HIPAA Enforcement: The Next Step
Attorney Predicts Scrutiny of PHI Used for Marketing
HIPAA attorney Brad Rostolsky expects to see a ramping up of federal investigations concerning the inappropriate sale of protected health information for marketing purposes.
Among the many provisions of the HIPAA Omnibus Rule, which went into effect last year, were stronger limits on the use and disclosure of PHI for marketing and fundraising purposes and a prohibition on the sale of PHI without individual authorization. Under the rule, patients must opt in by providing written authorization before their PHI can be used in paid marketing relationships.
The Department of Health and Human Services' Office for Civil Rights has so far focused the bulk of its HIPAA enforcement activity on breach and compliance investigations that consider whether organizations have conducted a HIPAA security risk analysis, Rostolsky says. But he believes OCR will expand its scrutiny of compliance with other HIPAA Omnibus provisions, including the privacy measures that restrict the use of PHI for marketing activities.
Rostolsky, of the national law firm Reed Smith, points out in an interview with Information Security Media Group that OCR issued guidance in September 2013 about the specific, allowable use of PHI to communicate prescription reminders.
Understand Where PHI Flows
"The most prudent thing is to get a sense of your PHI flow throughout your organization and through your different business relationships," he says. "Understanding where the PHI is going, why is it going there, and [whether] there are any dollars changing hands as a result or in connection to that" is critical, he adds.
Issues involving the sale of PHI could potentially be triggered not just by dollars being paid to a business associate for services, but by other benefits flowing from the relationship. "There's a potential that ... deals being struck where PHI is involved could implicate" unauthorized use of PHI for marketing, he says. "One could make the argument that OCR is starting to regulate whether a business associate is being paid appropriately for their services."
In the interview, Rostolsky also discusses:
- How healthcare entities and business associates should prepare for upcoming HIPAA compliance audits (see HIPAA Compliance: What's Next?);
- The privacy concerns of social media and consumer health information;
- Potential HIPAA privacy issues involving wearable consumer health devices.
Rostolsky is a partner in the Life Sciences Health Industry Group at Reed Smith's Philadelphia office. With a focus on healthcare regulatory and transactional law, he leads that group's HIPAA and health privacy and security practice. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance across the healthcare industry, including hospitals, medical practices, pharmacies, long-term care facilities, electronic health records providers, pharmaceutical manufacturers and medical device companies.