|
|
Standards for Privacy of Individually Identifiable
Health Information
III. Section-by-Section Description of Final
Modifications and
Response to Comments
A. Section 164.501--Definitions
1. Marketing
December 2000 Privacy Rule
The Privacy Rule defined "marketing" at Sec. 164.501 as a communication
about a product or service, a purpose of which is to encourage recipients
of the communication to purchase or use the product or service,
subject to certain limited exceptions. To avoid interfering with,
or unnecessarily burdening communications about, treatment or about
the benefits and services of health plans and health care providers,
the Privacy Rule explicitly excluded two types of communications
from the definition of "marketing:" (1) communications made by
a covered entity for the purpose of describing the participating
providers and health plans in a network, or describing the services
offered by a provider or the benefits covered by a health plan;
and (2) communications made by a health care provider as part of
the treatment of a patient and for the purpose of furthering that
treatment, or made by a provider or health plan in the course of
managing an individual's treatment or recommending an alternative
treatment. Thus, a health plan could send its enrollees a listing
of network providers, and a health care provider could refer a patient
to a specialist without either an authorization under Sec. 164.508
or having to meet the other special requirements in Sec. 164.514(e)
that attach to marketing communications. However, these communications
qualified for the exception to the definition of "marketing" only
if they were made orally or, if in writing, were made without remuneration
from a third party. For example, it would not
have been marketing for a pharmacy to call a patient about the need
to refill a prescription, even if that refill reminder was subsidized
by a third party; but it would have been marketing for that same,
subsidized refill reminder to be sent to the patient in the mail.
Generally, if a communication was marketing, the Privacy Rule required
the covered entity to obtain the individual's authorization to use
or disclose protected health information to make the communication.
However, the Privacy Rule, at Sec. 164.514(e), permitted the covered
entity to make health-related marketing communications without such
authorization, provided it complied with certain conditions on the
manner in which the communications were made. Specifically, the
Privacy Rule permitted a covered entity to use or disclose protected
health information to communicate to individuals about the health-related
products or services of the covered entity or of a third party,
without first obtaining an authorization for that use or disclosure
of protected health information, if the communication: (1) Identified
the covered entity as the party making the communication; (2) identified,
if applicable, that the covered entity received direct or indirect
remuneration from a third party for making the communication; (3)
with the exception of general circulation materials, contained instructions
describing how the individual could opt-out of receiving future
marketing communications; and (4) where protected health information
was used to target the communication about a product or service
to individuals based on their health status or health condition,
explained why the individual had been targeted and how the product
or service related to the health of the individual.
For certain permissible marketing communications, however, the
Department did not believe these conditions to be practicable. Therefore,
Sec. 164.514(e) also permitted a covered entity to make a marketing
communication that occurred in a face-to-face encounter with the
individual, or that involved products or services of only nominal
value, without meeting the above conditions or requiring an authorization.
These provisions, for example, permitted a covered entity to provide
sample products during a face-to-face communication, or to distribute
calendars, pens, and the like, that displayed the name of a product
or provider.
March 2002 NPRM
The Department received many complaints concerning the complexity
and unworkability of the Privacy Rule's marketing requirements.
Many entities expressed confusion over the Privacy Rule's distinction
between health care communications that are excepted from the definition
of "marketing" versus those that are marketing but permitted subject
to the special conditions in Sec. 164.514(e). For example, questions
were raised as to whether disease management communications or refill
reminders were "marketing" communications subject to the special
disclosure and opt-out conditions in
Sec. 164.514(e). Others stated that it was unclear whether various
health care operations activities, such as general health-related
educational and wellness promotional activities, were to be treated
as marketing under the Privacy Rule.
