• E-mail
• Print
• RSS

Under HIPAA, is there an alternative to de-identifying data when releasing it to a direct mailing company for our hospital newsletter?

HIPAA Weekly Advisor, December 7, 2001

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: Under HIPAA, is there an alternative to de-identifying data when releasing it to a direct mailing company for our hospital newsletter?

A: Actually, de-identifying information will not work in this type of situation, because you will lose all the necessary information for the mailing list.

In order to de-identify data, you must remove personal identifiers (about 18 elements or more) or use a statistical algorithm to scramble PHI. The data elements include such demographic identifiers as patient name, address, birth date, telephone, and Social Security number. A direct mailing company cannot send out a newsletter without at least having the patients' names and addresses.

Instead, you'll need patient authorization. Mailing a hospital's newsletter is considered marketing. If protected health information (PHI) is provided to a business associate for marketing, it must be de-identified. Otherwise, patient authorization is required. The privacy rule was revised to allow a first-time exemption to this process, but patients should be allowed to opt out from future mailings. You'll need to obtain authorization after the first mailing.

Answered by Jon Bogen, president of HealthCIO Inc. in Duxbury, MA. If you have a question for him, write to BOH, P.O. Box 1168, Marblehead, MA 01945, or send an e-mail to HIPAA Weekly Advisor editor Brian Driscoll at bdriscoll@hcpro.com.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive