HAPPY BIRTHDAY, MRS. JONES
Download
Report
Transcript HAPPY BIRTHDAY, MRS. JONES
HAPPY BIRTHDAY,
MRS. JONES
A HIPAA Marketing Guide for
Health Care Providers
Barbara L. Crawford, Esq.
Stromberg Cleveland Crawford & Schmidt, P.C.
1
Am I Marketing?
If you are communicating with your
patients outside the exam room or
hospital bed in an effort to create
good will or to encourage them to
return for future services or to
purchase your products, you are
marketing.
2
Am I Marketing?
Birthday cards
Appointment
reminders
Newsletters
Discount coupons
Refrigerator logo
magnets
Free samples
Website
Announcements
about new facilities
Wellness programs
Health education
brochures
3
Am I Marketing?
If you give the names of all patients
with cardiac problems to the drug
rep so that the drug company can
send a special mailing about a new
cardiac drug to those patients, you
are marketing.
4
HIPAA Definition of Marketing
A communication made by a health care
provider about a service or product that
encourages the purchase or use of the
product or service.
An arrangement between a health care
provider and any other entity whereby the
health care provider, in exchange for direct
or indirect remuneration, discloses PHI to
the other entity for that entity’s marketing
communication.
• 45 C.F.R. 164.501
5
The Rule
If an activity is marketing, a health
care provider is required to obtain
advance written authorization from
the patient for the use of PHI in
connection with the activity.
• 45 C.F.R. 164.508(a)(3)(i)
UNLESS...
6
Exceptions to the Rule:
Not “Marketing”
A communication to describe the health
care provider’s own health-related
products and services
A communication related to the treatment
of the patient
A communication for care management or
to recommend alternative treatments,
providers or settings
• 45 C.F.R. 164.501
7
Exceptions to the
Authorization Requirement
In addition, a health care provider
may, without authorization, conduct
the following marketing:
• communicate face-to-face (i.e., in office)
about any type of service or product,
even a non-health related service or
product
• give or send promotional gifts of nominal
value.
• 45 C.F.R. 164.508(a)(3)(i)(A) and (B)
8
Can I Hire a Third Party to
Market For Me?
OK to use telemarketers,
business associates or other
third parties IF the third party
has agreed in writing to only
use the PHI for communications
on your behalf in the permitted
fashion.
9
HIPAA Does not
Apply to . . .
Marketing conducted without the use
of PHI, i.e., without the use of your
patient database
• Coupons included in the local “Valu-Pak”
• Mailings sent to “current resident” or
even mailings sent to a targeted
population, e.g., the elderly, when the
mailing list is not derived from your
patient database
• Newspaper or magazine ads
1
0
OCR Guidance
The Office of Civil Rights (the Privacy
Rule enforcement agency) issued
guidance re Privacy Rule on December
2, 2002
• summary of major aspects of the Privacy
Rule
• Q & As
• best source for interpretation of Privacy
Rule
• marketing addressed in pages 65-76
1
1
Appointment Reminders
Rx Refill Reminders
OCR Guidance states:
• “Appointment reminders are considered part of
treatment of an individual and, therefore, can be
made without an authorization.” Guidance p. 74
• “It is not marketing for a doctor to make a
prescription refill reminder even if a third party pays
for the communication. The prescription refill
reminder is considered treatment. . . Similarly, it is
not marketing when a doctor or pharmacy is paid by
a pharmaceutical company to recommend an
alternative medication to patients.” Guidance p. 7374
1
2
Appointment Reminders
Rx Refill Reminders
Appointment reminder OK
Rx refill reminder OK
• even if a drug company pays a doctor or
pharmacist to send a prescription reminder
• even if goes beyond reminder to recommend an
alternative medication to a patient (at request
of a drug company)
Not OK if a drug company pays for a
patient list and it sends out a
recommendation to your patients
1
3
Appointment Reminders
Rx Refill Reminders
Letter or Postcard?
• Not addressed in OCR Guidance
• If minimal PHI included, minimal risk to
use of postcard
• But what amount of information must
be included to be useful as a reminder
to patient?
