Sharing of PHI with Large Tech Companies, Confidential Agreements, and HIPAA's Prohibition on the Marketing and Sale of PHI
May 06, 2020
As stated on Forbes, "The chief worry isn't about thieves getting their hands on lost or stolen devices, but the ease with which companies can gain access to the personal information." In the healthcare sector, protected health information (PHI) requires that certain measures be adopted, which include, but are not limited to the following: (1) express, written, patient consent; (2) a mutually executed business associate agreement (BAA); and (3) an annual, adequate risk analysis, as required by the Security Rule.
While it is not uncommon for healthcare entities, as well as business associates and subcontractors, to store data, including PHI, in the cloud, it is well established that the "conduit exception" does not apply; therefore, the aforementioned measures (i.e., BAA, patient consent, and risk analysis) are compulsory. This is because "the conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers providing mere data transmission services." In the Federal Register, the U.S. Department of Health and Human Services expressly stated that, "an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information." Therefore, it is imperative to appreciate that cloud providers and data centers do not fall under the conduit exception.
Recently, an article underscored the concern "that many health systems are working with large tech companies to store and analyze information under confidential data-sharing deals [without patients' knowledge or consent]." In late 2019, various Senators sent a letter to Google executives about the "concern over reports that Ascension has entered into a partnership that provides Google with health records of tens of millions of Americans without their awareness of consent." This is problematic on numerous fronts; however, the most significant may be that it constitutes the illicit marketing and sale of PHI.
The purpose of this article is to provide an overview of the prohibitions underlying the illicit marketing and sale of PHI, touch upon how courts are viewing the wrongful marketing and/or sale of PHI, and provide compliance suggestions. In sum, this is a topic that cannot be overlooked by covered entities, business associates, or subcontractors.
Analysis A question that I am commonly asked is, "Is the marketing and/or the sale of PHI legal"? My answer always remains the same, "It depends." The first step that organizations should take is to make sure that marketing is addressed in the required Notice of Privacy Practices and that both sales and marketing have a prominent place in an organization's policies and procedures. Not surprisingly, "The HIPAA Privacy Rule gives individuals important controls over whether and how their protected information is used and disclosed for marketing purposes."
What does my answer, "It depends," exactly mean? Fundamentally, it means that there are nuances regarding utilizing PHI to market or actually selling patients' PHI. The three key items to address: (1) is the type of marketing which is linked to PHI permissible or prohibited; (2) have adequate disclosures been provided to the patients or other surrogate decision makers; and (3) have patients provided their express, written consent?
First, let's address marketing, which is attached to PHI. The Privacy Rule defines "marketing" as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." Generally, if the communication is "marketing," then the communication can occur only if the covered entity first obtains an individual's "authorization." Notice is different than authorization. Patients acknowledge that they have received a copy of the covered entity's Notice of Privacy Practices; however, the patient must separately authorize certain types of marketing and the sale of PHI. A common example of marketing where a covered entity would not need to obtain a separate written authorization is a physician's practice utilizing its patient list to announce the addition of a new piece of medical equipment or if it is made for treatment of the individual.
Examples of "marketing" communications requiring prior authorization are:
A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
"An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." This part of the definition to marketing has no exceptions.
The individual must authorize these marketing communications before they can occur. Simply put, a covered entity may not sell protected health information to a business associate or any other third party for that party's own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
For example, it is "marketing" when:
A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan's members brochures on the benefits of purchasing and using the monitors.
A drug manufacturer receives a list of patients from a covered healthcare provider and provides remuneration, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.
Second, let's consider the disclosure requirements to patients. A covered entity's Notice of Privacy Practices must state that any sale of PHI and certain types of marketing require an express, written authorization by the patient, typically on a HIPAA Authorization, which is in bold and gives the patient the opportunity to "opt out" of having his/her PHI sold or to receive certain marketing items. These parameters should also be defined in an entity's written policies and procedures.
Lastly, when is express, written consent required? "With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing." The Authorization for a Sale must specifically state that the Sale will result in remuneration.
The sale of PHI was given additional emphasis in the Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013). Fundamentally, the sale of PHI equates to disclosure for remuneration. A sale of PHI occurs when there is direct or indirect remuneration, including in-kind remuneration.
The definition of a sale of PHI includes a transfer of ownership of the PHI, as well as disclosures of PHI based on an access, license, or lease agreement.
There are a number of exclusions to the definition of a Sale of PHI, including for purposes of (i) public health; (ii) research that is covered by HIPAA (e.g., clinical research) if the payment is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI; (iii) treatment and payment; (iv) a sale and merger transaction involving the covered entity or the business associate; (v) activities performed by a business associate for or on behalf of the covered entity (or by a business associate subcontractor for or on behalf of the business associate) if the payment is for the business associate's performance of such activities (or for the subcontractor's performance of such activities); (vi) providing an access or an accounting to an individual; (vii) as required by law; and (viii) as otherwise permitted under HIPAA, where only a reasonable, cost-based fee is paid (or such other fee as permitted by law).
Adhering to these requirements is crucial, as the sale of PHI may serve as the basis of a False Claims Act (FCA) case. In United States v. America at Home Healthcare and Nursing Services, Ltd., 2018 U.S. Dist. LEXIS 2592 (N.D. Ill. Jan. 8, 2018) (hereinafter "America at Home"), the Honorable Robert John Blakely analogized violations of 42 U.S.C. § 1302d-6(a) to violations under the Anti-Kickback Statute in relation to the submission of false claims.
In America at Home, Judge Blakely upheld the relator's claim that "HIPAA violations under 42 U.S.C. § 1302d-6(a), which criminalizes knowingly using, obtaining, or disclosing an individual's identifiable health information without authorization" were substantiated by the facts that two individuals employed by the defendants "searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services (including unnecessary services)" (America at Home, p. 14). In turn, the defendants knowingly billed the government for medical services after obtaining patients' information unlawfully; and the defendants deliberately submitted claims and cost reports to the State of Illinois and the federal government that impliedly certified compliance with Medicare laws and regulations, but knowingly failed to disclose their HIPAA violations (Id.).
"If ‘information that a hospital has purchased patients by paying kickbacks has a good probability' of affecting a payment decision, [United States v. Rogan, 517 F.3d 449, 452 (7th Cir. 2008)], then information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting payment decision, too" (Id.). Overall, failing to adhere to HIPAA's sale and marketing requirements could not only open an entity up to government enforcement actions by OCR, it could also result in significant liability under the FCA.
The sale and marketing of PHI will continue to get increased attention. Covered entities such as Ascension and its Business Associate, Google, in addition to having a business associate agreement in place, should confirm that patient consent was given in each circumstance that an individual's PHI was transferred to Google. Additionally, persons should always consider FCA liability, as well as enforcement actions by OCR. The best practice is to have all policies and procedures, disclosure forms, and conduct evaluated by counsel with experience and expertise in these areas on an annual basis or when a change in the law occurs. Overall, this is one area that cannot be overlooked.
Rachel V. Rose, JD, MBA is an Attorney at Law, in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at firstname.lastname@example.org. www.rvrose.com