Patient
Information
Policy
Use and Disclosure of Protected Health Information for
Marketing Purposes
SCOPE:
All Louisiana State University (LSU) System health care
facilities and providers including, but not limited to
hospitals, physician practices, clinics, schools, etc. on
the LSU Health Sciences Center New Orleans Academic Campus.
Nota Bene: All LSU System health care facilities and
providers including, but not limited to hospitals, physician
clinics, schools, etc. on the LSU Health Sciences Center New
Orleans Academic Campus, are referred to in this policy as
LSUHSC-NO.
PURPOSE:
To provide guidance to the health care facilities and
providers affiliated with the LSU System on the requirements
of the Health Insurance Portability and Accountability Act,
Standards for Privacy of Individually Identifiable Health
Information (HIPAA Privacy Regulations) for using or
disclosing an individual’s Protected Health Information for
marketing purposes.
POLICY:
All LSU System health care facilities and providers must
obtain an individual’s signed authorization before using or
disclosing the individual’s Protected Health Information for
marketing purposes as defined in this policy.
DEFINITIONS:
Protected Health Information
(sometimes referred to as “PHI”) – for purposes of
this policy means individually identifiable health
information, that relates to the past, present or future
health care services provided to an individual. Examples of
Protected Health Information include medical and billing
records of the patient.
Authorization – A written
document completed and signed by the individual that allows
use and disclosure of PHI for purposes other than treatment,
payment or health care operations.
For the purposes of the definition of "Designated Record Set":
- The term "record" means any item,
collection, or grouping of
information that includes PHI and is
maintained, collected, used or
disseminated by or for LSUHSC-NO.
- The term "record" also includes
patient information originated by
another health care provider and
used by LSUHSC-NO to make decisions
about a patient.
- The term "record" includes
tracings, photographs, videotapes,
digital and other images that may be
recorded to document care of the
patient.
Designated Record Set – is a group of records maintained by or
for LSUHSC-NO that is:
- The medical records and billing records about individuals
maintained by or for LSUHSC- NO ; or
- Any records used, in whole or part, by or for LSUHSC- NO to
make decisions about individuals.
- Any record that meets this
definition of Designated Record Set
which are held by a HIPAA Business
Associate of LSUHSC- NO and are part of LSUHSC- NO’s Designated Record Set.
Privacy
Officer – Person designated by the facilities
and clinics as the Privacy Officer. Is the individual
identified by LSUHSC-NO to be responsible for
receiving and processing requests to receive
communications of their Protected Health Information
by alternative means or at alternative locations.
PROCEDURE:
| 1.0 |
Authorization
Required for Use & Disclosure of PHI for Marketing |
| 1.1 |
The facility
must obtain a patient’s or personal
representative’s prior authorization for any use
and disclosure of PHI for marketing purposes
except as specified in the section below,
Authorization Not Required for Use & Disclosure of
PHI for Marketing Communications. An authorization
must be specific as to the use and disclosure
being requested and is not to be written in such a
manner that it might be interpreted as a blanket
authorization for the use and disclosure of PHI
for marketing. A blanket marketing authorization
is invalid.
| 1.1.1 |
To
be valid, an authorization must include:
- All of the core elements and required
statements as detailed in the HIPAA
Authorization Policy. (See Policy: Use or Disclosure of PHI that requires Individual Written Authorization.)
- If
the marketing involves direct or
indirect remuneration to the facility
from a third party, the authorization
must also state that such remuneration
is involved.
- For further guidance on authorizations,
see HIPAA Authorization policy for
information on:
- The steps for responding to and
processing of authorizations for use
and disclosure of PHI;
- The patient’s right to revoke an
authorization;
- Authorization and revocation
documentation and retention
requirements;
- The prohibition on conditioning of
authorizations; and
- Other requirements related to
authorizations for use and disclosure
of PHI.
- A copy of the signed authorization must be given to the patient or personal representative.
|
|
| 1.2 |
Business
Associates – The facility may not disclose PHI
to third parties for marketing purposes
without authorization from the patient, even
if the third party is acting as the business
associate of the facility. |
| 2.0 |
Authorization Not Required for Use &
Disclosure of PHI for Marketing Communications |
| 2.1 |
The
facility may use or disclose PHI for marketing
without an authorization only if the
communication is made in the form of:
- A
face-to-face communication made by a covered
entity to a patient or personal
representative; or
- A
promotional gift of nominal value provided
by the facility.
|
| 3.0 |
Responsibilities The facility must designate the personnel who
are responsible for evaluating certain types
of communications to patients and determining
whether the communication meets the definition
of “marketing” and therefore requires
obtaining the patient’s or personal
representative’s authorization for the
marketing communication or purpose. Note: Many communications with patients are
for purposes other than marketing and it is
not intended that this review process
introduce any obstacles or hardships as it
relates to treatment of the patient or access
of the patient to quality health care. |
| 3.1 |
The
facility must designate the personnel who are
responsible for obtaining authorizations from
patients for use and disclosure of PHI for
marketing purposes. |
| 3.2 |
The
facility must designate the personnel who are
responsible for determining whether a
“promotional gift is of nominal value.”
|
| 3.3 |
The
facility must obtain business associate
contracts with any business associates
involved in the production, distribution, or
processing of marketing communications. |
| 4.0 |
Special
Considerations |
| 4.1 |
Facility’s
Own Uses - The facility may use PHI to communicate
with individuals about the facility’s own
health-related products or services, the patient’s
treatment, or case management or care coordination
for the individual, and may make the communication
itself or use a business associate to do so. |
| 4.2 |
Notice of
Privacy Practices - The facility’s Notice of
Privacy Practices must include a statement that
the facility may contact the patient to provide
appointment reminders or information about
treatment alternatives or other health-related
benefits and services that may be of interest to
the patient. See HIPAA Policy on Notice of Privacy
Practices. |
| 4.3 |
PHI is Not
for Sale - Patient medical information should not
be a commodity in the marketplace, and should not
be made available for purchase or sale by any
patient or entity. |
| 4.4 |
Communications Promoting Health – A communication
that merely promotes health in a general manner
and does not promote a specific product or service
from a particular provider does not meet the
general definition of “marketing.” Such
communications may include population-based
activities to improve health or reduce health care
costs as set forth in the definition of “health
care operations.” |
| 4.5 |
Therefore,
communications such as mailings reminding women to
get an annual mammogram, providing information
about how to lower cholesterol, advising of new
developments in health care, health or “wellness”
classes, support groups, and health fairs, are
permitted, and are not considered marketing. |
| 4.6 |
Newsletters
– The facility may make communications in
newsletter format without authorization so long as
the content of such communication is not
“marketing” as defined for purposes of HIPAA. |
REFERENCES:
45 C.F.R. 164.508
|
