Public Comments: September 2010 – Joint comments on the Proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH



Comments of the World Privacy Forum and the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times

To the US Department of Health and Human Services

On the Proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (RIN 0991-AB57)

U.S. Department of Health and Human Services,
Office for Civil Rights
Attention: HITECH Privacy and Security Rule Modifications
Hubert H. Humphrey Building
Room 509F
200 Independence Ave. SW
Washington DC 20201

September 13, 2010


The World Privacy Forum [1] and the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times [2] appreciate the opportunity to submit comments on the Department’s proposed changes to the HIPAA Privacy Rule. The proposed rule appeared in the Federal Register on July 14, 2010, at 75 Federal Register 40868.

In our view, the Department’s proposed changes to HIPAA regarding marketing are contrary to the law. Current law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose the Department’s proposed regulation that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication. We have additional issues with the Department’s NPRM in this area, which are discussed below.


I. Comments on Proposed Changes to Definition of Marketing

VI. Section-by-Section Description of the Proposed Amendments to the Privacy Rule

B. Section 164.501—Definitions.

2. Definition of “Marketing”

The Department proposes changes in the rules about marketing that, in our opinion, are contrary to the law and the intent of the HITECH Act. We have no doubt that the language and intent of the HITECH Act restrict marketing activities, with the exception of prescription reminder letters, which are specifically authorized. Congress’s goal was to limit marketing. It did so in several ways.

First, it prohibited a covered entity from “directly or indirectly receiv[ing] remuneration in exchange for any protected health information.” [HITECH Act, 13405(d)]. That is a broad provision, whose purpose was to ban marketing activities flatly. The word indirect indicates a sweeping intent. The law prohibits a covered entity from receiving a payment or benefit of any type from any third party for a use that involves protected health information (PHI) by the covered entity. We think this provision even prevents a covered entity from showing patients advertising that encourages the purchase or use of a good or service. That’s how broad the statutory language is.

Second, Congress closed the loophole that allowed some marketing activities to be conducted as health care operations. Section 13406(a)(2) says expressly that a covered entity cannot engage in any marketing activity under the guise of a health care operation if the entity receives a direct or indirect payment. Again, we find the same broad direct or indirect language. The intent to restrict marketing using PHI is clear.

The exception in the statute demonstrates the sweeping scope of the policy. The statute allows a reminder letter for a drug already being prescribed. However, a letter seeking to switch a patient to another drug is effectively prohibited by this provision, which excludes all other marketing. The conference report makes the purpose quite clear: “The conference report makes an exception and allows providers to be paid reasonable fees as determined by the Secretary to make a communication to their patients about a drug or biologic that the patient is currently prescribed.” By specifying that this type of marketing activity is allowed, Congress made it clear that all other marketing activities (other than the few activities allowed by the rule already) are prohibited without express patient authorization.

Third, in § 13405, Congress prohibited the sale of any PHI without an authorization. There are some exceptions in § 13405 that are not relevant to marketing. This provision is further evidence that Congress does not want patient records to be made available for marketing activities.

Congressional opposition to marketing activities is quite clear. Our principal concern here is that those seeking to market to patients will use every means to exploit every loophole to conduct marketing. If a third party can find a way to pay a covered entity to send a health-related communication to an individual about the third party’s products or services, that third party will do so. The enormous sums (measured in the billions) spent on direct-to-consumer drug advertising are evidence of the stakes here. These sums are spent to urge patients to seek high-priced, patent-protected drugs that reap enormous revenues for drug manufacturers. There is no evidence that this advertising produces better outcomes or lower costs. Indeed, this advertising will only continue as long as the revenues that result from advertising exceed the cost of the advertising. Patient outcomes and overall health care costs are not factors in marketing decisions.

We agree with the statement in the NPRM that:

“Congress intended with these provisions to curtail a covered entity’s ability to use the exceptions to the definition of “marketing” in the Privacy Rule to send communications to the individual that were motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual’s health care, despite the communication’s being about a health-related product or service.” 75 FR 40884.

In our view, the new law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose in the strongest possible terms the proposal that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication. The Department’s description is:

We also emphasize that financial remuneration for purposes of the definition of “marketing” must be in exchange for making the communication itself and be from or on behalf of the entity whose product or service is being described. For example, authorization would be required prior to a covered entity making a communication to its patients regarding the acquisition of new state of the art medical equipment if the equipment manufacturer paid the covered entity to send the communication to its patients. In contrast, an authorization would not be required if a local charitable organization, such as a breast cancer foundation, funded the covered entity’s mailing to patients about the availability of new state of the art medical equipment, such as mammography screening equipment, since the covered entity would not be receiving remuneration by or on behalf of the entity whose product or service was being described. Furthermore, it would not constitute marketing and no authorization would be required if a hospital sent flyers to its patients announcing the opening of a new wing where the funds for the new wing were donated by a third party, since the financial remuneration to the hospital from the third party was not in exchange for the mailing of the flyers. 75 FR 40885.