The Department also learned that consumers were generally dissatisfied
with the conditions required by Sec. 164.514(e). Many questioned
the general effectiveness of the conditions and whether the conditions
would properly protect consumers from unwanted disclosure of protected
health information to commercial entities, and from the intrusion
of unwanted solicitations. They expressed specific dissatisfaction
with the provision at Sec. 164.514(e)(3)(iii) for individuals to
opt-out of future marketing communications. Many argued for the
opportunity to opt-out of marketing communications before any
marketing occurred. Others requested that the Department limit marketing
communications to only those consumers who affirmatively chose to
receive such communications.In response to these concerns, the Department
proposed to modify the Privacy Rule to make the marketing provisions
clearer and simpler. First, the Department proposed to simplify
the Privacy Rule by eliminating the special provisions for marketing
health-related products and services at Sec. 164.514(e). Instead,
any use or disclosure of protected health information for a communication
defined as "marketing" in Sec. 164.501 would require an authorization
by the individual. Thus, covered entities would no longer be able
to make any type of marketing communications that involved the use
or disclosure of protected health information without authorization
simply by meeting the disclosure and opt-out conditions in the Privacy
Rule. The Department intended to effectuate greater consumer privacy
protection by requiring authorization for all uses or disclosures
of protected
health information for marketing communications, as compared to
the disclosure and opt-out conditions of Sec. 164.514(e).
Second, the Department proposed minor clarifications to the Privacy
Rule's definition of "marketing" at Sec. 164.501. Specifically,
the Department proposed to define "marketing" as "to make a communication
about a product or service to encourage recipients of the communication
to purchase or use the product or service." The proposed modification
retained the substance of the "marketing" definition, but changed
the language slightly to avoid the implication that in order for
a communication to be marketing, the purpose or intent of the covered
entity in making such a communication would have to be determined.
The simplified language permits the Department to make the determination
based on the communication itself.
Third, with respect to the exclusions from the definition of "marketing"
in Sec. 164.501, the Department proposed to simplify the language
to avoid confusion and better conform to other sections of the regulation,
particularly in the area of treatment communications. The proposal
retained the exclusions for communications about a covered entity's
own products and services and about the treatment of the individual.
With respect to the exclusion for a communication made "in the
course of managing the treatment of that individual," the Department
proposed to modify the language to use the terms "case management"
and "care coordination" for that individual. These terms are more
consistent with the terms used in the definition of "health care
operations," and were intended to clarify the Department's intent.
One substantive change to the definition proposed by the Department
was to eliminate the condition on the above exclusions from the
definition of "marketing" that the covered entity could not receive
remuneration from a third party for any written communication. This
limitation was not well understood and treated similar communications
differently. For example, a prescription refill reminder was marketing
if it was in writing and paid for by a third party, while a refill
reminder that was not subsidized, or was made orally, was not marketing.
With the proposed elimination of the health-related marketing requirements
in Sec. 164.514(e) and the proposed requirement that any marketing
communication require an individual's prior written authorization,
retention of this condition would have adversely affected a health
care provider's ability to make many common health-related communications.
Therefore, the Department proposed to eliminate the remuneration
prohibition to the exceptions to the definition so as not to interfere
with necessary and important treatment and health-related communications
between a health care provider and patient.
To reinforce the policy requiring an authorization for most marketing
communications, the Department proposed to add a new marketing provision
at Sec. 164.508(a)(3) explicitly requiring an authorization for
a use or disclosure of protected health information for marketing
purposes. Additionally, if the marketing was expected to result
in direct or indirect remuneration to the covered entity from a
third party, the Department proposed that the authorization state
this fact. As noted above, because a use or disclosure of protected
health information for marketing communications required an authorization,
the disclosure and opt-out provisions in Sec. 164.514(e) no longer
would be necessary and the Department proposed to eliminate them.
As in the December 2000 Privacy Rule at Sec. 164.514(e)(2), the
proposed modifications at Sec. 164.508(a)(3) excluded from the marketing
authorization requirements face-to-face communications made by a
covered entity to an individual. The Department proposed to retain
this exception so that the marketing provisions would not interfere
with the relationship and dialogue between health care providers
and individuals. Similarly, the Department proposed to retain the
exception to the authorization requirement for a marketing communication
that involved products or services of nominal value, but proposed
to replace the language with the common business term "promotional
gift of nominal value."
As noted above, because some of the proposed simplifications were
a substitute for Sec. 164.514(e), the Department proposed to eliminate
that section, and to make conforming changes to remove references
to Sec. 164.514(e) at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v)
of the definition of "health care operations" in Sec. 164.501.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response to
Other Public Comments."