• Rx reminder requires more information than
should be placed on postcard
1
4
Direct Mail Marketing
“The HIPAA Privacy Rule excludes from the definition of
‘marketing’ communications made to describe a covered
entity’s health-related product or service (or payment for
such product or service) that is provided by . . . the
covered entity making the communication. Thus, it
would not be marketing for a physician who has
developed a new anti-snore device to send a flyer
describing it to all of her patients (whether or not each
patient has actually sought treatment for snoring). Nor
would it be marketing for an ophthalmologist . . . to send
existing patients discounts for eye exams or eye glasses
available only to patients.” Guidance p. 72
1
5
Direct Mail Marketing
OCR Guidance, in summarizing the Rule re
marketing, states that a health care
provider can communicate about its own
services and products and gives the
following example:
• “A hospital uses its patient list to
announce the arrival of a new specialty
group or the arrival of new equipment
through a general mailing or
publication.” Guidance p. 67
1
6
Direct Mail Marketing
A health care provider can also
communicate about treatment options or
recommendations. The OCR Guidance
states:
• “For example, it would be an alternative
treatment communication if a doctor, in
response to an inquiry from a patient with skin
rash about a range of treatment options, mails
the patient a letter recommending that the
patient purchase various ointments and
medications described in brochures enclosed
with the letter.” Guidance p. 74
1
7
Direct Mail Marketing
Treatment alternatives can also mean
alternative medicine. The OCR Guidance
states:
• “Thus, alternative treatments would include
communications by a midwife who recommends
or sells vitamins and herbal preparations,
dietary and exercise programs, massage
services, music or other alternative types of
therapy to her pregnant patients.” Guidance p.
74
1
8
Direct Mail Marketing
Mailing an unsolicited discount service
coupon for your services OK
Mailing an unsolicited discount product
coupon OK, if it is a product that you
typically furnish through your office
Mailing a product recommendation OK, if
the product is among the treatment
options for the patient
1
9
Direct Mail Marketing
Mailing product brochures in response to an
inquiry from a patient OK regarding treatment
for a condition for which the product may be
used
Mailing an announcement about your new
services or your new facilities OK
• NOT OK to announce opening of an unrelated facility
Recommending that patient obtain test at
nearby facility OK, if the test is needed for
current treatment
2
0
Newsletters
OCR Guidance states:
• “[A] communication that merely promotes
health in a general manner and does not
promote a specific product or service from a
particular provider does not meet the
definition of ‘marketing’.” Guidance p. 71
A newsletter, without more, OK - not marketing
at all
A newsletter, with promotions, falls into the
exception from marketing if it promotes your
services or products and OK
2
1
Health Brochures
Same Guidance as newsletters. Same
section provides:
• “Examples of general health promotional
material include mailings reminding women
to get an annual mammogram; mailings
providing information about how to lower
cholesterol, new developments in health
care (e.g., new diagnostic tools), support
groups, organ donation, cancer prevention
and health fairs.” Guidance p. 71
2
2
Health Brochures
Mailing of health education
brochures, without more, OK - not
marketing
Mailing of health education
brochures listing office locations
and hours falls into the exception
from marketing if you are marketing
your services.
2
3
Wellness Programs
OCR Guidance states:
• “To the extent that the . . . wellness program is
operated by the covered entity directly or by a
business associate, communications about such
programs are not marketing because they are about
the covered entity’s own health-related services. So,
for example, a hospital’s Wellness Department could
start a weight-loss program and send a flyer to all
patients seen in the hospital over the past year who
meet the definition of ‘obese’, even if those
individuals were not specifically seen for obesity
when they were in the hospital.” Guidance p. 71
2
4
Wellness Programs
Mailings re your wellness program to all
patients, OK
Mailings re your cardiac rehab or
wellness program to all patients seen for
cardiac problems, OK
Mailings re your weight loss program to
all patients who were overweight per
your records, OK
Not OK to send info re the Jenny Craig
franchise in your medical office building
2
5
In-House Marketing
OCR Guidance states:
• “In face-to-face encounters, the HIPAA Privacy Rule
allows covered entities to give or discuss products
or services, even when not health-related, to
patients without prior authorization. Physicians
may give out free pharmaceutical samples,
regardless of their value. Similarly, hospitals may
give infant supplies to new mothers. Moreover, the
face-to-face exception would allow providers to
leave general circulation materials in their offices
for patients to pick up during office visits.”
Guidance p. 75
2
6
In-House Marketing
Giving free samples, OK
• even if not health related, e.g.
formula, diapers
• even if more than nominal value
Product sales in office, OK
• But adding buyers or browsers to
patient database for future marketing
not OK if no patient-provider
relationship.
