patient privacy (except to make money..)

Nurses General Nursing

Published

Specializes in ER.

GOVERNMENT & MEDICINE

Physicians protest privacy rule loophole

New standards would allow use and disclosure of health information for certain marketing purposes without a patient's consent.

By Amy Snow Landa, AMNews staff. Feb. 11, 2002.

--------------------------------------------------------------------------------

Washington -- A patient is found to have high cholesterol during a routine check-up at her physician's office. The next week, she receives a letter saying, "Now that you have high cholesterol, your physician asked us to tell you about re-evaluating your life insurance."

A teenager is diagnosed and treated for a sexually transmitted disease. Soon after, he receives a letter saying a certain brand of ointment has been shown to be an effective treatment for his type of STD.

In both hypothetical cases, a marketer has used personally identifiable health information to target a patient for communication about a particular product -- and did so without the patient's prior authorization.

Physicians and consumer advocates say this is exactly the type of practice that should be prohibited under the federal medical records privacy standards, which are intended to safeguard access to patients' sensitive health information.

"Unfortunately, the final rule condones and perhaps even encourages a wide array of marketing activity using what is supposed to be protected health information," said William J. Hall, MD, president of the American College of Physicians--American Society of Internal Medicine.

Dr. Hall testified last month before a subcommittee of the National Committee on Vital Health Statistics, which is advising the Dept. of Health and Human Services on the privacy rule's implementation.

The Bush administration said last year that it would modify certain areas of the final rule, which President Clinton issued just before he left office. The privacy standards are scheduled to take effect on April 14, 2003.

The American Medical Association has been actively advocating changes to the rule based on current AMA policy, which says that physicians, hospitals and others in the health care system have a duty to keep patient information private.

The marketing section, in particular, is one area of the regulation that physician and consumer groups would like to see tightened. They say that, at the very least, patients should have the opportunity to allow, prohibit or restrict the disclosure of their personal health information before it is disclosed to anyone for marketing purposes.

Instead, the final rule lays out certain conditions under which a health care entity or third party may use or disclose a patient's personally identifiable health information for marketing purposes without first obtaining the patient's authorization.

Exceptions "swallow the rule"

The marketing provisions provide several exemptions that essentially "swallow the rule" requiring patients' prior consent for the use or disclosure of their personal health information, several witnesses told the privacy panel.

For example, marketing communications that occur in a "face-to-face" encounter with a patient or over the telephone are exempt.

This means that a patient who has just been discharged after a major hospital stay could be visited by a door-to-door salesperson or called by a telemarketer when they are convalescing at home, said Dr. Hall. Under this exemption, the patient's private health information could be used to promote not just medical items and services, but vacations, magazines and other products that aren't related to health care.

Another exemption applies to marketing communications that promote items or services of "nominal value" -- whether they are health-related or not.

For marketing communications that are not face-to-face -- a letter, for example -- and that concern a product of greater than nominal value, the rule allows the use or disclosure of a patient's private health information to promote health-related products and services under three conditions. They are:

The marketing communication identifies the health care entity from which the patient was identified.

It states whether the health care entity has received or will receive payment related to the communication.

It informs the patient that he or she can "opt out" of receiving future communications.

None of these requirements make the exemption acceptable, said Dr. Hall. Instead, they just add more problems for patients and physicians.

For example, requiring that the marketing communication identify the health care entity "throws the physician into the middle of a sale between the third party and the patient," he said.

Dr. Hall cited the hypothetical example of the patient with high cholesterol who received the letter saying her physician asked the marketer to tell her about a life insurance product.

"In addition to the intrusiveness on a rather personal issue, it also gives the patient the impression that the product being offered is endorsed and/or approved by the physician," he said.

Requiring that the communication inform the patient that they can opt out of receiving future communications is "too little, too late," said Dr. Hall, because it does not allow the patient to opt out before their personal health information has been disclosed.

Furthermore, the final rule leaves it up to the patient to figure out how to stop a marketer from contacting them in the future, said Jeffrey Janofsky, MD, who testified at the hearing on behalf of the American Psychiatric Assn.

The final rule does not offer details on what procedures the patient would have to follow to successfully opt out. It requires only that the marketer make "reasonable efforts" to ensure that the patient does not receive future communications.

"Why are you putting the burden on the patient?" Dr. Janofsky said to the panel. "Why shouldn't the burden be on the marketer?"

Both Dr. Hall and Dr. Janofsky stated unequivocally that their associations oppose allowing the use or disclosure of personal health information for marketing purposes without prior authorization.

But the Direct Marketing Assn., whose 5,000 member companies are involved in direct and "interactive" marketing sales, presented testimony that the final rule has "struck the right balance between protecting consumers' health-related information and preserving their right to receive the benefits of marketing."

Having received public testimony on the marketing issue, the health statistics committee will meet in February to consider recommending modifications of the rule to HHS Secretary Tommy Thompson.

Back to top.

--------------------------------------------------------------------------------

Copyright 2002 American Medical Association. All rights reserved.

---------------------------------------------------------------------------

Absolutely incredible! More junk mail and to a vulnerable population. Maybe they'll be giving out the names of the terminally ill to sell gravestones and plots.

0 Votes
Specializes in Vents, Telemetry, Home Care, Home infusion.

just spent four days at hipaa conference. sharing following info. karen

the health insurance portability & accountability act of 1996

title ii includes a section, administrative simplification, requiring:

1. improved efficiency in healthcare delivery by standardizing electronic data interchange, and

2. protection of confidentiality and security of health data through setting and enforcing standards.

more specifically, hipaa calls for:

1. standardization of electronic patient health, administrative and financial data

2. unique health identifiers for individuals, employers, health plans and health care providers.

