Perspectives on privacy: Information for compliance professionals

Pamela S. Hrubey (pam.hrubey@crowe.com) is a principal in the Washington, DC, office, Candice M. Moschell (candice.moschell@crowe.com) is a senior manager in the Indianapolis, IN, office, and Shameka N. Smith (shameka.smith@crowehrc.com) is a principal in the St. Louis, MO, office of Crowe.

Anthony has been with his employer for 15 years, always covered by his employer’s insurance plan. Recently, Anthony was involved in a weekend accident that resulted in a brief hospitalization for a surgical procedure followed by physical therapy. Anthony spoke highly to friends and colleagues about the medical team that supported him through his accident. Once back at work full time, however, Anthony was bombarded by ads to both his work and personal email addresses that highlighted the hospital’s new heart-related CT scanning capabilities. Initially Anthony didn’t think much about the ads, but his annoyance grew, especially after he got the bill for his share of his hospitalization and surgical procedures. The ads made Anthony feel as though the hospital cared only about making money on the backs of working people, especially because he didn’t give his consent to receive marketing-related information from the hospital. He vented his frustration about the hospital to anyone who would listen, and he typically found a sympathetic ear whenever he brought up the topic of hospital services–related marketing and the rising out-of-pocket medical costs for working people. After learning from an internet search that his physician and physical therapist both worked for practices owned by the hospital organization sending the ads, he and his partner switched healthcare professionals.

Anthony is like the 29% of individuals who, according to a 2020 data privacy survey by Cisco,[1] have stopped buying products or services from a specific organization because of that organization’s data-related practices. While the US healthcare marketplace has grown accustomed to reliably safeguarding protected health information (PHI) under the HIPAA Privacy Rule, which became effective in April 2003,[2] many healthcare organizations have not contemplated the impact of changing consumer expectations, especially in the area of direct-to-consumer marketing.
