Giant Food Inc. V Elensys Care Service Inc Case

...

Do compliance programs provide any legitimate benefits? If so, to whom?

Yes, I think the compliance programs provide legitimate benefits to both the patients (prescription information, alternatives, and reminders) and to the pharmacies in the form of increased revenues and customer loyalty. However there is a gray ethical dilemma when sharing personal information.

Does the Elensys compliance program represent a compatible or incompatible use of Giant’s prescription data? Based on your conclusion, critique Giant’s implementation of fair information practices.

Compatible, there were safeguards in place to ensure the data was only used for Giant’s compliance program specific purpose. Giant implemented fair information practices by selecting an independent non-marketing firm, tightly controlled the pharmaceutical relationships, determined what communications were sent out and avoided offers for controversial drugs.

Is there anything Giant could have done to salvage the situation, either from the beginning or after the fact? Consider the costs and implementation issues for your recommendations.

Giant could have been more pro-active in communicating the partnership to their customers and the community. Being more transparent about the compliance programs, their benefits, Elensys’ background, and the steps they were taking together to protect patient privacy could have prevented the media from distorting the truth, shaping customer perceptions, and causing customers to panic. This communication would not have been considered marketing material and would not contain any sensitive customer medical information. Although Giant would have incurred a small cost to communicate this (mailings, newspaper articles, media interviews), the cost would have been far less than the damage control costs.

Giant may have had plans to do such a communication prior to the launch of the program, but information got out prior to the program start. Giant and Elensys should have done a better job controlling internal knowledge of the pending program. Only those who were involved in the project should have known about it. Those project members should have been briefed on the importance and sensitivity to keeping this project confidential. Employees from both Giant and Elensys should have signed an agreement assenting to compliance.

Post media release, Giant can still salvage the situation, but it will take a pretty robust public relations campaign. Giant needs to issue a statement addressing the article and correcting the falsities. For example, let the public know that Elensys is not a marketing firm and their information is not being sold. Giant should work with Elensys to educate the public about what Elensys does and the benefits the partnership will provide them.

Is the Elensys program legal under the HIPAA regulations (see appendix in case)? Is it ethical?

Elensys program is legal under HIPPA regulations. HIPPA requires that organizations “reasonably safeguard” sensitive patient information. Elensys took multiple steps to do just that, including but not limited to separating customer’s health information and identifiable information into separate databases, using sealed window envelopes for mailings, and never selling information to pharmaceutical companies.

HIPPA requires that patients be provided with notice of their privacy rights and the privacy practices of the covered entity. Although customers were not notified of Elensys practices prior to Giant sending their information, there is a provision that remedies this. “An entity can disclose to a business associate to create or receive health information on its behalf if the entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.”

Giant had considered handling the program in house, but decided to outsource due to Elensys’ capabilities. Elensys was simply a third party acting on Giant’s behalf. All communications would be reviewed and heavily controlled by Giant. The letters would even be sent out on Giant letterhead.

Lastly, this type of communication is not considered marketing under the privacy rule. It falls into the category of communications, “That describe health-related products or services available to health plan enrollees that add value to (and are not part of) the plans benefits”; this was not funded by the insurance company. Elensys had no intention to use the information for any other purpose than assisting Giant with their analysis and communication of their compliance program.

The program was neither illegal nor unethical. Elensys programs were designed with the patients in mind – to provide clear therapeutic or economic benefits to them,

---------------------------------------------------------------

Class Material

Chapter 13’s focus was security and privacy as related to information technology. The case had a strong focus on privacy, but the text pointed out that an organization that is unable to secure customer data will neither be able to ensure customer privacy.

The text identifies 5 fair principles to safeguard privacy; notice, choice, access, security, enforcement. Three steps to seek compliance with those principles include, saying what you do, do what you say, and being able to prove it. Although Giant made the mistake of not being proactive on this front, they still have the opportunity to gain back the trust of their customers by showing them their policies and safeguards they have in place, enforcing those policies, and being transparent with the customers to show them while they do so.

Ethics was another important topic discussed. “Ethical decisions are rarely straightforward. Well-intentioned individuals are forced to make difficult trade-offs.” Giant was unsure about doing the compliance program and sending out reminder letters to customers due to privacy concerns, but decided the benefits outweighed the risks. Plus, other companies were doing the same thing, and they were unaware of any legal issues. Ethics should fill in the gaps where the law is silent. Fortunately, both Giant and Elensys seemed to have developed a sound culture of ethical decision making. Both companies were aware that there were risks and tried to put the customers first.

The characteristics of information introduced in chapter 4 also came to play in this case. Information is not consumed by use. Although in this case Elensys and Giant didn’t appear to have any malicious intentions, the possibility exists that companies

...