HIPAA Protections End Where the Money Begins

— I'm alarmed my personal health info is being used for targeted marketing

MedicalToday

As a biomedical researcher, I am required to complete a HIPAA compliance course every year. Detailed modules explain procedures for protecting personal information, including names, addresses, phone numbers, financial information, and anything that could offer a clue about diagnosis. Under HIPAA, providers should only learn the minimum protected health information (PHI) required to offer high quality healthcare. Those who violate HIPAA rules can lose their medical licenses, be fined, or in extreme cases, be sent to jail.

But there is one surprising exception: protected personal information can be extracted from medical records for fundraising.

Within a few days of proudly earning my 2021 HIPAA certification, I received a letter from my healthcare provider at my home address. My name was prominently displayed on the envelope and the return address featured the medical subspecialty group where I had recently been a patient. The letter described several "opportunities" to make donations.

But wait, according to the HIPAA course, personally identifying information can only be used when it is essential for providing medical services that benefit the patient. That's the law and there are consequences for violating it. Yes and no.

In 2013 the HIPAA privacy rule was modified to give fundraisers access to names, addresses, birthdays, gender, insurance status, point of service, phone numbers, email addresses, occupation, health outcomes, and treating physicians' names. The policy now permits the fundraisers to share this information with affiliated "Business Associates" and charitable foundations.

To be fair, the HIPAA course acknowledges the fundraiser exemption. It was covered in one of the obscure sections of the online slideshow. While there is absolutely no medical rationale, the exemption makes it technically legal with only one requirement for fundraisers: the inclusion of an opt-out option that must be "simple, quick, and inexpensive."

The letter I received said nothing about opting out. However, the same envelope did include a separate card asking for my credit card number, name of spouse, and more detailed personal contact information. It gave options for contributions of $100, $200, $250, $500, or $750, and provided an open space to fill in a larger amount.

A website and a phone number that could be used to opt out of marketing mailings were hidden on the back of the card in 9-point font. They were not on the solicitation letter, as required by policy.

The HIPAA course did provide instructions for reporting violations. Anyone who had a concern -- no matter how minor -- was encouraged to contact the authorities immediately. So, I contacted the HIPAA coordinator and disclosed receiving a letter that clearly displayed my name, home address, and clinical service where I had received care. All three of these elements should have been protected by the HIPAA law. I acknowledged my awareness of HIPAA exceptions for fundraisers. There was no technical HIPAA violation, but the solicitation seemed discordant with the spirit of the law.

The HIPAA coordinator offered a polite response and said I could opt-out but did not acknowledge my general concern about privacy. And last week, I received another request for a donation.

I am OK with my doctor, medical trainees, and most relatives knowing I am receiving medical care. But I am alarmed that my personal health information is being used to target me for marketing campaigns. The development office simply does not have the required "need to know" for my personal information. These campaigns violate privacy, and privacy protection is the justification for HIPAA.

I admire a professional environment that scrupulously guards against even minor leakage of personal information. My colleagues go to great lengths to hide personally identifying information, carefully document permissions to share impressions, and only disclose information when it is crucial to the patient's welfare. I Googled "privacy protection" on the websites of several leading U.S. healthcare providers. Each provider group confirmed their commitment to protect private patient information and offered assurance that personal identifiers are only used in the service of patient care.

If privacy protection is really a core value, wouldn't we expect these organizations to apply the same standards to both providers and fundraisers? Why are patients required to opt-out of fundraising campaigns rather than to opt-in? They could be asked to sign a consent form that would allow fundraisers access to their personal information.

Twenty years ago, a researcher at the University of Pittsburgh was sentenced to prison for selling medical information about country singer Tammy Wynette to the National Enquirer. The punishment was acceptably severe because an exchange of money was involved.

I worry that our commitment to privacy protection is sincere -- only until institutions see the dollar signs.

is a faculty member at Stanford University's Clinical Excellence Research Center, a former associate director of the National Institutes of Health, and a former chief science officer for the U.S. Agency for Health Care Research and Quality.