Steven J. Fox
Rachel H. Wilson
John W. Jones Jr.

Many in health care feared that the de-identification standard under the original Health Insurance Portability and Accountability Act (HIPAA) privacy rule — which would have stripped health information of anything that could reveal a patient's identity — would curtail important research, health care operations, and public health activities. In particular, researchers said that the impracticality of using de-identified data would increase the workload of institutional review boards, because waivers of authorization would be needed more frequently for research studies.

In response, the modified rule allows the use and disclosure of "limited data sets" of personal health information for research, health care operations, or public health activities. These sets do not include direct identifiers, such as name, address, or Social Security number. Their use is subject to the terms of a data-use agreement.

This agreement — similar to a business-associate agreement — establishes how the data set may be used. The agreement requires those who receive the data to use personal health information only as permitted under HIPAA, and prohibits them from contacting the individual subjects. It also limits who can receive or use the data, and requires that those entrusted with it prevent its uses beyond those stated in the data-use agreement.


The modified rule significantly simplifies the requirements for research authorizations and the criteria for waivers of authorizations. Authorizations for research involving treatment of patients no longer have to include provisions beyond those required for other disclosures of personal health information. Also, "none" may be used as the expiration date in any research study, not just research that would use personal health information to create or maintain a database (such as a cancer registry).

In approving a request for a waiver of authorization for research, an IRB or privacy board must now consider whether the use or disclosure of personal health information involves no more than minimal risk to one's privacy, as well as whether the research could be conducted without either the waiver or access to personal health information. The IRB or privacy board's "minimal privacy-risk analysis" must weigh the adequacy of the plan to protect identifying information from improper use, destroy identifiers at the earliest opportunity, and provide written assurances against re-disclosure of personal health information.

The modified rule provides other much-needed clarification of the use of personal health information in the research context. In cases where authorization is revoked, covered entities may continue to use personal health information that had been collected before the revocation if it is needed to maintain the integrity of the study. Additionally, the modified rule makes clear that recruitment of individuals for research does not constitute marketing, so solicitations for participation in a research study may be made without individual authorization or an IRB or privacy board waiver.


Certain disclosure and opt-out requirements notwithstanding, the original privacy rule permitted health plans and other covered entities to use personal health information for marketing purposes without first obtaining an authorization. The modified rule gives people more control over their personal health information.

The modifications require patient authorization before using personal health information for almost any marketing-related purpose. However, the definition of marketing excludes communications with individuals about participating providers and plans in a network, or about a patient's treatment, case management, or care coordination — including recommendations for alternative treatments, therapies, health care providers or care settings.

The Department of Health and Human Services received numerous comments about the need for providers and health plans to communicate freely with patients and enrollees about the products, services, and benefits they offer. In response, the modified rule allows them to convey information to members about insurance products that could improve or replace their existing coverage.

Under this exemption, health plans do not engage in marketing when advising enrollees about other available coverage that could improve or substitute for existing coverage. HHS offers the example of a child about to become too old for coverage under a family's policy. In this case, a health plan would be permitted to send the family information about continuation of coverage for the child without first obtaining authorization to use personal health information for such purposes. However, absent proper authorization, the plan would not be permitted to send information about a life insurance product offered by an affiliate.

HHS also closed a loophole that would have allowed personal health information to be sold to a third party marketing its products or services. The original privacy rule would have permitted business associates of covered entities to pay providers for a list of patients with a particular condition, then use that list to market their own drugs or other products directly to those patients. This could have been accomplished by providing personal health information to business associates under the guise of recommending an alternative treatment or therapy to an individual.

The modified rule makes it clear that business-associate transactions of that nature constitute marketing, and are permissible only if proper authorization has been obtained. However, as privacy advocates have pointed out, the same result could still be achieved. It is not considered marketing if a third party pays a HIPAA-covered entity to send a marketing-type communication to a selected group of patients (for example, patients with diabetes).


We know what you're thinking — what about the ever-elusive security regulations? (HHS says they will be released Dec. 27 — really!) In a response to a comment published in the Aug. 14 privacy rule, HHS implicitly discouraged anyone from waiting for the final security-rule standards to be issued before implementing technical and physical safeguards. HHS stated that "there should be no potential for conflict" between the safeguards required by the privacy rule and the mandates of the final security rule, even though the latter has not yet been issued. The response also points out a distinction between the privacy rule and the security rule that some may have overlooked — the security rule applies only to electronic health-information systems that maintain or transmit individually identifiable information. Safeguards to protect personal health information in oral, written, or other nonelectronic forms will be unaffected by the security rule.

Remember that the requirement for security is already in effect — it was imposed by the original 1996 HIPAA statute, which requires that those who transmit health information take "reasonable and appropriate administrative, technical, and physical safeguards" to protect it from unauthorized use. The privacy rule contains its own security requirements: "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."

The bottom line: Do not defer actions on security protections simply because the final security rule has not yet been published.

Steven J. Fox is a partner and Rachel H. Wilson is an associate in the Washington office of the law firm Pepper Hamilton. John W. Jones Jr. is an associate in Pepper Hamilton's Philadelphia office.