Client Alert: The Government May Actually Be Here to Help – Health Insurance Portability and Accountability Act of 1996 (HIPAA) Part IV

The United States Department of Health and Human Services (HHS) provides a helpful set of questions and answers on its website regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Professionals should note that this guidance is informal and may be updated or withdrawn and may differ from state laws.

It is important to note that "marketing" is defined in the HIPAA Privacy Rule (Privacy Rule) as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." However, marketing does not include communications made:

1. to provide refill reminders or communicate about a drug or biologic that is currently being prescribed for the individual if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication; or

2. for the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

a. for treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;

b. to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

c. for case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

With this definition and exclusions in mind, we highlight four questions and answers from the HHS website below.

When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

  • When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  • The communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

Created 2.20.02

Content reviewed last December 28, 2022

Does the HIPAA Privacy Rule expand the ability of providers, plans, marketers and others to use my protected health information to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?

No. The Privacy Rule's limitations on the use or disclosure of protected health information for marketing purposes do not exist in most states today. For example, the Rule requires patients' authorization for the following types of uses or disclosures of protected health information for marketing:

  • Selling protected health information to third parties for their use and re-use. Thus, under the Rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.
  • Disclosing protected health information to outsiders for the outsiders' independent marketing use. Under the Rule, doctors may not provide patient lists to pharmaceutical companies for those companies' drug promotions without an authorization.

Without these Privacy Rule restrictions, these activities could occur with no authorization from the individual in most jurisdictions. In addition, if a state law provided additional limitations on disclosures of information for related activities, the Privacy Rule generally would not interfere with those laws.

Moreover, under the "business associate" provisions of the Privacy Rule, a covered entity may not give protected health information to a telemarketer, door-to-door salesperson, or other third party it has hired to make permitted communications (for example, about a covered entity's own goods and services) unless the third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers. For more information about the business associate standard, please review the frequently asked questions and fact sheet on HHS' website.

Created 12.19.02

Content reviewed last January 9, 2023

Is it marketing for a covered entity to describe its products or services to its patients or to describe products or services that are included in the health plan’s plan of benefits?

No. The HIPAA Privacy Rule excludes from the definition of "marketing" communications made to describe a covered entity's health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication.

Thus, it would not be marketing for a physician who has developed a new anti-snore device to send a flyer to her patients describing it, whether or not each patient has sought treatment for snoring. Nor would it be marketing for an ophthalmologist or health plan to send existing patients or members discounts for eye-exams or glasses available only to the patients and members. Similarly, it would not be marketing for an insurance plan to send its members a description of covered benefits, payment schedules, and claims procedures.

Date Created: 12.20.02

Content reviewed last January 9, 2023

How can I distinguish between activities for treatment or health care operations versus marketing activities?

The overlap among common usages of the terms "treatment," "health care operations," and "marketing" is unavoidable. For instance, in recommending treatments, providers and health plans sometimes advise patients to purchase goods and services. Similarly, when a health plan explains to its members the benefits it provides, it too is encouraging the use or purchase of goods and services.

The HIPAA Privacy Rule defines these terms specifically, so they can be distinguished. For example, the Privacy Rule excludes treatment communications and certain health care operations activities from the definition of "marketing." If a communication falls under one of the definition's exceptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization.

However, if a health care operation communication does not fall within one of these definition exceptions, but does fall under the definition of "marketing," the Privacy Rule's provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual's authorization is required before a covered entity may use or disclose protected health information. For more information about the Privacy Rule's requirements for marketing, please review the fact sheet and additional frequently asked questions on HHS' website.

Created 12.20.02

Content reviewed last January 9, 2023

We recommend that privacy officers be kept informed of their company's proposed marketing efforts, so that regulatory requirements are not unintentionally violated. While counsel and privacy officers should recognize that marketing can be the sustaining lifeblood of a company, operations professionals must understand the risks and potential penalties for violating HIPAA. Not only can a HIPAA investigation be costly and time consuming, but it can also significantly impair a company's brand value in its community.

For more information, please contact Grant Dearborn, Kate Crawford, or another member of Shumaker's Health Law Service Line.