3. security standards protecting the confidentiality and integrity of "individually identifiable health information," (called protected health information or phi) past, present or future.

4. written consent/authorization for release of phi with opt-out clause.

the bottom line: sweeping changes in most healthcare transaction and administrative information systems.

compliance deadlines:

privacy rule --- april 14, 2003

transmission/edi: must have plan submitted by october 2002 and full implimentation by october 2003.

security---final rule still be worked on.

marketing

the privacy rule limits how personal health information may be used in marketing, including the kind of marketing that may be done as a part of healthcare operation. marketing is defined as communicating about a product or service in order to encourage its purchase or use.

certain activities that otherwise meet this definition, are not considered marketing under the privacy rule "to prevent interference with essential treatment or health-related communications with a patient." they include:

*describing participating providers or plans in a network -- or the services and benefits they provide.

*using the communication to provide, manage or further treatment -- as in recommending over-the-counter medications or sending reminder notices for appointments or prescription refills.

*if a communication is marketing, personal health information may be used or disclosed only in these cases:

face-to-face encounters with the patient -- as in offering product samples during an office visit.

they involve products or services of nominal value, i.e., toothbrushes, pens, etc.

they concern health-related products and services of the covered entity or a third party, and if the covered entity making communication is identified.

it is stated that the covered entity is being paid for the communication, if this is so.

the individuals are told how to opt out of further marketing.

individual are told why they have been targeted (are they diabetics, smokers?) and how the communication relates to their health.

they are marketing-related disclosures made to business associates only to support the covered entity's marketing activities. the entity must require a signed business associate agreement from its telemarketer or door-to-door salesman, who may not use protected health information for his own or other purposes.

under the privacy rule, all other marketing requires individual authorizations to use or disclose personal health information. in order to release patient or enrollee lists for any other reasons, the covered entity must obtain authorization from everyone on the list.

info from:http://www.hipaadvisory.com/regs/finalprivacy/gsum.htm

--------------------------------------------------------------------------------

full info about hipaa at:

ttp://www.hipaadvisory.com/

http://www.aishealth.com/

overview:

http://www.hipaadvisory.com/regs/hipaaprimer1.htm

privacy information rules :

http://www.hipaadvisory.com/action/privacy/index.htm

excellent series of articles re privacy/confidentiality here:

***student nurses pose hipaa challenges: de-identification, *minimum necessary ( a must read for all nurses)

*shred-it bins offer more privacy than recycle bins for hipaa compliance

*tips for protecting faxes under hipaa privacy rule

*12 tips to improve confidentiality in the er

*crack down on hallway consults, screens to improve patient privacy

*tips to protect phi that falls outside the medical records dept.

*common medical record abuses and steps you can take to prevent them

above articles + many more located at:

http://www.aishealth.com/compliance/hipaaresource.html

0 Votes

I'll bet you couldn't get your own health records that easily.

0 Votes
Specializes in ORTHOPAEDICS-CERTIFIED SINCE 89.

This is all to true. My hubby has prescription insurance and takes several expensive medications. Last week he got a letter from a mail order pharmacy saying that they could save him money on his diabetes medication.

Now HOW did they get that information except through the insurance company?

And talking about medical records. When I was undergoing all the testing about my back, I had to provide one doctor with ALL my medical records. I PAID big money to have them copied and sent to him. He took one look at them and said "I cant take the time to read through al this."... So I asked for them back. He REFUSED!!! I'm still working on that.

P

0 Votes
Specializes in ER.

OK, and you paid for them to be copied, they are about you, and you have every right to read them...are you still seeing this duck farmer?

0 Votes

How are we going to deal with the HIPPA rules when patients are in semi-private rooms? Our hospital almost all the rooms are semi-private except for OB and ICU. How are we going to guard the patient's privacy then? Those curtains sure aren't soundproof!!!

0 Votes
Specializes in Vents, Telemetry, Home Care, Home infusion.

Curtain pulled along with lowered voice when discussing diagnosis or other sensitive information is enough to meet the intent of the law.

0 Votes
Specializes in Informatics, Education, and Oncology.

The Health Insurance Portability and Accountability Act (HIPAA) requires that health care organizations establish data content standards for electronic health data, create technical and administrative procedures to ensure the security of electronic health data and forge policies to protect the confidentiality of medical information. Although far from "perfect" the regulation will go a long way toward promoting confidence in the privacy of health information.

Understanding and complying with this federal mandate affects our clinical practice. If you deal with identifiable patient information you too should thoroughly understand HIPAA as it will direct how you handle patient information written, verbal and electronic.

Still of major concern is a lack of awareness and compliance amongst clinicians. There is a need to instill a security conciseness in healthcare practitioners and a mandate to securely transmit and store identifiable patient data.

There are penalties for failure to meet the privacy regulations and for inappropriately disclosing or receiving patient health information. Penalties can be either criminal or civil and can result in monetary fines, imprisonment, or both. Monetary penalties range from $100 to $100,000 depending upon severity. Imprisonment can be for up to 10 years depending on severity. Both institutions and individuals can be held liable for breaches in patient privacy and confidentiality, as the penalties do not just apply to organizations.

HIPAA compliance will require the use of appropriate technology, education, changes in previous practice patterns and implementation of organizational policies and procedures. "Reasonable" and "scalable" solutions can be employed to achieve HIPAA compliance without interfering with the delivery of quality nursing and health care.

0 Votes
+ Add a Comment