HIPAA Omnibus: Marketing and Fundraising
Attorney Discusses Compliance Steps to Take
The HIPAA Omnibus Rule strengthens the limitations on the use of protected health information for marketing and fundraising purposes, and policies must reflect those changes, Oscislawski explains in an interview with Information Security Media Group.
If organizations lack clear-cut policies on how patients' protected health information can be used for marketing and fundraising purposes, they had better develop those policies pronto or risk potentially hefty penalties, warns Oscislawski, a corporate and regulatory attorney whose practice focuses almost exclusively on advising healthcare clients.
She points out that the Department of Health and Human Services' Office for Civil Rights already has issued a financial penalty in a HIPAA non-compliance case involving marketing-related issues. (That December 2010 resolution agreement with Management Services Organization Washington Inc. stemmed from inappropriate disclosure of PHI to a subsidiary for marketing purposes and the lack of policies and staff training related to protecting PHI.)
Now that the HIPAA Omnibus Rule holds business associates directly liable for HIPAA compliance, those organizations could face similar OCR enforcement actions, she warns.
"It's imperative that business associates take a look at ... the full scope of services that a covered entity has contracted it to do," she says. As a business associate, "if I go outside that scope, then I am in violation of HIPAA," she says.
Under the HIPAA Omnibus Rule, healthcare organizations must obtain patient authorization to use, sell or disclose their health information for marketing communications by third parties. Plus, organizations must implement procedures for how patients can opt out of receiving fundraising communications, Oscislawski also points out.
Covered entities and business associates must train their staffs to understand their policies around using patient PHI for fundraising and marketing purposes, and then carry out the related processes, she says. "Clear policies result in clear action and processes, and unclear or unambiguous policies or lack of policies result in ... trouble in how PHI may be used," she says.
In the interview, Oscislawski also discusses:
- How HIPAA Omnibus changes how patient data can be used for marketing and fundraising purposes;
- The kinds of business associates that might use patient data for marketing or fundraising purposes - and the compliance steps they need to take;
- The biggest challenges business associates and covered entities are likely to face when complying with the rule's marketing and fundraising provisions.
Before founding Attorneys at Oscislawski, a healthcare law firm based in Princeton, N.J., Oscislawski was a healthcare attorney with a national law firm for almost a decade. In 2008, Gov. Jon Corzine appointed Oscislawski to the New Jersey Health Information Technology Commission to fill the seat reserved by statute for "an attorney practicing in this state with demonstrated expertise in health privacy." In 2010, Gov. Chris Christie reappointed Oscislawski to the HIT Commission, and she was also tapped to serve as chair of the State Privacy and Security Committee. Oscislawski received her law degree from Rutgers School of Law.