Marketing is not a permitted action under HIPAA; it is an authorized one, meaning that previous and specific written permission is required from each patient. Please consult the “Authorized Uses” section at this link.
Agree its authorized but an exception if done face to face. Thus my first lawyer read that its not a violation if handed out.
IANAL but over the last six weeks, I’ve signed more HIPAA releases than you could shake a stick at.
My PCP doesn’t even make a referral to a specialist without a HIPAA release. If he tells me F2F that a certain gym in town has aquaaeorbics that might fit my needs, it is my understanding that he is well within bounds. However, if he hands out printed information from the gym, he’s stepped over (marketing to someone based upon protected information).
To make a referral to a non-medical (not covered by HIPAA) organization would be considered marketing because those entities are not bound by the same rules and may (or may not) have other agendas.
This kind of stuff is part of the reason that HIPAA was enacted in the first place.
The hospital would be allowed to send such marketing material IF it had written authorization from the patients that such marketing was allowable.
An employee (or ex-employee) of the hospital cannot themselves use the remembered patient (or ex-patient) names to look up their addresses and send them targeted marketing materials relevant to their health status. There is no scenario under which this is acceptable.
Edited to Add: the relevant portion of the HIPAA code is 45 CFR 164.501, 164.508(a)(3) http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html
It is an exception for the hospital if they provide this info face to face. The employees, acting without approval from the hospital, are not covered by this clause.
Also, the fact that they stood to gain personally from this solicitation means it will be taken more seriously (and punished more seriously) as a HIPAA violation.
Ex patients doesn’t matter if you are contacting them because they were patients of the hospital. You are using protected information to decide who to contact. It doesn’t really matter what you ask them or give them. Also, the RRTs were not acting as a part of the covered entity. They were acting on behalf of another entity, their gym program.
If you want to solicit them as former patients, you have to ask the hospital to provide you with contact info. The hospital will then request a HIPAA waiver from the patients to release their info to you. It doesn’t matter if, in reality, you already know the info. The documentation has to be there or the hospital has violated HIPAA.
I’ll also note that this board is heavily indexed by Google, and that the poster used what appears to be a real-life-associated username to ask this question. If he understands what’s best, he’ll stop posting information that might be easily obtained by the other side for a lawsuit and stick to asking actual lawyers in person.
Party pooper! I want to hear the results when they file this in some court. Especially if it is a court in Wash DC. The RRTs have every right to pursue a wrongful dismissal case (or what ever reason an attorney is involved) and it will be interesting to see how it works out for them in the long run with this attorney who has advised them that there is no HIPAA violation.
Just to clarify a bit. HIPAA protects the patient’s information from disclosure. There are not face-to-face exceptions, that is something the OP’s attorney has come up with by mis-reading the regulation.
Say that you are fat. The doctor can tell you about a gym and even give you printed information about it’s location because using the gym will help you loose weight (e.g. treat the condition of fatness). Most doctors will NOT do that because if OtherPissedOffGym claims the doctor has been paid for the recommendation, then they’re stuck fighting a legal battle. Instead, doctors usually provide a list of ALL gyms w/locations and phone numbers withing a 50 mile radius. This is NOT marketing because the information is provided in the hopes of helping the patient combat their fatness and the doctor has not received anything for having provided the list.
NOW… if the doctor gave a list of all his fat patients to a local gym, that IS a HIPAA violation no matter why it was given (say he’s friends with the owner, or he’s getting paid for the list, or he has some personal perverted need to impose his anti-fatness agenda on plush people) and no matter HOW it is given (he could print it out, dictate it over the phone or send it by Morris code on a carrier pigeon.) The violation is that the patient’s information has been given to an external entity without the patient’s permission.
What the RRTs did was to abuse their position as employees of the Hospital to provide/use a list of patients to solicit sales for the newly created company that will financially benefit the RRTs themselves. This is exactly what the marketing restriction part of HIPAA is intended to prevent.