If the Department allows third parties to fund marketing communications, the result will be the laundering of marketing funds through non-profit organizations established by drug and device manufacturers to promote high-priced, patent-protected drugs and devices. It is child’s play for a large, wealthy drug manufacturer to establish and fund an independent non-profit whose principal function will be to fund advertising that the manufacturer cannot directly pay for itself. Many hospitals, especially those that are not-for-profit, have associated foundations that could provide the necessary “cover”.

The Department’s proposal would allow indirectly precisely what the law and the other parts of the proposed regulation seek to prohibit directly. Even worse, manufacturers who utilize non-profits to hide their advertising dollars will be able to take a charitable tax deduction for the contributions given to the non-profits that are to be used to fund the marketing activity. Manufacturers may also utilize existing non-profits, who may welcome a few dollars in exchange for laundering marketing to patients. Money talks, and financially strapped non-profits may, unfortunately, listen to the money more than they should.

From the perspective of the patient whose data is being employed in the marketing activity, the source of funds for the communication makes no difference. Patients receiving marketing communications will see only that their PHI has been used and that their confidentiality has been breached. It will not matter one iota that the communication was paid by a non-profit. The message to patients will be that patient records are now available for any and all marketing uses, and that patients should be wary about revealing their personal information to health care providers lest it be used for marketing. Labeling the communications will not help. Patients will not see or appreciate what the labels tell them. The rules as proposed would confuse lawyers, let alone the average person with a 9th grade reading level. You cannot cure a bad policy with a label.

The proposed regulations contain another troubling point. The Department would allow providers to be paid by third parties to engage in marketing in the guise of treatment communications:

[W]e do not propose to require individual authorization where financial remuneration is received by the provider from a third party in exchange for sending the individual treatment communications about health-related products or services. However, to ensure the individual is aware that he or she may receive subsidized treatment communications from his or her provider and has the opportunity to elect not to receive them, we propose to require a statement in the notice of privacy practices when a provider intends to send such subsidized treatment communications to an individual, as well as the opportunity for the individual to opt out of receiving such communications. 75 FR 40886

We recognize that Congress expressly addressed marketing in the context of health care operations. It did not expressly ban paid marketing by providers under the guise of treatment. However, the congressional intent is clear. Marketing is an unfavored activity in this context, and the only paid marketing allowed is for prescription reminders. Why would Congress have been so specific in this area if marketing activities could be conducted with as few limitations as treatment? We submit that any doubts, any ambiguity must be resolved in favor of the policy that Congress expressed in the HITECH Act. Whether a marketing activity is treatment or a health care operation, it should be as severely restricted as possible.

To allow third-party funded advertising with an opt-out ignores the widespread rejection of opt-outs in privacy discussions taking place elsewhere. Regulators elsewhere in government are looking for alternatives to opt-out as a privacy protection. Legislators are considering proposals that might allow opt-out in some circumstances, but would generally require opt-in (affirmative consent) for health and other sensitive information. History shows that opt-outs are rarely utilized by individuals because they are hidden, cumbersome to use, or ignored. There is little evidence that people read notices of privacy practices (NPP) that they receive. Essentially, the current HIPAA rule regarding NPPs as implemented by many covered entities has already taught people that the NPPs are not important or worth reading. Placing a notice of opt-out in an NPP or similar document will not inform patients of their opt-out rights in any meaningful way.

The only entities today that support opt-out are those who benefit from the inability of individuals to opt-out. The more opt-outs available to individuals, the less likely it is that individuals will use them. The burden of opting out at every website, every merchant, every health care provider is and will be overwhelming. The likelihood of successfully protecting personal information through opt-out will be perceived by many individuals as low. Whatever the Department’s position on the value of opt-out generally as a privacy protection device, it is imperative that any doubts be resolved against the use of opt-outs for sensitive information contained in health records.

Further, polls suggest that most patients want to exercise personal control over the use of their information for research and to be asked for permission for their records to be made available to researchers. It is not hard to extrapolate that even more would want to have the ability to exercise affirmative consent prior to the use of their information for marketing. Therefore, the simplest rule – the least expensive to administer – is one that makes the default what people want, which is no use of PHI for marketing.

We remind the Department that there are many providers who have information on each patient. A patient’s information may be held by or accessible to a hospital, physician, laboratory, x-ray facility, pharmacy, and many more providers. A patient may have no direct relationship with some providers and have no idea why, for example, a laboratory that the patient never heard of is profiting by using the patient’s information to send advertising to the patient based on a test result.

Each provider with access to patient information may be in a position to send advertising on behalf of third parties. A family of four may have to take separate action on behalf of each family member to opt-out of communications by each physician, each laboratory, each pharmacy, each x-ray facility, and more. That family might be obliged to opt-out dozens of times. No matter how easy it may be to opt-out in one given instance, the total burden will be overwhelming. If a patient opts-out of receiving paid advertising by one provider, the next provider can still send the same ad. Opt-out again, and a third provider can send the next ad. Then a fourth provider, and so on. There is no simple, quick, and inexpensive way to opt out if you have to opt out over and over again.

