Review Dates: 6/29/13
Revision Date: 07/26/13
CATHOLIC HEALTH SERVICES
Rockville Centre, New York
IT Security & Privacy Policies and Procedures
Policy Number: 135
Last Revision Date:
Facility marketing activities involving the use or disclosure of protected health information may only be conducted after being approved by authorized marketing staff at the facility who will ensure that requirements set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) for the use and disclosure of patient information have been met. Patient information or lists should not be used or released before this approval has been obtained from authorized marketing staff, as there are legal restrictions on marketing activities of the facility.
If CHS receives financial remuneration from a third party in exchange for patient information, an authorization from the patient is required including an acknowledgement that remuneration is being received. Financial remuneration means direct or indirect payment from or behalf of a third party whose product or service is being described, not including payment for patient treatment.
This policy applies to all facility staff members and medical staff members. Facility staff members include all employees, medical or other students, trainees, residents, interns, volunteers, consultants, contractors and subcontractors at the facility. Medical staff members include physicians as well as allied health professionals.
1. Marketing Activities Subject To This Policy
a. Marketing activities generally include all oral or written communications with a patient about a product or service that encourage the patient to purchase or use that product or service. Facility marketing activities may involve patient information because the marketing is directed at current or former patients. Marketing also may include distributing patient information to another organization so that it may market its own products and services if the facility receives direct or indirect payment in exchange for patient information.
b. This policy does not generally apply to various activities related to the routine
treatment, case management or care coordination, or to direct or recommend
alternative treatments, therapies, health care providers or setting of care to the patients
or routine operations of the facility even if those activities involve patient
communications concerning products or services. Examples include:
i. telling patients whether a product or service is provided by the facility,
ii. indicating whether a product or service will be covered by insurance,
iii. discussing products or services that may further a particular patient’s
iv. describing potentially beneficial products or services in the course of managing
or coordinating a particular patient’s care or treatment,
v. recommending alternative treatments, therapies, health care providers or
settings of care,
vi. refill reminders or discussing a drug or biologic,
vii. information about treatment alternatives provided the facility is not receiving
financial payment in exchange for making the communication.
a. It is the responsibility of the Vice President for Development or equivalent in
consultation with the facility’s Privacy Officer, to implement processes to ensure that
the distribution of marketing materials adhere to this policy and HITECH.
3. Contacting Authorized Marketing Staff
a. To obtain approval from authorized marketing staff, facility staff and medical staff
should contact the Vice President for Development or designee.
1. The facility’s Privacy Officer has general responsibility for implementation of this policy.
Members of the facility staff, medical staff and vendors, subcontractors and business associates
who violate this policy will be subject to disciplinary action up to and including termination of
employment, contract or medical staff with the facility.
2. Anyone who knows or has reason to believe that another person has violated this policy should
report the matter promptly to his or her supervisor or the facility’s Privacy Officer. All reported
matters will be investigated, and, where appropriate, steps will be taken to remedy the
situation. Where possible, the facility will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with the facility.
3. If you have questions about this policy, please contact your department supervisor or the facility’s Privacy Officer immediately. It is important that all questions be resolved as soon as possible to ensure protected health information is used and disclosed appropriately.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as needed. The policy will be reviewed periodically to determine its effectiveness in complying with the HIPAA Security Regulations, as well as meeting business needs.
Lynn Taylor, CPO Date
Dr. Patrick O’Shaughnessy, CMO Date
07/26/13 - Clarified scope to include students (PD)