HIPAA Omnibus Rule



Back in July, we wrote about HIPAA and HITECH compliance as it relates to automatic patient communications, and discussed how software tools like RevenueWell adhere to these regulations. The deadline for compliance for the Omnibus Rule is today and RevenueWell is being asked whether these recent changes to the regulations affect the ability to market to one’s patient base; and if so, how.

First off, you’ll be happy to know that the Omnibus Rule is straight forward with regard to patient communications, and really revolves around one simple concern: are you “marketing” to your patients or just marketing to them? If you’re wondering about the goofy punctuation, please know that this is the whole point. You may think you’re marketing to your patient base using patient communication software, but you’re really not. Let us explain.

First, the definition

The Privacy Rule requires covered entities to obtain a valid authorization from individuals before using or disclosing protected health information to market a product or service to them (78 FR 5592).

Title 45 of the Code of Federal Regulations, section 164.501 defines “marketing” as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” As you might imagine, this seemingly straightforward definition of marketing isn’t all that straightforward when have a business to run. After all, depending on the person considering the definition, just about any type of messaging from a dental office to a patient could be considered “marketing.” To make things easier (and to allow patient communication to continue unencumbered), the regulation outlines several specific types of communications that are exceptions to this definition.

The exceptions

For the most part, the exceptions cover everything you can do with an automated dental practice marketing solution like RevenueWell. This includes messaging related to treatment plans, alternatives to treatment, new services, additional benefits, and case management services. In other words, these are the communications you wouldn’t think twice to send out, and that many of you have been doing already in one form or another for some time now. However, there is always that moment in legal discourse…

When everything gets flipped upside-down

And as you might imagine, that moment usually involves money. In this case, the regulators believe that monetary influence changes the intent of the message. So the moment a covered entity or their business associate receives any third-party “financial remuneration” to send these or other messages to their patients, these messages then fall into the restrictions on marketing per 45 CFR § 164.508(a)(2)(c), and would thus require permission from the recipient.

The good news

This whole “financial remuneration for marketing” concept doesn’t get a lot of play in a typical dental office. For you to be in violation of the regulation, you’d have to, for example, get paid by an oral cancer screening device manufacturer to send their brochure to all of your middle-aged patients who smoke. If you sent the brochure (or an email campaign) without getting compensated, just because you believe that these high-risk patients should be screened, then this communication would likely fall into the exemptions to marketing. This same logic applies to all other patient communications you may put out there yourself or using RevenueWell, no matter how marketing-ish and promotional they may seem

EDITOR’S NOTE: The opinions expressed herein are those of RevenueWell only. Nothing in this article should be construed as legal advice. Consult an attorney regarding HIPAA compliance.

Leave a Reply

Your email address will not be published. Required fields are marked *