HIPAA marketing rule doesn't go far enough, health attorney says


The U.S. Department of Health & Human Services or Congress should work to expand the limited range of permitted activity in marketing low-cost, low-risk devices requiring a prescription, David Harlow, a Boston-based health attorney and FierceHealthIT Editorial Advisory Board member, writes in a recent post to his HealthBlawg.

In the post, Harlow contends that the HITECH Act "hamstrings" regulators and the regulated community. Increased privacy protections, he says, limit research, fundraising and marketing. The HIPAA marketing rule, Harlow adds, has given providers some guidance on permitted marketing activities--but not enough.

"Frankly, in this day and age, we thought that it might be time for sub-regulatory guidance expanding the definition of 'face-to-face' communications [a term not defined in the regulations] beyond communications between individuals in the same room," Harlow says. "At the very least, we thought that that might be somewhere for [the Office for Civil Rights] to hang its hat in extending itself a bit."

In a letter sent to Harlow last month, OCR Deputy Director of Health Information Privacy Susan McAndrew explains that communications about products and services are permitted under the Privacy Rule without authorization if the communications "describe the availability of new developments ... only in a general manner [i.e., do not identify a particular product or brand]."

Additionally, McAndrew points out that "covered entities and business associates may continue to provide to individuals promotional gifts of nominal value."

Says Harlow, the rule "does outline a range of permitted activity for the client going forward--but it doesn't go far enough."

During a recent FierceHealthcare webinar, "Three things you must know about the new HIPAA rules," Harlow and Dena Boggan, HIPAA privacy and security officer at St. Dominic Hospital in Jackson, Miss., shared their experiences and expertise with attendees regarding internal policies, training staff and business associates, among other topics.

"The new rules call for fines at an astronomical level," Harlow said during his presentation. "This could [have] a devastating impact on an organization both in terms of the financial impact in terms of fines and the PR impact in terms of having to go public with a large breach."

To learn more:
- read the full post in HealthBlawg
- see the letter from McAndrew to Harlow