2
7
In-House Marketing
Exceptions to the Privacy Rule are for
“patients” - aimed at not interfering with
the provider-patient relationship and
patient treatment.
“Patient” relationship requires actual
exam and treatment.
2
8
Magnets, Pens, Note Pads,
Mugs
OCR Guidance states re promotional gifts of
nominal value:
• “[T]he HIPAA Privacy Rule allows covered entities to
distribute items commonly known as promotional
gifts of nominal value . . . even if such items are
distributed with the intent of encouraging the
receiver to buy the products or services. . . A covered
doctor, for instance, may send patients items such as
pens, note-pads and cups embossed with a health
plan’s logo without prior authorization. Similarly,
dentists may give patients free toothbrushes, floss
and toothpaste.” Guidance p. 74-75
2
9
Magnets, Pens, Note Pads and
Mugs
As long as cost is nominal:
• Giving or sending promotional items
with your logo OK
• Giving or sending promotional items
with a third party’s logo OK
• Giving or sending health-related items
OK
• Giving or sending non-health-related
items OK
3
0
Birthday Cards
No OCR Guidance
Is birthday card in same category as
mug or pen? Probably
Birthday card, without more, OK
Birthday card, with discount offer, is
more like direct mail marketing must be discount on your services or
product
3
1
Web Site
No OCR Guidance
Informational web site that does not collect the
PHI of a browser does not trigger the Privacy
Rule - more like a newspaper ad.
Web site offering discounts or information only
after browser provides personal information
triggers Privacy Rule because PHI potentially
being gathered
• fulfilling order or request OK
• adding browser to “patient” database not OK
because not patient.
3
2
Give Notice
If you are going to conduct any of the
marketing discussed, add disclosure to
your Notice of Privacy Practices
Be specific regarding the types of
activities you might conduct
Complaints more likely if patient is
surprised to receive a mailing
3
3
Caution!
Regardless of whether you CAN
communicate with a patient in the
ways discussed, you must delete a
patient from your mailing list if the
patient requests that you do so.
3
4
Caution!
Nothing in the marketing provisions of
the Privacy Rule is to be construed as
amending, modifying or changing any
rule or requirement related to any
other federal laws, including antikickback, Stark, etc.
3
5
Caution!
The OCR Guidance states on this
subject:
• “In particular, although the Privacy Rule
defines ‘marketing’ to exclude
communications to an individual to
recommend, purchase or use a product or
service as part of the treatment of the
individual . . ., such communication by a
health care professional may violate the
anti-kickback statute.” Guidance p. 75
3
6
Caution!
August 2002 Special Fraud Alert re
offering gifts and inducements to
Medicare/Medicaid beneficiary
• Cannot offer valuable gifts to beneficiaries to
influence choice of a provider, practitioner or
supplier.
• BUT some of the exceptions dovetail with
permitted HIPAA marketing, e.g.:
• inexpensive gifts (<$10)
• promotion of preventive services
3
7
Caution!
Physicians must also consider the
Colorado BME Policy re sale of products
in the office - BME Policy No. 40-11
• BME criteria: sale, at reasonable price, of
products with reasonable potential for
therapeutic gain, with disclosure of financial
arrangement with supplier
• BME frowns on exclusive sales arrangements.
3
8
3
9
MRS. JONES, WE’D LIKE TO
THANK YOU FOR YOUR
CONTINUED SUPPORT...
Using and Disclosing Protected
Health Information for Fundraising
Taylor T. Pollock
Stromberg Cleveland Crawford & Schmidt, P.C.
40
Fundraising and Health Care
Operations
Fundraising is considered part of a
covered entity’s health care
operations (i.e., uses and
disclosures that may be made
without patient authorization)
However, fundraising activities
must be conducted in accordance
with specific HIPAA Privacy Rule
requirements.
4
1
General Rule on Fundraising
A health care provider may itself
use certain protected health
information for fundraising
purposes and may also disclose the
PHI to (i) a business associate, or
(ii) to an institutionally-related
foundation for purposes of raising
funds for the provider.
4
2
Key Terms:
“Fundraising Purposes”
Not defined in the Privacy Rule,
but the the Preamble to the
Privacy Rule states that
“permissible fundraising
activities” include appeals for
money, sponsorship of events, etc.
