HHS Issues HIPAA Law-Enforcement Guide and Informal Guidance on Marketing and Decedents' PHI
HHS has added several new resources to its HIPAA privacy website, including the following materials addressing the use and disclosure of protected health information (PHI) in law-enforcement situations, for certain marketing purposes, and with respect to deceased individuals:
- “Blue Card” Guide for Law Enforcement. This two-page summary briefly explains the scope of the HIPAA privacy rule and lists examples of situations in which covered entities may disclose PHI to law-enforcement officials without an individual’s written authorization. The Guide does not provide any new rules or exceptions; rather, it summarizes and illustrates existing rules. [EBIA Comment: Although the Guide may be directed at law-enforcement personnel, covered entities and business associates may find the examples helpful if they receive law-enforcement inquiries. Just remember that the Guide is only a summary; responding to actual inquiries will depend on the particular facts and may necessitate advice of counsel.]
- Refill Reminders Exception to Marketing Rules. A new fact sheet and related FAQs provide informal guidance on how changes to HIPAA’s marketing rules under the January 2013 final regulations affect a covered entity’s use of refill reminders and similar communications to individuals about their current prescriptions. As background, an individual’s written authorization is generally required for any use or disclosure for marketing purposes; the “refill reminders exception” permits these types of communications under limited circumstances. [EBIA Comment: Although the rule and exception primarily affect pharmacies and other providers, they may be relevant to health plans that include a mail-order pharmacy administered by a business associate of the plan.]
- Deceased Individuals. A new fact sheet (with linked FAQs) provides informal guidance on handling the health information of deceased individuals. Although the privacy rule protects this information as PHI for 50 years following death, special rules may permit disclosure during that period to relatives and others involved in the decedent’s care and to law enforcement in certain circumstances. (After 50 years, the information is no longer considered PHI.) [EBIA Comment: These materials can assist with those practical questions that employer plan sponsors, administrators, and insurers often receive from surviving family members.]
EBIA Comment: HHS continues to devote resources to HIPAA privacy and security compliance—health plans and their business associates would be wise to follow suit. Those interested will find these and other detailed materials reasonably easy to locate online, organized by topic within the HIPAA privacy tab of HHS’s website (see “Emergency Preparedness Planning and Response” and “Guidance on Significant Aspects of the Privacy Rule”). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.D (“Disclosures for Specific Public Policy-Related Purposes”) and XXVI.E.1.c (“Uses and Disclosures for Marketing Purposes Usually Require an Authorization”).