An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Yes. It is not marketing for a doctor to make a prescription refill reminder even if a third party pays for the communication.
No. Communications about government and government-sponsored programs do not fall within the definition of “marketing.”
The refill reminder exception to the definition of “marketing” encompasses refill reminders and other communications about a drug or biologic that is currently being prescribed for the individual.
Yes, so long the prescription lapsed within the last 90 calendar days and any financial remuneration received in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
Yes. Where an individual is prescribed a self-administered drug or biologic, such as insulin, communications regarding all aspects of a drug delivery system, such as an insulin pump, fall within the refill reminder exception at paragraph (2)(i) of the definition of “marketing” at 45 CFR 164.501, provided any financial remuneration received in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
No. In the specific case of face-to-face encounters, the HIPAA Privacy Rule allows health plans and their business associates to market both health and non-health insurance products to individuals.
Yes, if the communication is for the individual’s treatment or for case management, care coordination, or the recommendation of alternative therapies.
No, only communications about drugs or biologics currently prescribed to the individual fall within the refill reminder exception at paragraph (2)(i) of the definition of “marketing” at 45 CFR 164.501
The Privacy Rule excepts from the definition of “marketing” refill reminders and other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication.
Yes. The Privacy Rule permits a covered entity to engage and pay a business associate to assist in making otherwise permitted communications to individuals and does not prescribe what the covered entity itself may pay the business associate for such services.
Yes, provided any payments to the business associate do not exceed the fair market value of its services. See paragraph (2)(i) of the definition of “marketing” at 45 CFR 164.501.
Yes. However, in order for the refill reminders or other program communications to fall within the “refill reminder” exception to marketing, any financial remuneration received by the business associate from the pharmaceutical manufacturer (either directly or through the covered entity) must not exceed the fair market value of the business associate’s services.
No. A HIPAA authorization remains valid until it expires or is revoked by the individual. While a HIPAA authorization must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure, the Privacy Rule does not otherwise prescribe the expiration date or event that must apply to the authorization, which may vary based on the circumstances.
No. If the Food and Drug Administration (FDA) determines that a particular drug can only be approved with additional measures, beyond labeling, to mitigate a serious risk posed by the drug, and one or more of those measures take the form of patient communications about the drug, then such communications are not marketing, even if the communication is funded by the drug manufacturer.
No. Face-to-face communications with an individual about specific products or services do not require individual authorization, even if such communications are subsidized by the third party whose product or service is being described.