Changes that are happening in the HIPAA rules also affect business associates as well. Business associates may be involved with things such as marketing or they will be providing EHR services that manage – that manage protected health information and may be subject to do requirements for access and new restrictions that may – that may affect business associates if that's the business that they're in.
They have – the marketing changes before – in the proposed rule that they had were such that it was a – here is a definition of marketing except and here is the definition of non-marketing except.
And so luckily, the final rule has a much more simple orientation but it means that there's going to need – need to be more authorizations. Now, if you have an authorization, you can do the marketing. If it is face to – if it is face-to-face communications, you don't need an authorization as per the new HIPAA security standards.
So somebody can, you know, can promote some kind of a product or service if somebody – if it is a face-to-face kind of thing.
But if it's something where somebody is providing remuneration for a – if a third party is providing remuneration for promoting a product or service, for marketing a product or service, you have to have an authorization, okay, except – there's a couple of exemptions – you know, there's face-to-face communication, there's also an exemption for refill reminders or other stuff, you know, that, you know, “It's time for you to get a refill on this particular drug that you're taking already,” it's okay for them to remind you of that.
Or if it's something that's a general health communication such as, “Hey, you know, it's always a good idea to get mammograms or, you know, coming in to have your blood pressure checked and have your – have your, you know, check to see what your – how your cholesterol is,” and things like that. That's not really marketing; that's general health kind of stuff.
Or things related to Medicare and Medicaid, the government-sponsored programs. That's not marketing because that's not commercial, okay as per Medicare guidelines.
But anything that – where there's any kind of financial remuneration for provide – for making that communication that has to have an authorization that clarifies things quite nicely.
And the nice thing about this too is the Notice of Privacy Practices you currently have may say that – say that – may say nothing about – it might say that – it may say that, “Oh, by the way, you know, we may be marketing to you without an authorization in certain circumstances.”
HIPAA Training Tip: Well, since you have to have an authorization to that kind of marketing to people, that's – where somebody receives financial remuneration by a third party, since you have to have an authorization, people will be notified then. It doesn't need to be a Notice of Privacy Practices any longer so you can take anything out that may be in there, okay, with that once it goes into effect.
So it simplifies things. It nice to be able to take something out of your Notice of Privacy Practices. If those things are – people don't want to read all that stuff anyway. The more you can take out, the better.
If you disclose information for remuneration, you have to have an authorization stating that the disclosure of results to remuneration. That's all there it to it.
Now, there are some exceptions they have – well, that's all there is to it except for the exceptions. They have exceptions for public health or for research. Or, for instance, if you – if somebody, you know, gets a copy of the information themselves and they pay the fees to get a copy, the sort of usual fees (that they may get out of that), that's not considered a sale; that's an exception, our expert mentioned in a HIPAA conference.
Or if you – if it's used for treatment or payment purposes or anything like that that involves something – some cost involved, that's not a sale of PHI but it's something outside of these kinds of, you know, legitimate purposes, then you have to have an authorization.
Here's an important one. If you have people doing fund raising for you and figuring out, you know, how to do a mailing and you handle some data files then they put together a list of names and addresses to do some marketing or do some fund raising pleas – do some marketing – but do some – do some campaigns to, in the old HIPAA rules, the way it was is you were only allowed to use – and there are people who go, “Oh, my goodness, I had no idea this could be trouble for us” – with the old rules, the only information you could use was demographic information and the dates of service for doing fund raising.
You say, “Okay, this person we served in this period of time,” no indication of how well things turned out, why they were there, whether it was a hangnail or triple bypass, you know, just demographic information and dates of – dates of services, that was all.
Well, the healthcare rules are changed now so that – they will be changing. As of March 26th they'll be changed so that you can also use what were the department providing services, who were the provis – who is the physician who was involved and what was the outcome.
Achieve never-failing medical compliance and get more information on healthcare topics with our cutting-edge healthcare events at AudioEducator