A few years ago, I helped write a book about healthcare marketing and HIPAA. Over the past few weeks, I’ve had a major uptick in the number of media inquiries and emails from healthcare marketers who want my take on the HIPAA changes in the ARRA bill. I thought the interest would die off as time went by, but people still seem interested so I figured it would be good to go ahead and post what I’ve been telling people.
There were lots of changes to HIPAA in the ARRA (a.k.a. American Recovery and Reinvestment Act, a.k.a. Stimulus Bill, a.k.a Porkulus Bill, etc), but there are two big changes when it comes to marketing and HIPAA:
1) It fundamentally changes the world for Business Associates
If you’re not a student of the exciting world of HIPAA, a Business Associate (BA) is any third-party person or organization that performs work that involves use or disclosure of Protected Health Information (PHI) on behalf of a healthcare Covered Entity (CE). Previously, Business Associates just had to sign a Privacy Agreement with the CE. With the new legislation, a Business Associate now has to set up the same safeguards and protect PHI the same way a CE would.
What does that mean? Basically, I think it means we’ll see lots of direct mail vendors, telemarketing companies, and other marketing support companies dump their healthcare clients because they don’t want to deal with the bureaucracy. While at the same time, I think we’ll see a new breed of these marketing support companies that will accept the added government imposed hassle for a higher fee. And that fee will be passed through the healthcare organization to me and you.
2) Definitions of “what is marketing” under HIPAA
This is the biggest change. ARRA further limits how CEs can use PHI for marketing without the individual’s authorization. ARRA limits the right to use information for marketing if the communication is paid for by an outside entity. It provides exceptions for treatment and communications about pharmaceuticals. And it mandates more options of an opt-out for fundraising communications.
What does that mean? It means healthcare organizations need to closely examine all of their marketing communications that are using PHI. Err on the safe side as the ARRA also increased fines.
The Big Picture
Are you familiar with Duck and Cover? I think that’s the stance that healthcare marketers need to take in 2009. As the Obama administration starts to tinker with the fundamentals of the present healthcare system — all bets are off for everything healthcare related (especially HIPAA) until we get an idea of what their final picture will look like. Either by a little or by a lot, the healthcare industry will change over the next 18-24 months. There’s no need to develop healthcare marketing plans for a worldview that may not exist in a few months.
Please remember that I am a marketing guy — not a HIPAA consultant or legal advisor. Please consult your HIPAA legal counsel and PO for the most up-to-date info.