How HIPAA impacts selling pharmaceuticals to physicians


HIPAA, or the Health Insurance Portability and Accountability Act, was first enacted in 1996 and consists of five distinct sections (or titles). With this act, lawmakers aimed to modernize healthcare data sharing and address insurance coverage shortcomings. The goal of the Privacy Rule, under Title II, was to set guidelines for patient data sharing in order to protect patients while easing the flow of information between providers and other healthcare organizations.

For sales representatives, the HIPAA Privacy Rule rarely impacts conversation, sampling, and other regular interactions. However, these medical device and pharmaceutical suppliers may face barriers when gathering product use and outcome data for marketing purposes.

According to the Privacy Rule, business associates that require access to PHI “for or on behalf of” covered entities must enter into mandatory contracts that outline the uses and disclosures of patient data. Pharmaceutical and medical device companies are considered business associates when conducting analyses of patient outcomes, quality improvement, benchmarking standards, disease management programming, and other care delivery methods. Additionally, patients must sign a HIPAA Privacy Rule authorization to permit outside organizations to access and distribute their diagnosis and treatment data in medical journals, press releases, and other marketing communications.

HIPAA safeguard measures

Safeguards implemented by covered entities can be tailored to the circumstances of PHI use and the technology available, in order to limit accidental disclosure of such information and to avoid strictly prohibited disclosure.

Some examples of these safeguards include securing areas containing sensitive information, assigning individualized credentials for electronic health record access, and escorting company representatives in patient areas. These safeguards are often separated into three categories: technical, physical, and administrative.

Technical HIPAA safeguards

Under the Privacy Rule, PHI must be encrypted at all times to protect against data breaches. Outside of this mandate, individual organizations can determine the best methods to protect electronic PHI (ePHI) when implementing access and auditing control. These measures allow organizations to monitor personnel who can view, edit, and distribute specific data types, as well as review whether safety standards and other protocols are being properly followed. Access control and activity logs are the only required compliance measures, but other addressable mechanisms include: ePHI authentication, encryption and decryption tools, and automatic log-off for computers.

Physical HIPAA safeguards

There are four physical safeguards under the Privacy Rule, but only two are required. Healthcare organizations must implement and enforce policies regarding the use and positioning of computers and workstations in order to protect data as providers add it to the system.

Facilities must also put rules in place dictating the use of mobile devices in the workplace, and whether providers are allowed to access patient data and other sensitive information from tablets. This includes plans for wiping PHI from the devices before they are resold or discarded.

Administrative HIPAA safeguards

Administrative safeguards are some of the most comprehensive protections outlined in the Privacy Rule, requiring both a Security Officer and Privacy Officer to approve and implement the measures to ensure protection of ePHI. Pilot audits and other risk assessment tools are included as part of the administrative safeguards. Four of the seven administrative safeguards are required: conducting regular risk assessments, introducing a risk management policy, developing a contingency plan for emergencies, and restricting third-party data access.

The primary difference between “required” safeguards and “addressable” safeguards on the HIPAA compliance checklist is that there is some flexibility in how the “addressable” safeguards are implemented. Not all of these measures are feasible for every facility, so care centers are able to adopt reasonable alternatives to the “addressable” safeguards.

How HIPAA impacts selling

Looking for more information on how medical device and pharmaceutical companies effectively sell to healthcare providers? Join us for our webinar, 5 Effective Selling Strategies Life Sciences Companies Are Using in 2019, on Wednesday, July 24 at 2pm EST. This webinar will help you:

  • Understand what matters to your buyer by knowing their patient populations and diseases by specific providers
  • Know which doctors offer expanded network and patient reach by examining critical referral patterns within and outside of an IDN
  • Uncover provider metrics, patterns, and affiliations data to accelerate prospect targeting

About the Author

Definitive Healthcare

This blog was written by a former contributor at Definitive Healthcare. At Definitive Healthcare, our passion is to transform data, analytics and expertise into healthcare…