HIPAA Privacy Rule Gives ‘Too Much Access’ to Patient Information, ACP-ASIM Says

The HIPAA privacy rule gives marketers too much access to patients' medical information, according to one of the nation's largest medical societies. In testimony presented to the HHS National Committee on Vital Health Statistics last week, American College of Physicians-American Society of Internal Medicine President William Hall said that the rule "condones and perhaps even encourages a wide array of marketing activity using what is supposed to be protected health information." According to Hall, the privacy rule contains exceptions for "health plan operations" that allow health plans to use or disclose identifiable health information, without patient consent, under a variety of circumstances. One such exception applies to face-to-face communications with patients -- a protection that would extend to third-party telemarketers or door-to-door salesmen, Hall said. He added that the final rule does not limit the types of items or services that could be marketed through such communications, so patient information could be used to sell "vacations, magazines, cars and other items that may (or may not) have anything to do with your health." The rule also exempts communications that relate to items or services of "nominal value," an exception that Hall called "vague and ambiguous." Hall also expressed concern that "opt-out" procedures to allow patients to prohibit the use of their medical information are required only after their information has been shared with third parties and patients have received solicitations. Hall asked the committee to recommend to HHS that any use of patient information for marketing purposes be prohibited or, "at the very least," that patients be given the option to prohibit the use of their information before any marketing occurs. He also asked that HHS issue the regulations in final form "as soon as possible" (ACP-ASIM release, 1/24).