If it's Subsidized, Get it Authorized: New Restrictions on the Sale and Use of PHI for Marketing Purposes Under HIPAA's Omnibus Rule
Angela M. Rust

Presentation transcript:

If it's Subsidized, Get it Authorized: New Restrictions on the Sale and Use of PHI for Marketing Purposes Under HIPAA's Omnibus Rule
Angela M. Rust
This presentation is limited to a discussion of general principles and should not be interpreted to express legal advice applicable in specific circumstances or to create an attorney/client relationship.

Goals for Today's Presentation
- Spot instances when a patient's authorization may be required for marketing efforts using PHI. This is not a substitute for consulting with your legal counsel, but will help you pose intelligent questions and bring matters to your attorney's attention.
- Understand generally the recent changes to HIPAA to separate "myth" from real issues, and provide some perspective.
- Learn and practice applying the new

Changing Law
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- Enacted as part of the American Recovery and Reinvestment Act of 2009
- Required the Department of Health and Human Services (HHS) to issue regulations making changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Regulations
- Proposed Rule
- Public Comment
- Final Rule

Rulemaking Implementing HITECH
- Notice of Proposed Rulemaking was issued in July 2010
- “Omnibus” Final Rule issued January 17, effective March 26, compliance with most provisions is required by September 23, 2013.
- Addresses many changes under HIPAA/HITECH, including changes to the rules for marketing disclosures of PHI.
- Some provisions changed following public comment and are not the same as the proposed rule.

Other Laws and Regulations
- HIPAA/HITECH is only one piece of the puzzle
- Don’t forget to consider anti-kickback and Stark (anti self-referral) statutes, Medicare Marketing Rules, other state and federal law, internal policies and business associate agreements

The Basics
- You must have an authorization for a sale of PHI.
- Authorization is also required for marketing unless:
  - It is face to face, or
  - It is a promotional gift of nominal value provided by the CE (covered entity)

What is considered a "sale" of PHI under the new Omnibus Rule?

Sale of PHI
- Sale of PHI used to be addressed under the marketing rules, but is now a separate category of activity that requires authorization
- “[A] disclosure of PHI by a CE or BA [which] directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.” § 164.502(a)(5)(ii)(B)(1)

Further Defining “Sale”
- Applies when remuneration is given for access, license, or lease agreements, not just sales that transfer ownership
- Remuneration does not have to be financial payment, and may be “in kind” (note: this is the opposite under the new marketing rule!)
- Authorization must state disclosure will result in remuneration to CE (can tailor this language, and explain what kind of remuneration)
- Can rely on existing authorizations that do not specify this

Disclosures that are exceptions, and not a “sale” of PHI
- Public health activities
- Research purposes when remuneration reflects cost of preparation/transmittal of the PHI
- Treatment of the individual
- Sale, merger or consolidation of a CE
- Business Associate (BA) compensated for performing services on behalf of CE
- Disclosing PHI to an individual about him/herself
- Health information exchange fees

Examples of Sale of PHI
- CE sells patient list composed of women who have recently delivered babies on the maternity unit to local photography studios to advertise newborn portrait services or to formula manufacturers
- CE sells patient list to pharmaceutical company that wants to target mailings to patients with a certain diagnosis

What is “Marketing”? How does the Omnibus Rule change that definition?

Marketing is …
- A communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.”
- Subject to exceptions

The “Exceptions” Under HIPAA
HIPAA provided that communication for the following purposes was NOT marketing:
1. General Promotion of Good Health
2. Treatment or Care Management/Coordination
3. Health Care Operations
The Omnibus Rule took away exceptions 2 and 3, but only when they are “subsidized” by a third party whose product or service is being marketed.

General Promotion of Good Health
- This does not meet definition of “marketing”
- Does not promote a specific product or service, just general good health or routine appointments
- E.g., encouraging a healthy diet, getting an annual physical

Treatment or Care Management/Coordination
- Communications for treatment, case management, care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care
- Examples:
  - Patient appointment reminders
  - Prescription drug samples from treating physician to patient
- Is it subsidized?

Pharmacy Refill Reminders
- Previously fell within “treatment” exception
- Now, the treatment exception applies only if:
  - The reminder is not subsidized, or
  - The financial remuneration received by the CE in exchange for making the reminder is reasonably related to the cost of making it
- Stayed the same from proposed to final rule
- “Reasonably related” = actual costs only

Health Care Operations Exception
- Communications for case management or care coordination, to the extent these activities do not fall within the definition of treatment
- Communications made to describe a health-related product or service provided by the CE making the communications.
- Is it subsidized?

A Communication is Subsidized if…
- It is made in exchange for “financial remuneration,” i.e., a "direct or indirect payment from or on behalf of a third party whose product or service is being described."
- This does not include payment for treatment of an individual or “in kind” remuneration
- Definition did not change from proposed to final rule

Proposed vs. Final Rule on "Subsidized" Communications
- Proposed Rule: Notice of Privacy Practice must disclose that CE may send subsidized treatment communications and that individual may opt-out, AND the communication must disclose remuneration will be received and provide a “clear and conspicuous” chance to opt-out (e.g., by hotline or email)
- Final Rule (Follow This!): If it's “subsidized," get it authorized. (It is not enough to provide an "opt out" option.)

Summary of the Analysis
- Is it a communication encouraging purchase/use of a product or service?
- Is it face to face or a promotional gift of nominal value?
- Is it for general promotion of good health?
- Is it for treatment or health care operations purposes?
- If so, is there a direct or indirect payment (financial remuneration) for the communication?
- Is the payment on behalf of the third party whose product or service is being described?

Example: Hospital with New Mammography Equipment
- The hospital marketing budget is used to "target mail" former patients an announcement of the new mammography equipment. Treatment/health care operations exceptions, no authorization required.
- The same mailing is paid for by the manufacturer of the new equipment. Now it is subsidized, get it authorized.

Example: Hospital with New Mammography Equipment
- A non-profit breast cancer foundation pays for the mailing. No authorization required (remuneration not by or on behalf of the entity whose product or service is described).
- Doctor at hospital sends letter recommending the new equipment to a patient. Unless it is subsidized, no authorization required (treatment exception).

Example: Hospital with New Mammography Equipment
- Manufacturer of new equipment pays for color brochures for physicians at the hospital to hand out to patients who may benefit from a mammogram. Face to face communication, no authorization required.

Example: Hospital with New Mammography Equipment
- Manufacturer of the equipment purchases patient contact information to mail patients an announcement regarding the new equipment. Authorization required, this is a "sale" of PHI.

Example: Hospital with New Mammography Equipment
- Doctor calls patients and tells them about the new equipment. Treatment/care management or health care operations exceptions likely apply, unless this is subsidized. Phone calls are not "face to face" communication.

Example: Hospital with New Mammography Equipment
- Hospital sends reminders to its patients to get annual mammograms. Promotion of general health, not "marketing," so no authorization required.

Your Questions