The Department received generally favorable comment on its proposal
to simplify the marketing provisions by requiring authorizations
for uses or disclosures of protected health information for marketing
communications, instead of the special provisions for health-related
products and services at Sec. 164.514(e). Many also supported the
requirement that authorizations notify the individual of marketing
that results in direct or indirect remuneration to the covered entity
from a third party. They argued that for patients to make informed
decisions, they must be notified of potential financial conflicts
of interest. However, some commenters opposed the authorization
requirement for marketing, arguing instead for the disclosure and
opt-out requirements
at Sec. 164.514(e) or for a one-time, blanket authorization from
an individual for their marketing activities.
Commenters were sharply divided on whether the Department had properly
defined what is and what is not marketing. Most of those opposed
to the Department's proposed definitions objected to the elimination
of health-related communications for which the covered entity received
remuneration from the definition of "marketing." They argued that
these communications would have been subject to the consumer protections
in Sec. 164.514(e) but, under the proposal, could be made without
any protections at all. The mere presence of remuneration raised
conflict of interest concerns for these commenters,
who feared patients would be misled into thinking the covered entity
was acting solely in the patients' best interest when recommending
an alternative medication or treatment. Of particular concern to
these commenters was the possibility of a third party, such as a
pharmaceutical company, obtaining a health care provider's patient
list to market its own products or services directly to the patients
under the guise of recommending an "alternative treatment" on
behalf of the provider. Commenters argued that, even if the parties
attempted to cloak the transaction in the trappings of a business
associate relationship, when the remuneration flowed from the third
party to the covered entity, the transaction was tantamount to selling
the patient lists and ought to be considered marketing.On the other
hand, many commenters urged the Department to broaden the categories
of communications that are not marketing. Several expressed concern
that, under the proposal, they would be unable to send newsletters
and other general circulation materials with
information about health-promoting activities (e.g., screenings
for certain diseases) to their patients or members without an authorization.
Health plans were concerned that they would be unable to send information
regarding enhancements to health insurance coverage to their members
and beneficiaries. They argued, among other things, that they should
be excluded from the definition of "marketing" because these communications
would be based on limited, non-clinical protected health information,
and because policyholders benefit and use such information to fully
evaluate the mix of coverage most appropriate to their needs. They
stated that providing such information is especially important given
that individual and market-wide needs, as well as
benefit offerings, change over time and by statute. For example,
commenters informed the Department that some States now require
long-term care insurers to offer new products to existing policyholders
as they are brought to market and to allow policyholders to purchase
the new benefits through a formal upgrade process. These health
plans were concerned that an authorization requirement for routine
communications about options and enhancements would take significant
time and expense. Some insurers also urged that they be allowed
to market other lines of insurance to their health plan enrollees.
A number of commenters urged the Department to exclude any activity
that met the definitions of "treatment," "payment," or "health
care operations" from the definition of "marketing" so that they
could freely inform customers about prescription discount card and
price subsidy programs. Still others wanted the Department to broaden
the treatment exception to include all health-related communications
between providers and patients.
Final Modifications
The Department adopts the modifications to marketing substantially
as proposed in the NPRM, but makes changes to the proposed definition
of "marketing" and further clarifies one of the exclusions
from the definition of "marketing" in response to comments
on the proposal. The definition of "marketing" is modified
to close what commenters characterized as a loophole, that is, the
possibility that covered entities, for remuneration, could disclose
protected health information to a third party that would then be
able to market its own products and services directly to individuals.
Also, in response to comments, the Department clarifies the language
in the marketing exclusion for communications about a covered entity's
own products and services.As it proposed to do, the Department eliminates
the special provisions for marketing health-related products and
services at Sec. 164.514(e). Except as provided for at Sec. 164.508(a)(3),
a covered entity must have the individual's prior written authorization
to use or disclose protected health information for marketing communications
and will no longer be able to do so simply by meeting the disclosure
and opt-out provisions, previously set forth in Sec. 164.514(e).
The Department agrees with commenters that the authorization provides
individuals with more control over whether they receive marketing
communications and better privacy protections for such uses and
disclosures of their health information. In response to commenters
who opposed this proposal, the Department does not believe that
an opt-out requirement for marketing communications would provide
a sufficient level of control for patients regarding their health
information. Nor does the Department believe that a blanket authorization
provides sufficient privacy protections for individuals. Section
164.508(c) sets forth the core elements of an authorization necessary
to give individuals control of their protected health
information. Those requirements give individuals sufficient information
and notice regarding the type of use or disclosure of their protected
health information that they are authorizing. Without such specificity,
an authorization would not have meaning. Indeed, blanket marketing
authorizations would be considered defective under Sec. 164.508(b)(2).
