Health Information Privacy U.S. Department of Health & Human Services
  • Text Resize A A A
  • Print Print
  • Share Share Share Share

When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

Answer:

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

  1. When the communication occurs in a face-to-face encounter between the covered entity and the individual; or 
  2. The communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

 

 

Date Created: 12/20/2002

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013