ADDITIONAL PERMITTED DISCLOSURES WITH SPECIFIC REQUIREMENTS As described in this section, additional disclosures are permitted but must comply with specific requirements. These disclosures include:
-- Certain fundraising;
-- To business associates; and -- Marketing activities.
Fundraising
A covered entity may use and disclose protected health information of an individual without the individual’s authorization to raise funds for its own benefit if the proposed fundraising meets certain criteria. 45 CFR §164.514(f). The information used or disclosed must be limited to demographic information related to an individual and the dates of health care provided to an individual:
• If the institution is not doing the fundraising in- house, it can only disclose the information to a business associate or an institutionally related foundation;
• The covered entity must specifically note that it uses information for fundraising purposes in its notice of privacy practices;
• Any fundraising materials must include a description of how the individual can opt out of future fundraising communications; and
• The covered entity must make reasonable efforts to ensure that an individual who has exercised his or her opt-out rights does not receive further fundraising materials.
Because fundraising is included in the definition of health care operations, an individual has the right to request in advance that a covered entity restrict uses and disclosures for such purposes.
However, the covered entity is under no obligation to agree to such a restriction.
Business Associates
Health plans and providers routinely contract with other companies and consultants to perform a wide variety of functions on their behalf. Health plans and providers, for example, may work with outside attorneys, bill collectors, computer specialists, or accreditation organizations. All of these entities may need access to protected health information to perform their jobs on a client’s behalf. But these persons or entities are generally not directly subject to the Privacy Rule. To allow information to be shared with these business associates and to protect information that may be disclosed to them, the rule establishes specific conditions on when and how covered entities may share information with these entities. 45 CFR §164.502(e) and §164.504(e).
A business associate is a person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as:
• claims processing or administration;
• data analysis;
• utilization review;
• quality assurance;
• billing;
• practice management; or,
• providing legal, actuarial, accounting consulting, data aggregation, management, administrative, accreditation, or financial services.
A business associate does not include a member of the covered entity’s wo rkforce. Neither does it include the circumstance where two covered entities participate in an organized health care arrangement, such as a hospital where a doctor has privileges. 45 CFR §160.103. A covered entity may disclose protected health information to a health care provider concerning treatment of an individual without creating a business associate relationship. Furthermore, the Rule is not intended to cover the provision of protected health information to a person who merely acts as a conduit fo r protected health information, such as the U.S. Postal Service, nor to persons or entities whose access to protected health information is merely incidental.
Ø A covered entity is permitted to disclose protected health information to a business associate or to allow the business associate to create or receive protected health information on its behalf if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.
Generally, these satisfactory assurances must be in a written contract which, among other things, requires the business associate not to use or disclose the information other than as permitted or required by the contract or as required by law, and to implement appropriate safeguards to prevent inappropriate uses and disclosures. A contract is not required in certain circumstances where the covered entity and the business associate both are governmental agencies or where the business associate is required by law to perform the business associate function. In these cases, certain alternative documentation may be required.
EXTENDED TIMEFRAME TO COMPLY WITH CONTRACT REQUIREMENTS
Covered entities other than small health plans may have up to one additional year to comply with the business associate contract requirements of the Privacy Rule. 45 CFR §164.532(d). Specifically, providers will have a maximum of an additional year (until April 14, 2004) to conform existing contracts with the Privacy Rule’s contracting requirements if the provider’s existing contracts were entered into prior to October 15, 2002 and were not renewed or modified prior to April 14, 2003.
This one-year grace period is a maximum. If a contract is renewed or modified between April 14, 2003, and April 14, 2004, then the contract must be compliant by the renewal or modification date. Contracts with business associates that were entered into on October 15, 2002, or later, or that were renewed or modified between October 15, 2002, and April 14, 2003, must comply with the Privacy Rule’s
specifications as of April 14, 2003.
Marketing
The Privacy Rule requires a covered entity to obtain an individual’s prior written authorization to use or disclose protected health information for marketing. 45 CFR §164.508(a)(3).
Under the Privacy Rule, marketing means (1) to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or (2) an arrangement between a covered entity and any other entity in which the
covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipie nts of the communication to purchase or use that product or service. 45 CFR §164.501.
The Privacy Rule expressly excludes various types of communications from the definition of marketing. The types of communications excluded from the definition include: those that describe a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication; those that describe the entities participating in a provider or plan network of the covered entity making the communication; those that describe replacement of or enhancements to, a health plan; those that describe health-related products or services available only to health plan enrollees that add value to (but are not part of) the plan’s benefits of the covered entity making the communication; those for treatment of the individual;
those made for case management and care coordination for the individual; and those made to direct or recommend alternate treatments therapies, providers, or settings of care to the individual.
Thus, communications from a covered entity to an individual that are related to the treatment of the individual are not marketing under the Privacy Rule, so they do not require prior written authorization.
Ø No authorization is required if a pharmacy conducts its own review of its prescription records and mails letters to individuals on antiretroviral therapy encouraging them to switch their medication to another drug manufacturer’s product if the purpose of the activity is for treatment or to recommend alternative therapies to the individual. If the drug manufacturer of the product pays the pharmacy to perform this activity, the pharmacy may still perform this activity without an individual authorization.
RECOMMENDED ACTIONS
1) Develop policies and procedures for handling each of the described uses and disclosures.
2) Consider whether there are uses and disclosures for health care operations, public health, or research where a limited data set could be used.
3) Identify all business associates and execute written contracts with each of them.
See sample business associate contract provisions provided by the Office for Civil Rights - available at : http://www.hhs.gov/ocr/hipaa/contractprov.html.