The Department adopts the general definition of "marketing" with
one clarification. Thus, "marketing" means "to make a communication
about a product or service that encourages the recipients of the
communication to purchase or use the product or service." In removing
the language referencing the purpose of the communication and substituting
the term "that encourages" for the term "to encourage", the
Department intends to simplify the determination of whether a communication
is marketing. If, on its face, the communication encourages recipients
of the communication to purchase or
use the product or service, the communication is marketing. A few
commenters argued for retaining the purpose of the communication
as part of the definition of "marketing" based on their belief
that the intent of the communication was a clearer and more definitive
standard than the effect of the communication. The Department disagrees
with these commenters. Tying the definition of "marketing" to
the purpose of the communication creates a subjective standard that
would be difficult to enforce because the intent of the communicator
rarely would be documented in advance. The definition adopted by
the Secretary allows the communication to speak for itself.
The Department further adopts the three categories of communications
that were proposed as exclusions from the definition of "marketing."
Thus, the covered entity is not engaged in marketing when it communicates
to individuals about: (1) The participating providers and health
plans in a network, the services offered by a provider, or the benefits
covered by a health plan; (2) the individual's treatment; or (3)
case management or care coordination for
that individual, or directions or recommendations for alternative
treatments, therapies, health care providers, or settings of care
to that individual. For example, a doctor that writes a prescription
or refers an individual to a specialist for follow-up tests is engaging
in a treatment communication and is not marketing a product or service.
The Department continues to exempt from the "marketing" definition
the same types of communications that were not marketing under the
Privacy Rule as published in December 2000, but has modified some
of the language to better track the terminology used in the definition
of "health care operations." The commenters generally supported
this clarification of the language.
The Department, however, does not agree with commenters that sought
to expand the exceptions from marketing for all communications that
fall within the definitions of "treatment," "payment," or "health
care operations." The purpose of the exclusions from the definition
of marketing is to facilitate those communications that enhance
the individual's access to quality health care. Beyond these important
communications, the public strongly objected to any commercial use
of protected health information to attempt to sell products or services,
even when the product or service is arguably health related. In
light of these strong public objections, ease of administration
is an insufficient justification to categorically exempt all communications
about payment and health care operations from the definition of
"marketing."
However, in response to comments, the Department is clarifying
the language that excludes from the definition of "marketing"
those communications that describe network participants and the
services or benefits of the covered entity. Several commenters,
particularly insurers, were concerned that the reference to a "plan
of benefits" was too limiting and would prevent them from sending
information to their enrollees regarding enhancements or upgrades
to their health insurance coverage. They inquired whether the following
types of communications would be permissible: enhancements to existing
products; changes in deductibles/copays and types of coverage (e.g.,
prescription drug); continuation products for students reaching
the age of majority
on parental policies; special programs such as guaranteed issue
products and other conversion policies; and prescription drug card
programs. Some health plans also inquired if they could communicate
with beneficiaries about "one-stop shopping" with their companies
to obtain long-term care, property, casualty, and life insurance
products.
The Department understands the need for covered health care providers
and health plans to be able to communicate freely to their patients
or enrollees about their own products, services, or benefits. The
Department also understands that some of these communications are
required by State or other law. To ensure that such communications
may continue, the Department is broadening its policy, both of the
December 2000 Privacy Rule as well as proposed in the March 2002
NPRM, to allow covered entities to use protected health information
to convey information to beneficiaries and members about health
insurance products offered by the covered entity that could enhance
or substitute for existing health plan coverage. Specifically, the
Department modifies the relevant exemption from the definition of
"marketing" to include communications that describe "a health-related
product or
service (or payment for such product or service) that is provided
by, or included in a plan of benefits of, the covered entity making
the communication, including communications about: the entities
participating in a health care provider network or health plan network;
replacement of, or enhancements to a health plan; and health-related
products or services available only to a health plan enrollee that
add value to, but are not part of, a plan of benefits." Thus, under
this exemption, a health plan is not engaging in marketing when
it advises its enrollees about other available health plan coverages
that could enhance or substitute for existing health plan coverage.
