45 CFR 164.501, 164.508(a)(3) (Download a copy in PDF)
The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.
How the Rule Works
The Privacy Rule addresses the use and disclosure of protected health information for marketing purposes by:
- Defining what is “marketing” under the Rule;
- Excepting from that definition certain treatment or health care operations activities;
- Requiring individual authorization for all uses or disclosures of protected health information for marketing purposes with limited exceptions.
What is “Marketing”?
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What Else is “Marketing”?
Marketing also means: “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” This part of the definition to marketing has no exceptions. The individual must authorize these marketing communications before they can occur. Simply put, a covered entity may not sell protected health information to a business associate or any other third party for that party’s own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. For example, it is “marketing” when:
- A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.
- A drug manufacturer receives a list of patients from a covered health care provider and provides remuneration, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.
What is NOT “Marketing”?
The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:
(1) A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
- The entities participating in a health care provider network or health plan network; < Replacement of, or enhancements to, a health plan; and
- Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
This exception to the marketing definition permits communications by a covered entity about its own products or services. For example, under this exception, it is not “marketing” when:
- A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
- A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form.
(2) A communication is not “marketing” if it is made for treatment of the individual. For example, under this exception, it is not “marketing” when:
- A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so.
- A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient.
(3) A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. For example, under this exception, it is not “marketing” when:
- An endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient.
- A hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home.
For any of the three exceptions to the definition of marketing, the activity must otherwise be permissible under the Privacy Rule, and a covered entity may use a business associate to make the communication. As with any disclosure to a business associate, the covered entity must obtain the business associate’s agreement to use the protected health information only for the communication activities of the covered entity.
Marketing Authorizations and When Authorizations are NOT Necessary.
Except as discussed below, any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization. To determine what constitutes an acceptable “authorization,” see 45 CFR 164.508. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. See 45 CFR 164.508(a)(3). A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual; or a promotional gift of nominal value provided by the covered entity. For example, no prior authorization is necessary when:
- A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.
- An insurance agent sells a health insurance policy in person to a customer and proceeds to also market a casualty and life insurance policy as well.
Please review the Frequently Asked Questions about the Privacy Rule.
OCR HIPAA Privacy December 3, 2002, Revised April 3, 2003