DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses what constitutes a sale of PHI, the exceptions to this definition, and the rules regarding sale of PHI.
What Constitutes a Sale of PHI?
Under the HIPAA Privacy Rule, a sale of PHI is a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.
Remuneration includes money (e.g., cash, checks), and also includes non-financial, or "in-kind", compensation. Non-financial remuneration includes goods, services, or other benefits. For example, the use of supplies, computers, or other materials in exchange for PHI would constitute remuneration.
Does the Sale of PHI Require Patient Authorization?
Generally, a covered entity must obtain an authorization for any disclosure of PHI that is a sale of PHI. Generally, the authorization must state that the disclosure will result in remuneration to the covered entity.
Generally, a covered entity may not refuse to treat a patient solely because the patient refuses to provide an authorization permitting the covered entity to engage in sale of PHI. In other words, treatment cannot be made dependent on authorizing the sale of PHI.
Are There Exceptions To The Definition of "Sale of PHI"?
Under the Privacy Rule, the term “sale of protected health information” does not include disclosure of protected health information:
- For public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
- For research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
- For treatment and payment purposes;
- For the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
- To the patient when the patient requests the PHI;
- Required by law; and
- For any other purpose permitted by and in accordance with the HIPAA Privacy Rule, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.