April 2003: PRC's Privacy Update Newsletter


In this issue . . .

[1] HIPAA Basics: The Federal Privacy Rule, effective April 14, 2003
The PRC’s Q and A fact sheet is now available on our website – a comprehensive guide to the high-points and low-points of HIPAA.

[2] California & National Do Not Call Lists for Telemarketing
How to register for the Do Not Call Registry.

[3] “Uniting Privacy & the First Amendment in the 21st Century” Conference: May 9 Oakland, CA
Sponsored by the Electronic Privacy Information Center (EPIC), Calif. Office of Privacy Protection, & the First Amendment Project

[1] HIPAA Basics: Medical Privacy in the Electronic Age

The new federal medical privacy rule, HIPAA, is effective April 14, 2003. To learn more about this complex law, read the PRC’s consumer guide, Fact Sheet 8a, “HIPAA Basics: Medical Privacy in the Electronic Age” at:

If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. The PRC’s HIPAA guide explains its high-points and low-points and why many consumer and privacy advocates are critical of HIPAA.

HIPAA sets a national standard for accessing and handling medical information. Before HIPAA, your right to privacy of health information varied depending on what state you live in. Now, health care providers, health plans, and other health care services that operate in all states have to abide by the minimum standards set by HIPAA.

HIPAA does not pre-empt state law. Your state is free to adopt laws that give you more privacy, but it cannot take away the basic rights given by HIPAA. To find out what the laws are in your state, visit the web site of the Health Privacy Project of Georgetown University, http://www.healthprivacy.org, and select the section for State Law.

Test Your HIPAA IQ
True or False (answers at the bottom).

Questions . . .

A. True or False? If a doctor and nurse are overheard in an elevator discussing a patient's treatment, this is a violation of HIPAA.

B. True or False? Under HIPAA, healthcare providers can sell your patient data to marketers.

C. True or False? Health care providers and plans can use your health information to raise funds for the covered entity without your consent.

Answers . . .

A. True. The HIPAA Privacy Rule, according to the U.S. Dept. of Health and Human Services (HHS) "recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures." However, in this scenario, because the communication was taking place in an elevator, rather than a semi-private room, hospital nursing station, or joint treatment area, it would be a violation of HIPAA.

B. Partially True, Partially False. The HIPAA Privacy Rule defines "marketing" as "a communication about a product or service the purpose of which is to encourage recipients of the communication to purchase or use the product or service."

An example of marketing communications that would require your consent before contacting you:

-A communication from a hospital informing former patients about a cardiac facility that is not part of the hospital and that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.

It is not marketing and no authorization from you is required when:

-A hospital uses its patient list to announce the arrival of a new specialty group (for example, orthopedic) or the acquisition of new equipment (like a magnetic resonance imaging machine) through a general mailing or publication. Other instances include disease management, health promotion, preventive care, and wellness programs.

The term "marketing" is one area that is likely to be debated by state legislators given states’ authority to expand HIPAA privacy protections. What's the distinction in the above examples? The HHS states, "To the extent the disease management or wellness program is operated by the covered entity directly . . . communications about such programs are not considered marketing under HIPAA because they are about the covered entity’s own health-related services." The reasoning is that these programs could be considered a service that would be beneficial for the patients’ wellbeing.

C. True. "Health care operations," including fundraising, are not the same as business associate arrangements. Use of your medical information for purposes of carrying out "operations" does not require a written contract. Here are just some of the things that fall under the broad heading of operations:

-Reviewing the competence of health care professionals.
-Training programs.
-Activities related to health care contracts.
-Business planning and development.
-Resolution of internal grievances.
-Sale, transfer, merger, or consolidation of the health care provider or plan.
-Medical services review, legal services, auditing, including fraud detection.

To learn more, read the PRC’s HIPAA guide, http://www.privacyrights.org/fs/fs8a-hipaa.htm

[2] California & National Do Not Call List for Telemarketing

Beginning on July 1, 2003, the Federal Trade Commission (FTC) will allow consumers nationwide to subscribe to the national "do not call" (DNC) list to opt out of telemarketing calls. Consumers will be able to sign up through the Internet or by calling a toll-free number. Telemarketers must purchase the list of consumers throughout the country who have subscribed to the DNC registry by September 1, 2003, and scrub their calling lists by October 1, 2003. After this date, telemarketers cannot phone those who have opted out of calls without facing the possibility of a hefty fine. If you have already subscribed to your state's DNC list, you will be automatically subscribed to the national registry. For more information about the national DNC list, go to: http://www.ftc.gov/donotcall

Californians can currently pre-register for the national "do-not-call" (DNC) list online by going to the website of the Calif. Attorney General at http://nocall.doj.state.ca.us/.

[3] “Uniting Privacy & the First Amendment in the 21st Century” Conference: May 9 Oakland, CA

Sponsored by the Electronic Privacy Information Center (EPIC), Calif. Office of Privacy Protection & the First Amendment Project.

No constitutional values are more cherished than freedom of expression and the right to privacy. Yet too often privacy and the First Amendment have been set against one another, sometimes to the detriment of citizens and consumers. This all-day conference will discuss topics such as: Protecting the Anonymous Consumer Advocate, Legislative Strategies for Preserving Consumer Privacy, Safeguarding Records of Bookstores, Libraries and Political Association, Privacy and Public Records.

For more information or to register: