Protections, Limitations, Prohibitions and More: Important Modifications to Privacy Rule
This Health Law Alert is the fifth in a six-part series Hinshaw & Culbertson LLP is publishing detailing the significant changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, enforcement and breach notification rules made as part of the Omnibus Final Rule (Final Rule) issued by the U.S. Department of Health and Human Services.
This Health Law Alert discusses several modifications to the Privacy Rule impacting covered entities. These modifications were made in order to strengthen the privacy and security protections established under HIPAA for individuals’ protected health information (PHI). The Final Rule:
- strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes;
- increases privacy protection for genetic information, as required by the Genetic Information Non-Discrimination Act of 2008 (GINA);
- prohibits the sale of protected health information without individual authorizations;
- in certain circumstances permits disclosure of child immunization proof to schools; and
- enables access to PHI by family members of decedents.
Marketing
The Final Rule modifies the definition of “marketing” and requires covered entities to obtain patient authorization before sending patients “marketing” communications that are paid for by third parties. In this respect, the Final Rule defines “marketing” as a communication about a health-related product or service if the covered entity receives, in exchange for making the communication, financial remuneration from a third party that would benefit financially. The definition of “marketing” does not include:
- communications made to provide refill reminders or otherwise communicate about a drug or biological that is currently being prescribed to an individual if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication;
- a communication made for treatment and health care operation purposes, except where the covered entity receives financial remuneration in exchange for making the communication; and
- face-to-face communications, even if remuneration is received from a third party promoting health in general that do not promote a product or service from a particular provider.
Fundraising
Under the old rules, a covered entity, without authorization, might use or disclose for purposes of raising funds for its own benefit only demographic information related to the individual, health insurance status, and the dates of the health care provided to the individual. Under the Final Rule, demographic information may include name, address, contact information, age, and gender. In addition, the Final Rule permits use and disclosure of generic department of service information, treating physician information and outcome results.
Under the Final Rule, the covered entity may not use or disclose PHI for fundraising purposes unless an opt-out statement required by the Final Rule is included in the covered entity’s Notice of Privacy Practices. With each fundraising communication made to an individual under the provisions, the covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communication. The method for the individual to elect not to receive the fundraising information may not cause the individual to incur an undue burden or more than a nominal cost. Furthermore, a covered entity may not condition treatment or payment on the individual’s choice with respect to the receipt of the fundraising communication, and the covered entity may not make fundraising communications where the individual has elected not to receive such communication.
Genetic Information
The Final Rule prohibits the use and disclosure of genetic information by health plans that are covered entities for underwriting purposes. A health plan — excluding an insurer of long-term care policies — may not use or disclose PHI that is genetic information for underwriting purposes. “Underwriting purposes” means:
- rules for, or determinations of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage or policy;
- the computation of premium or contribution amounts under the plan, coverage or policy;
- the application of any pre-existing condition excluded under the plan, coverage or policy; and
- other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
Sale of Protected Health Information
The Final Rule prohibits the sale of PHI. “Sale” is defined as a disclosure of PHI by a covered entity or business associate where the covered entity or business associate receives remuneration from the recipient of the PHI. Sale of PHI may also include agreements to access or license PHI and lease agreements.
The Final Rule expressly prohibits covered entities or business associates receiving remuneration in exchange for disclosing PHI unless the covered entity obtains patient authorization or an exception applies. No authorization is required:
- for treatment and payment purposes;
- for the sale, transfer, merger or consolidation of all or part of the covered entity, and for related due diligence;
- to and by business associates for activity that the business associate undertakes on behalf of the covered entity; or
- for public health purposes.
Proof of Immunization
A covered entity may provide to a school proof of immunization of a student or prospective student if the school is required by state or other laws to have such proof of immunization prior to admitting the student, and the covered entity obtains and documents the agreement for disclosure, either from a parent, guardian or other person acting in place of the parent, or the student, if the student is an adult or emancipated minor.
Disclosure to Family Member
If an individual is deceased, a covered entity may disclose PHI to a family member, or other person identified, who was involved in the individual’s care or payment for health care prior to the individual’s death, unless the individual makes known to the covered entity an express contrary preference.
These significant changes in the Privacy Rule must be incorporated into the privacy practices and policies of applicable covered entities. For further information, please contact Roy M. Bossen or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.