact sheet that highlights the key HIPAA-related do’s and don’ts. Here’s a template recommended by the privacy officer for labs to adapt for their own use:

HIPAA COMPLIANCE FACT SHEET FOR SALES & MARKETING STAFF

GENERAL RULE

The HIPAA Privacy Rule bans the use and disclosure of a patient’s protected health information (PHI) for marketing purposes without prior written authorization. However, exceptions apply, and it’s not always clear whether a communication containing PHI is a marketing communication. This fact sheet sets out the basic principles you need to understand to comply with HIPAA. Please post or keep a copy of this fact sheet nearby for easy reference.

DEFINITION OF MARKETING

“Marketing” for which HIPAA authorization is required includes:

  • a communication about a product or service that encourages recipients of the communication to purchase or use the product or service unless specific exceptions apply, or

  • an arrangement in which a covered entity discloses PHI to another entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

PROHIBITED PRACTICES—MARKETING DON’TS

Examples of marketing activities or communications banned by HIPAA without patient authorization include, without limitation:

  • Providing a list of patients to a drug manufacturer in exchange for payment so that the manufacturer can directly send listed patients coupons for the company’s drugs

  • Providing the names of pregnant women to a manufacturer of baby formula or the publisher of a parenting magazine

  • Providing the names of patients who test positive for diabetes to a manufacturer of diabetic supplies

  • Distributing or posting a brochure from a hospital notifying former patients about an outside cardiac clinic offering electrocardiograms at a discount, since the communication isn’t for the purposes of providing treatment advice

  • Giving a list of patients to telehealth companies, door-to-door salespersons, or fundraising organizations

PERMISSIBLE PRACTICES: MARKETING DO’S

The following communications are NOT considered marketing communications requiring patient authorization under HIPAA:

  • Communications to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed to the patient, as long as any financial remuneration received is reasonably related to the covered entity’s cost of making the communication

  • Communication for treatment of a patient, provided that the covered entity receives no payment in exchange for making the communication. Examples:
    • A provider may give a patient a prescription for the drug or a referral to a lab or specialist
    • A provider may send appointment reminders to patients
    • A cardiologist who advises a patient to lose weight may give the patient, as part of treatment, a brochure describing a specific weight-loss plan

  • A face-to-face communication made by a covered entity’s employee or staffer to a patient

  • A promotional gift of nominal value provided by the covered entity

OTHER PERMITTED PRACTICES

The following are not considered marketing communications under the HIPAA Privacy Rule and are therefore permitted without patient authorization:

  • Communications to plan members that describe products and/or services provided by a health or benefits plan. Examples:
    • A health or benefits plan may give its members information about the health-related products or services it offers, such as deductibles, copay changes, and enhancements

    • A health or benefits plan may give its members a list of new providers participating in the plan or a description of new services offered by the plan

  • Other health-related communications to patients, including case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the patient, provided the covered entity receives no payment in exchange for making the communication. Examples:
    • A physician may send patients prescription refill reminders offering them an alternative medication or treatment, whether offered by the physician, a pharma company, or another provider
    • A provider may send information about a new smoking cessation program to all patients who have visited its clinic for nutritional information and who identified themselves as being smokers

    • A provider may communicate information about benefits of government-sponsored health programs like Medicare or Medicaid to its patients

AUTHORIZATION REQUIRED WHERE PAYMENT IS RECEIVED

The exemptions allowing for the communications and practices described above without patient authorization do not apply if the covered entity receives, has received, or will receive full or partial payment in exchange for making the communication. In that situation, the covered entity must obtain prior authorization for the use or disclosure of PHI in connection with the communication. The authorization must also expressly state that such payment has been or will be received.