• Does not include sale of products of
third parties
4
3
Key Terms:
“Business Associate”
A “business associate” is a
person or entity that performs
certain functions or activities on
behalf of the health care provider
involving the use or disclosure of
PHI.
4
4
Key Terms:
“Institutionally-Related Foundation”
An “institutionally-related
foundation” is a nonprofit 501(c)(3)
entity that has an explicit linkage to
the health care provider in the
foundation’s organizational
documents.
• Does not include a charitable organization
that raises funds for general charitable
purposes.
4
5
What type of PHI may be disclosed
for fundraising activities?
“Demographic information”
relating to a patient.
Dates of treatment provided to
a patient.
4
6
Key Terms:
“Demographic Information”
“Demographic Information” is not
defined in the Privacy Rule, but the
Preamble to the Privacy Rule clarifies
that it includes:
•
•
•
•
name and address
age
gender
insurance status
“Demographic information” does not include
detail of the patient’s illness or treatment!
4
7
Who can benefit from the use or
disclosure of PHI for fundraising?
The health care provider’s PHI may
only be used to raise funds for the
provider.
The PHI may not be used to raise
funds for related entities that may be
served by the same foundation.
• Example: a university system cannot use
its hospital’s PHI to raise funds for
academic department research.
4
8
Notice of Privacy Practices:
Special Requirements
The health care provider’s
Notice of Privacy Practices must
inform the patient of the
potential for the use or
disclosure of PHI for fundraising
purposes.
4
9
Notice of Privacy Practices:
Special Requirements (cont.)
The Notice of Privacy Practices
must also contain a statement
that the health care provider
may contact the individual to
raise funds for the provider.
5
0
Opting Out of Future
Fundraising Communications
The health care provider must
include in all fundraising materials
a description of how the individual
may “opt-out” of future
fundraising communications.
5
1
Opting Out of Future Fundraising
Communications (cont.)
The health care provider must
make reasonable efforts to ensure
that individuals who opt-out of
receiving future fundraising
communications are not sent
future solicitations.
5
2
Targeted Mailings /
“Mining” Patient Databases
Health care providers cannot search
patient databases to create lists of
targeted patients (e.g., patients with
a specific health status, patients who
received a specific treatment, etc.)
Targeted mailings to wealthy donors
permissible? (i.e., comparing list of
patients with a publicly-available database
or listing of wealthy potential donors)
5
3
Continued Use of Existing
Databases
All databases maintained or held by a health
care provider after April 14, 2003 are governed
by the Privacy Rule.
Databases created before April 14, 2003 by a
separate legal fundraising entity that is not
itself a covered entity are not covered by the
Privacy Rule.
• Note: all updates and future disclosures from the
health care provider to the fundraising entity will be
subject to the Privacy Rule and must be limited to
demographic information and dates of treatment.
5
4
Applying the Fundraising
Rules
In connection with raising funds
for a new orthopedic wing, a
hospital hires an outside
marketing firm to plan and
conduct the fundraising program.
?
5
5
Applying the Fundraising
Rules (cont.)
The marketing firm asks the
hospital for a list of all orthopedic
surgery patients in the last 5 years.
?
5
6
Applying the Fundraising
Rules (cont.)
The hospital sends the marketing
firm names and addresses of all
patients seen at the hospital in the
last 5 years.
?
5
7
Applying the Fundraising
Rules (cont.)
The hospital revises its Notice of
Privacy Practices to inform patients
that they can opt out of future
fundraising communications.
?
5
8
Applying the Fundraising
Rules (cont.)
A year after the new orthopedic facility
is completed, the hospital gives the list
to a local physician who has developed
a medical device designed to speed
recovery from knee surgery. The
physician would like to use the list to
raise money to further develop and
market his new device.
?
5
9
Summary of HIPAA Fundraising
Requirements
Always OK with patient authorization.
Absent authorization, may only use
demographic information and dates of
treatment.
Use and disclosure OK to business associate
or related foundation to raise funds for the
health care provider.
Must include possible fundraising use in
Notice of Privacy Practices.
Must give the patient the opportunity to optout of future communications.
6
0
Stromberg Cleveland
Crawford & Schmidt, P.C.
4600 South Ulster Street, Suite 300
Denver, Colorado 80237
61