For example, if a child is about to age out of coverage under a
family's policy, this provision will allow the plan to send the
family information about continuation coverage for the child. This
exception, however, does not extend to excepted benefits
(described in section 2791(c)(1) of the Public Health Service Act,
42 U.S.C. 300gg-91(c)(1)), such as accident-only policies), nor
to other lines of insurance (e.g., it is marketing for a multi-line
insurer to promote its life insurance policies using protected health
information).
Moreover, the expanded language makes clear that it is not marketing
when a health plan communicates about health-related products and
services available only to plan enrollees or members that add value
to, but are not part of, a plan of benefits. The provision of value-added
items or services (VAIS) is a common practice, particularly for
managed care organizations. Communications about VAIS may qualify
as a communication that is about a health plan's own products or
services, even if VAIS are not considered plan benefits for the
Adjusted Community Rate purposes. To qualify for this exclusion,
however, the VAIS must meet two conditions. First, they must be
health-related. Therefore, discounts offered by Medicare+Choice
or other managed care
organizations for eyeglasses may be considered part of the plan's
benefits, whereas discounts to attend movie theaters will not. Second,
such items and services must demonstrably "add value" to the plan's
membership and not merely be a pass-through of a discount or item
available to the public at large. Therefore, a Medicare+Choice or
other managed care organization could, for example, offer its members
a special discount opportunity for a health/fitness club without
obtaining authorizations, but could not pass along to its members
discounts to a health fitness club that the members would be able
to obtain directly from the health/fitness clubs.
In further response to comments, the Department has added new language
to the definition of "marketing" to close what commenters perceived
as a loophole that a covered entity could sell protected health
information to another company for the marketing of that company's
products or services. For example, many were concerned that a pharmaceutical
company could pay a provider for a list of patients with a particular
condition or taking a particular medication and then use that list
to market its own drug products directly to those patients. The
commenters believed the proposal would permit this to happen under
the guise of the pharmaceutical company acting as a business associate
of the covered entity for the purpose of recommending an alternative
treatment or therapy to the individual. The Department agrees with
commenters that the potential for manipulating the business associate
relationship in this fashion should be expressly prohibited. Therefore,
the Department is adding language that would make clear that business
associate transactions of this nature are marketing. Marketing is
defined expressly to include "an arrangement between a covered
entity and any other entity whereby the covered entity discloses
protected health information to the other entity, in exchange for
direct or indirect remuneration, for the other entity or its affiliate
to make a communication about its own product or service that encourages
recipients of the communication to purchase or use that product
or service." These communications are marketing and can only occur
if the covered entity obtains the individual's authorization pursuant
to Sec. 164.508. The Department believes that this provision will
make express the fundamental prohibition against covered entities
selling lists of patients or enrollees to third parties, or from
disclosing protected health information to a third party for the
marketing activities of the third party, without the written authorization
of the individual. The Department further notes that manufacturers
that receive identifiable health information and misuse it may be
subject to action taken under other consumer protection statutes
by other Federal agencies, such as the Federal Trade Commission.
The Department does not, however, agree with commenters who argued
for retention of the provisions that would condition the exclusions
from the "marketing" definition on the absence of remuneration.
Except for the arrangements that are now expressly defined as "marketing,"
the Department eliminates the conditions that communications are
excluded from the definition of "marketing" only if they are made
orally, or, if in writing, are made without any direct or indirect
remuneration. The Department does not agree that the simple receipt
of remuneration should transform a treatment communication into
a commercial promotion of a product or service. For example, health
care providers should be able to, and can, send patients prescription
refill reminders regardless of whether a third party pays or subsidizes
the communication. The covered entity also is able to engage a
legitimate business associate to assist it in making these permissible
communications. It is only in situations where, in the guise of
a business associate, an entity other than the covered entity is
promoting its own products using protected health information it
has received from, and for which it has paid, the covered entity,
that the remuneration will place the activity within the definition
of "marketing."
