April 14, 2003, marked the beginning of a new era in America’s healthcare industry because access or exchange of sensitive data may occur only under the conditions outlined in a complex new regulatory scheme referred to as the Privacy Rule. The Rule, meant to safeguard health information privacy, is an offshoot of health care directives provided by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article explores how well the Rule protects patient privacy, particularly in the context of permissible disclosures that a consumer might regard as commercial marketing. Part I introduces the issue by explaining the implementation of the initial Privacy Rule and its modified version under HIPAA. Part II briefly familiarizes the reader with the complexity of defining privacy and establishes which definition to use in analyzing the Rule. Part III evaluates the Rule as a whole, determining whether the move from consent in the initial Rule to mere notice about information disclosures in the modified Rule adequately protects privacy. This Article then highlights the effectiveness of the Rule’s notice requirements in connection with disclosures under three types of circumstances: treatment, payment, and health care operations. Deciphering the last category reveals the serious infractions created by the ability to mask commercial marketing under the guise of health care operations. Part IV summarizes the major concerns and provides practical solutions to shore up patient privacy.
June Mary Makdisi,
Commercial Use of Protected Health Information Under HIPAA's Privacy Rule: Reasonable Disclosure or Disguised Marketing?,
82 Neb. L. Rev.
Available at: http://digitalcommons.unl.edu/nlr/vol82/iss3/5