Much of the enforcement attention surrounding HIPAA involves ensuring that patient data is secure from hackers and security breaches. But a more comprehensive approach to HIPAA compliance includes awareness that this patient health information (PHI) must also be protected against being used inappropriately for marketing.
The HIPAA Omnibus Rule, adopted by the U.S. Department of Health and Human Services last year, tightened the restriction on the use and disclosure of patient information for marketing purposes. These new rules also bar the sale of this information without the patient’s permission. Patients must opt in and provide written authorization allowing their information to be used for any marketing purposes.
Brad Rostolsky, a HIPAA attorney at the law firm Reed Smith, tells HealthcareInfoSecurity that he believes the Office for Civil Rights will step up its scrutiny of compliance with the new privacy rules.
"The most prudent thing is to get a sense of your PHI flow throughout your organization and through your different business relationships," he told the website. "Understanding where the PHI is going, why it is going there, and [whether] there are any dollars changing hands."
The changes to the omnibus rule strengthen the notification requirements, specifying when breaches of PHI must be reported to HHS. It is worth noting that PHI is at particular risk whenever there is a transaction of some sort with a business associate, such as a contractor or subcontractor. In some cases, the largest breaches of patient information have happened in transactions with business associates. Breaching these rules can be costly to HIPAA-covered entities. Penalties for not complying with the rule have increased to $1.5 million per violation.
Not all communication falls under the HIPAA privacy rule's definition of marketing. Marketing refers to products or services that a patient could purchase. But if a health care provider is discussing a healthcare-related product or service related to a patient's treatment or coverage, that discussion is not considered marketing. Understanding the difference between these types of communication, and the rules governing the protection of patient information, can help you avoid violating HIPAA requirements and incurring expensive fines. To learn more, contact us.