In addition, the Department adopts the proposed marketing authorization
provision at Sec. 164.508(a)(3), with minor language changes to
conform to the revised "marketing" definition. The Rule expressly
requires an authorization for uses or disclosures of protected health
information for marketing communications, except in two circumstances:
(1) When the communication occurs in a face-to-face encounter between
the covered entity and the individual; or (2) the communication
involves a promotional gift of nominal value. A marketing authorization
must include a statement about remuneration, if any. For ease of
administration, the Department has changed the regulatory provision
to require a statement on the authorization whenever the
marketing "involves" direct or indirect remuneration to the covered
entity from a third party, rather than requiring the covered entity
to identify those situations where "the marketing is expected to
result in" remuneration.
Finally, the Department clarifies that nothing in the marketing
provisions of the Privacy Rule are to be construed as amending,
modifying, or changing any rule or requirement related to any other
Federal or State statutes or regulations, including specifically
anti-kickback, fraud and abuse, or self-referral statutes or regulations,
or to authorize or permit any activity or transaction currently
proscribed by such statutes and regulations. Examples of such laws
include the anti-kickback statute (section 1128B(b) of the Social
Security Act), safe harbor regulations (42 CFR part 1001), Stark
law (section 1877 of
the Social Security Act) and regulations (42 CFR parts 411 and 424),
and HIPAA statute on self-referral (section 1128C of the Social
Security Act). The definition of "marketing" is solely applicable
to the Privacy Rule and the permissions granted by the Rule are
only for a covered entity's use or
disclosure of protected health information. In particular, although
this regulation defines the term "marketing" to exclude communications
to an individual to recommend, purchase, or use a product or service
as part of the treatment of the individual or for case management
or care coordination of that individual, such communication by a
"white coat" health care professional may violate the anti-kickback
statute. Similar examples for pharmacist
communications with patients relating to the marketing of products
on behalf of pharmaceutical companies were identified by the OIG
as problematic in a 1994 Special Fraud Alert (December 19, 1994,
59 FR 65372). Other violations have involved home health nurses
and physical therapists acting as marketers for durable medical
equipment companies. Although a particular communication under the
Privacy Rule may not require patient authorization because it is
not marketing, or may require patient authorization because it is
"marketing" as the Rule defines it, the arrangement may nevertheless
violate other statutes and regulations administered by HHS, the
Department of Justice, or other Federal or State agency.
Response to Other Public Comments
Comment: Some commenters recommended that the definition
of "marketing" be broadened to read as follows: "any
communication about a product or service to encourage recipients
of the communication to purchase or use the product or service or
that will make the recipient aware of the product or service available
for purchase or use by the recipient." According to these commenters,
the additional language would capture marketing campaign activities
to establish "brand recognition."
Response: The Department believes that marketing campaigns
to establish brand name recognition of products is already encompassed
within the general definition of "marketing" and that
it is not necessary to add language to accomplish this purpose.
Comment: Some commenters opposed the proposed deletion of
references to the covered entity as the source of the communications,
in the definition of those communications that were excluded from
the "marketing" definition. They objected to these non-marketing
communications being made by unrelated third parties based on protected
health information disclosed to these third parties by the covered
entity, without the individual's knowledge or authorization.
Response: These commenters appear to have misinterpreted
the proposal as allowing third parties to obtain protected health
information from covered entities for marketing or other purposes
for which the Rule requires an individual's authorization. The deletion
of the specific reference to the covered entity does not permit
disclosures to a third party beyond the disclosures already permitted
by the Rule. The change is intended to be purely editorial: since
the Rule applies only to covered entities, the only entities whose
communications can be governed by the Rule are covered entities,
and thus the reference to covered entities there was redundant.
Covered entities may not disclose protected health information to
third parties for marketing purposes without authorization from
the individual, even if the third party is acting as the business
associate of the disclosing covered entity. Covered entities may,
however, use protected health information to communicate with individuals
about the covered entity's own health-related products or services,
the individual's treatment, or case management or care coordination
for the individual. The covered entity does not need an authorization
for these types of
communications and may make the communication itself or use a business
associate to do so.
Comment: Some commenters advocated for reversion to the
provision in Sec. 164.514(e) that the marketing communication identify
the covered entity responsible for the communication, and argued
that the covered entity should be required to identify itself as
the source of the protected health information.
Response: As modified, the Privacy Rule requires the individual's
written authorization for the covered entity to use or disclose
protected health information for marketing purposes, with limited
exceptions. The Department believes that the authorization process
itself will put the individual sufficiently on notice that the covered
entity is the source of the protected health information. To the
extent that the commenter suggests that these disclosures are necessary
for communications that are not "marketing'as defined by the
Rule, the Department disagrees because such a requirement would
place an undue burden on necessary health-related communications.
