Sending patients appointment reminders or other common mailings may seem like such a simple task that you don't need to worry about HIPAA. But because different sections of the regulations apply to different types of mailings, it can become complicated.
"I see lots of grey areas," says Jon Neiditz, an Atlanta-based healthcare attorney. "If I were a hospital marketing person, I would be really conversant with the rules and know what the state restrictions were and make that a part of my initial planning on a sales initiative."
The first step is to identify which rule applies to your particular mailing. In general, the following three sections cover most mailings:
- treatment and care coordination
- fundraising
- marketing
Treatment and care coordination
Most patient mail falls into this category. This includes items like appointment reminders, test results, or instructions about how to prepare for an upcoming procedure. In general, it's fine to send out this kind of medical information--as long as it's in a sealed envelope addressed directly to the patient.
"If it's in a sealed envelope, we can send anything we believe the patient needs to have--how to prepare for your colonoscopy, for example," says Texas-based consultant Mary Brandt, MBA, RHIA, CHE, CHPS. "If your nosy mother-in-law gets to the mail before you get home from the office, that's not the hospital's problem. It sent it addressed specifically to you." However, because there is always a risk that mail will go astray, it's prudent to include only the minimum amount of information necessary to accomplish your task.
You must also offer patients the right to object if they don't want sensitive information sent to their homes, Neiditz says. You should alert them to this right in your notice of privacy practices and you must cooperate if they ask you to mail information to an alternate address.
You also need to know whether your state has any special privacy laws concerning sensitive areas such as AIDS, substance abuse treatment, or mental health issues. Those rules may restrict how much information you can disclose in any mailings to patients, Neiditz says.
If you're not using a sealed envelope, be very careful about what you say. Anyone can easily read a postcard, so disclose only very general information in this case. For example, you can remind a patient about an appointment but you should not say what the purpose of the appointment is. Including a return address is fine, but don't if the name of the facility could give away a diagnosis (e.g., a dialysis clinic or substance abuse treatment facility). You can include a date, time, and phone number so the patient can call for details.
"HIPAA allows you to send out appointment reminders but there are lots of good reasons to limit what you say on those reminders," Neiditz says.
Fundraising
Covered entities can solicit donations from patients without an authorization as long as they do it for their own use. This often takes the form of a mailing. If you want to do this, you must notify the patient in your notice of privacy practices and give them the right to opt out. It's also a good idea to include a provision in your mailing that allows the patient to opt out (e.g., a number to call to have his or her name removed from a mailing list), Brandt says.
Many covered entities don't understand the restrictions regarding how they target patients for fundraising, she says. You can use demographic information to target patients (e.g., name, address, dates of service) but you can't use diagnostic information. So if you're soliciting for a new breast cancer center, you can't pull a list of all your breast cancer patients and send them a mailing. But you could use demographic information to target women over 40.
You also can't make reference to diagnostic information in the mailing itself. So you can't, for example, address a letter to a "breast cancer survivor." If the mailing is open to all readers (in the case of a postcard or brochure), you can't even refer to the fact that the person was a patient, Brandt says.
Marketing
Marketing includes any mailing that encourages patients to buy a covered entity's products or services, with the exception of mailings about treatment, providers or alternative providers, treatments, or care settings. Outside of those exceptions, providers must get an authorization from patients to disclose information. They must also obtain an authorization if they wish to disclose information so another entity can market its products or services.
"There's a lot of ways to interpret this and it is pretty grey," says Brandt. Because most covered entities are in the business of providing healthcare, most of the marketing they do may fall under the treatment exception and does not require an authorization. When considering such mailings, you will first have to figure out where it fits in the marketing rule and whether you need an authorization, Neiditz says. Once you've figured that out, the same kinds of guidelines apply to marketing mailings as to others. You must only disclose the minimum information necessary. If you're mailing an open postcard or brochure that anyone can read, keep it general to avoid inappropriately disclosing information about the patient.
"Step back and think about who the target audience is and what the specific message is," says Brandt. "If you're trying to educate them about a new treatment center a general mailing is fine. If you're going to get specific about a particular drug, that's a mailing that should go out in a sealed envelope."
