DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Privacy Rule regulates the use and disclosure of PHI for marketing purposes.
What is Marketing?
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s authorization (there are certain exceptions, discussed below). Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility that is not part of the hospital and that can provide a baseline EKG for $39, where the communication is not made for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What Else is “Marketing”?
Marketing also means: “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”
This part of the definition of marketing has no exceptions: the individual must authorize these communications before they can occur. The reason is that a covered entity may not simply sell PHI to a business associate or any other third party for that party's own purposes, and it may not sell lists of patients or enrollees to third parties without obtaining an authorization from each person on the list. For example, it is “marketing” when:
- A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.
- A drug manufacturer pays a covered health care provider, directly or indirectly, for a list of its patients, then uses that list to send discount coupons for a new antidepressant medication directly to the patients.
What is NOT “Marketing”?
The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:
(A) A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
- The entities participating in a health care provider network or health plan network;
- Replacement of, or enhancements to, a health plan; and
- Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
This exception to the marketing definition permits communications by a covered entity about its own products or services. For example, under this exception, it is not “marketing” when:
- A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., an x-ray machine or magnetic resonance imaging machine) through a general mailing or publication.
- A health plan sends a mailing to subscribers approaching Medicare-eligible age with materials describing its Medicare supplemental plan and an application form.
(B) A communication is not “marketing” if it is made for the treatment of an individual. For example, under this exception, it is not “marketing” when:
- A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so.
- A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient.
(C) A communication is not “marketing” if it is made for case management or care coordination for an individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
For any of the three exceptions above, the activity must otherwise be permissible under the Privacy Rule. A covered entity may use a business associate to make the communication, but it must obtain the business associate’s agreement to use the protected health information only for the communication activities of the covered entity. Note also that, under the definition of marketing as amended in 2013 (45 CFR 164.501), these treatment and health care operations exceptions do not apply where the covered entity receives financial remuneration from a third party in exchange for making the communication; refill reminders remain excepted only if any remuneration the covered entity receives is reasonably related to its cost of making the communication.
When are Authorizations Necessary?
Except as discussed below, any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization. To determine what constitutes an acceptable “authorization,” see 45 CFR 164.508.
If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. Even where a communication is marketing, no authorization is required if it is a face-to-face communication made by the covered entity to an individual, or a promotional gift of nominal value provided by the covered entity. For example, no prior authorization is necessary when:
- A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.
- An insurance agent sells a health insurance policy in person to a customer and, during the same meeting, also markets a casualty and life insurance policy.