Comment: Many commenters opposed the proposed elimination
of the provision that would have transformed a communication exempted
from marketing into a marketing communication if it was in writing
and paid for by a third party. They argued that marketing should
include any activity in which a covered entity receives compensation,
directly or indirectly, through such things as discounts from another
provider, manufacturer, or service provider in exchange for providing
information about the manufacturer or service provider's products
to consumers, and that consumers should be advised whenever such
remuneration is involved and allowed to opt-out of future communications.
Response: The Department considered whether remuneration
should determine whether a given activity is marketing, but ultimately
concluded that remuneration should not define whether a given activity
is marketing or falls under an exception to marketing. In fact,
the Department believes that the provision in the December 2000
Rule that transformed a treatment communication into a marketing
communication if it was in writing and paid for by a third party
blurred the line between treatment and marketing in ways that would
have made the Privacy Rule difficult to implement. The Department
believes that certain health care communications, such as refill
reminders or informing patients about existing or new health care
products or
services, are appropriate, whether or not the covered entity receives
remuneration from third parties to pay for them. The fact that remuneration
is received for a marketing communication does not mean the communication
is biased or inaccurate. For the same reasons, the Department does
not believe that the communications that are exempt from the definition
of "marketing" require any special conditions, based solely on
direct or indirect remuneration received by the covered entity.
Requiring disclosure and opt-out conditions on these communications,
as Sec. 164.514(e) had formerly imposed on health-related marketing
communications, would add a layer of complexity to the Privacy Rule
that the Department intended to eliminate. Individuals, of course,
are free to negotiate with covered entities for limitations on such
uses and disclosures, to which the entity may, but is not required
to, agree.
The Department does agree with commenters that, in limited circumstances,
abuses can occur. The Privacy Rule, both as published in December
2000 and as proposed to be modified in March 2002, has always prohibited
covered entities from selling protected health information to a
third party for the marketing activities of the third party, without
authorization. Nonetheless, in response to continued public concern,
the Department has added a new provision to the definition of "marketing"
to prevent situations in which a covered entity could take advantage
of the business associate relationship to sell protected health
information to another entity for that entity's commercial marketing
purposes. The Department intends this prohibition to address the
potential financial conflict of interest that would lead a covered
entity to disclose protected health information to another entity
under the guise of a treatment exemption.
Comment: Commenters argued that written authorizations (opt-ins)
should be required for the use of clinical information in marketing.
They stated that many consumers do not want covered entities to
use information about specific clinical conditions that an individual
has, such as AIDS or diabetes, to target them for marketing of services
for such conditions.
Response: The Department does not intend to interfere with
the ability of health care providers or health plans to deliver
quality health care to individuals. The "marketing" definition
excludes communications for the individual's treatment and for case
management, care coordination or the recommendation of alternative
therapies. Clinical information is critical for these communications
and, hence, cannot be used to distinguish between communications
that are or are not marketing. The covered entity needs the individual's
authorization to use or disclose protected health information for
marketing communications, regardless of whether clinical information
is to be used.
Comment: The proposed modification eliminated the Sec. 164.514
requirements that permitted the use of protected health information
to market health-related products and services without an authorization.
In response to that proposed modification, many commenters asked
whether covered entities would be allowed to make communications
about "health education" or "health promoting"
materials or services without an authorization under the modified
Rule. Examples included communications about health improvement
or disease prevention, new developments in the diagnosis or treatment
of disease, health fairs, health/wellness-oriented classes or support
groups.
Response: The Department clarifies that a communication
that merely promotes health in a general manner and does not promote
a specific product or service from a particular provider does not
meet the general definition of "marketing." Such communications
may include population-based activities to improve health or reduce
health care costs as set forth in the definition of "health
care operations" at Sec. 164.501. Therefore, communications,
such as mailings reminding women to get an annual mammogram, and
mailings providing information about how to lower cholesterol, about
new developments in health care (e.g., new diagnostic tools), about
health or "wellness" classes, about support groups, and
about health fairs are permitted, and are not
considered marketing.