Faced with the effective impossibility of opting-out and having it stick, even the rational patient who strongly opposes use of his or her information for marketing will give up, defeated by a lax Department policy that favors marketing over privacy and that does not give patients any real chance of protecting their own health privacy. There is no way to structure an opt out that will give a patient an even break.

We also remind the Department that efforts to make health records electronic may place patient information in the hands of more and more health care providers than ever before. This will only increase the marketing possibilities and will further overwhelm patients who seek to exercise any rights that they may have. As patient health care activities migrate to the Internet, the advertising that the Department proposes to allow without patient authorization will also migrate to the Internet. Patients who click casually on ads may not realize that the ad was served only to patients with a particular disease, with a certain net worth, who own their homes, who have a health care plan that covers high priced drugs, who have children, etc. The ad will not reveal how patients were selected to receive it.

No matter what disclosures are made, the patient who clicks an ad may be sharing personal information – health related or otherwise – with an advertiser who is then free to use the information without any legal or regulatory restriction. Patient privacy may well be fatally undermined as a result, as patient information leaks over time into the unregulated files of marketers and profilers, who will then profit from its use and sale indefinitely. For genetic information, PHI may retain marketing value for generations.

Further, allowing physicians and other health care providers to profit by receiving remuneration for recommending specific types of treatment should be illegal and is certainly unethical. Why the Department wants to support this conduct is a mystery. The Department has enough difficulty already controlling self-dealing by providers. Giving providers another way to profit by taking money to promote products and services is unsupportable.

We suggest that any controls on the amount of financial remuneration will be unenforced and ineffective. The Department does not have enough resources to police HIPAA today. Overseeing and enforcing payment limitation will not be a priority. If anyone exceeds the vague limits proposed, they will happily pay a fine in the unlikely event that they are caught. We do not have to discuss the possibility of under-the-table or disguised payments that will be impossible to trace. The Department well knows that drug manufacturers are happy to pay physicians for “lectures” or other activities that are proxies for prescribing their medications.

In conclusion, we do not understand why the Department is showing any interest in allowing new marketing uses and disclosures without specific patient authorization. The Department offers no evidence that marketing using PHI improves outcomes or lowers costs. We believe that the contrary is true. Only high priced, patent-protected drugs and devices will be marketed, and the marketing will continue only as long as the manufacturer’s profits increase and without regard to better outcomes. From an advertiser’s perspective, higher revenues and higher profits are the only important outcome. Allowing marketing will further undermine the Department’s efforts to control health care costs.

If health plans controlled marketing uses of PHI, it is likely that they would not seek to promote expensive medications. Unfortunately, some in the health care system do not care what the costs are. Some pharmacies have demonstrated a willingness to send marketing materials to patients for the few cents that they earn from the communication and the additional prospect of an additional small profit from a prescription refill. These providers do not care what the costs are to other participants. The Department has to look at the issue with a broader perspective.

We suggest that the Department take with a grain of salt the pleas by marketers that giving patients additional information is valuable and educational. If a patient should receive additional information, why is that information only available in connection with the marketing of high-priced, patent-protected drugs and devices? If there are benefits here, we think it would be less costly overall to require that information useful to patients be included with other disclosures that are already required. If the cost of conveying additional information is billions of dollars in extra profits to manufacturers, then the price is too high. We think that a cost-benefit analysis is appropriate here. The Department should not pay attention to a cherry-picked analysis of the supposed value of the information to consumers.

We have an additional suggestion. It is our understanding that prescription reminder programs are often structured so that not all patients receiving the drug in question receive a reminder. Some patients are not sent reminders so that they serve as a “control”. That allows the drug manufacturer paying for the reminder to tell if the reminders increase revenues. This practice is unfair and obnoxious. It is bad enough that patients only receive paid reminders for drugs that are highly profitable. Advertisers may also be discriminating against patients based on other characteristics, such as the type of health insurance they have. The Department should require those paying for refill reminders to send reminders to all patients, including those taking generics. If these programs are justified because there is a patient benefit, then all patients should receive the benefit.

The Department should change the rule to allow reminders only if they are sent to all patients and without regard to their incomes, the type of health plan, the nature of prescription drug coverage, or any other characteristic. A policy of non-discrimination is essential.

In conclusion, we express deep concern about the marketing changes the Department has proposed. We urge the Department to make substantive changes and to close the loopholes and address the inconsistencies with the law and with Congressional intent we have discussed.


Respectfully submitted,

Pam Dixon,
Executive Director,
World Privacy Forum

Jeff Chester,
Executive Director,
Center for Digital Democracy

Michelle de Mooy,
Senior Associate National Priorities,
Consumer Action

Susan Grant,
Consumer Federation of America

Lee Tien,
Senior Staff Attorney,
Electronic Frontier Foundation

Linda Ackerman,
Senior Counsel,
Privacy Activism

Beth Givens,
Privacy Rights Clearinghouse

Evan Hendricks,
Privacy Times





[1] The World Privacy Forum is a non-profit, non-partisan public interest research group, with a focus on research and analysis of privacy issues, along with consumer education.

[2] The Center for Digital Democracy, Consumer Action, Consumer Federation of America, Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, Privacy Times.