Comment: Some commenters asked whether they could communicate
with beneficiaries about government programs or government-sponsored
programs such as information about SCHIP; eligibility for Medicare/Medigap
(e.g., eligibility for limited, six-month open enrollment period
for Medicare supplemental benefits).
Response: The Department clarifies that communications about
government and government-sponsored programs do not fall within
the definition of "marketing." There is no commercial
component to communications about benefits available through public
programs. Therefore, a covered entity is permitted to use and disclose
protected health information to communicate about eligibility for
Medicare supplemental benefits, or SCHIP. As in our response above,
these communications may reflect population-based activities to
improve health or reduce health care costs as set forth in the definition
of "health care operations" at Sec. 164.501.
Comment: The proposed modification eliminated the Sec. 164.514
requirements that allowed protected health information to be used
and disclosed without authorization or the opportunity to opt-out,
for communications contained in newsletters or similar general communication
devices widely distributed to patients, enrollees, or other broad
groups of individuals. Many commenters requested clarification as
to whether various types of general circulation materials would
be permitted under the proposed modification. Commenters argued
that newsletters or similar general communication devices widely
distributed to patients, enrollees, or other broad groups of individuals
should be permitted without authorizations because they are "common"
and "serve appropriate information distribution purposes"
and, based on their general circulation, are less intrusive than
other forms of communication.
Response: Covered entities may make communications in newsletter
format without authorization so long as the content of such communications
is not "marketing," as defined by the Rule. The Department
is not creating any special exemption for newsletters.
Comment: One commenter suggested that, even when authorizations
are granted to disclose protected health information for a particular
marketing purpose to a non-covered entity, there should also be
an agreement by the third party not to re-disclose the protected
health information. This same commenter also recommended that the
Privacy Rule place restrictions on non-secure modes of making communications
pursuant to an authorization. This commenter argued that protected
health information should not be disclosed on the outside of mailings
or through voice mail, unattended FAX, or other modes of communication
that are not secure.
Response: Under the final Rule, a covered entity must obtain
an individual's authorization to use or disclose protected health
information for a marketing communication, with some exceptions.
If an individual wanted an authorization to limit the use of the
information by the covered entity, the individual could negotiate
with the covered entity to make that clear in the authorization.
Similarly, individuals can request confidential forms of communication,
even with respect to authorized disclosures. See Sec. 164.522(b).
Comment: Commenters requested that HHS provide clear guidance
on what types of activities constitute a use or disclosure for marketing,
and, therefore, require an authorization.
Response: The Department has modified the "marketing"
definition to clarify the types of uses or disclosures of protected
health information that are marketing, and, therefore, require prior
authorization and those that are not marketing. The Department intends
to update its guidance on this topic and address specific examples
raised by commenters at that time.
Comment: A number of commenters wanted the Department to
amend the face-to-face authorization exception. Some urged that
it be broadened to include telephone, mail and other common carriers,
fax machines, or the Internet so that the exception would cover
communications between providers and patients that are not in person.
For example, it was pointed out that some providers, such as home
delivery pharmacies, may have a direct treatment relationship, but
communicate with patients through other channels. Some raised specific
concerns about communicating with "shut-ins" and "persons
living in rural areas." Other commenters asked the Department
to make the exception more narrow to cover only those marketing
communications made
by a health care provider, as opposed to by a business associate,
or to cover only those marketing communications of a provider that
arise from a treatment or other essential health care communication.
Response: The Department believes that expanding the face-to-face
authorization exception to include telephone, mail, and other common
carriers, fax machines or the Internet would create an exception
essentially for all types of marketing communications. All providers
potentially use a variety of means to communicate with their patients.
The authorization exclusion, however, is narrowly crafted to permit
only face-to-face encounters between the covered entity and the
individual.
The Department believes that further narrowing the exception to
place conditions on such communications, other than that it be face-to-face,
would neither be practical nor better serve the privacy interests
of the individual. The Department does not intend to police communications
between doctors and patients that take place in the doctor's office.
Further limiting the exception would add a layer of complexity to
the Rule, encumbering physicians and potentially causing them to
second-guess themselves when making treatment or other essential
health care communications. In this context, the individual can
readily stop any unwanted communications, including any communications
that may otherwise meet the definition of "marketing."
|
 |
 |
