[45 CFR 164.501, 164.508(a)(3)]
The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.
How the Rule Works
The Privacy Rule addresses the use and disclosure of protected health information for marketing purposes by:
- Defining what is “marketing” under the Rule;
- Excepting from that definition certain treatment or health care operations activities;
- Requiring individual authorization for all uses or disclosures of protected health information for marketing purposes with limited exceptions.
What is “Marketing”? The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below.
Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility that is not part of the hospital and that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What else is “Marketing”? Marketing also means: “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” This part of the definition of marketing has no exceptions. The individual must authorize these marketing communications before they can occur.
Simply put, a covered entity may not sell protected health information to a business associate or any other third party for that party’s own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
For example, it is “marketing” when:
- A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.
- A drug manufacturer receives a list of patients from a covered health care provider and provides remuneration, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.
What is NOT “Marketing”? The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:
1. A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
- The entities participating in a health care provider network or health plan network;
- Replacement of, or enhancements to, a health plan; and
- Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
This exception to the marketing definition permits communications by a covered entity about its own products or services.
For example, under this exception, it is not “marketing” when:
- A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
- A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form.
2. A communication is not “marketing” if it is made for treatment of the individual.
For example, under this exception, it is not “marketing” when:
- A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so.
- A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient.
3. A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
For example, under this exception, it is not “marketing” when:
- An endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient.
- A hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home.
For any of the three exceptions to the definition of marketing, the activity must otherwise be permissible under the Privacy Rule, and a covered entity may use a business associate to make the communication. As with any disclosure to a business associate, the covered entity must obtain the business associate’s agreement to use the protected health information only for the communication activities of the covered entity.
Marketing Authorizations and When Authorizations are NOT Necessary. Except as discussed below, any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization. To determine what constitutes an acceptable “authorization,” see 45 CFR 164.508. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. See 45 CFR 164.508(a)(3).
A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual; or a promotional gift of nominal value provided by the covered entity.
For example, no prior authorization is necessary when:
- A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.
- An insurance agent sells a health insurance policy in person to a customer and proceeds to market a casualty and life insurance policy as well.
Frequently Asked Questions
Q: Does the HIPAA Privacy Rule expand the ability of providers, plans, marketers and others to use my protected health information to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?
A: No. The Privacy Rule’s limitations on the use or disclosure of protected health information for marketing purposes do not exist in most States today. For example, the Rule requires patients’ authorization for the following types of uses or disclosures of protected health information for marketing:
- Selling protected health information to third parties for their use and re-use. Thus, under the Rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.
- Disclosing protected health information to outsiders for the outsiders’ independent marketing use. Under the Rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions without an authorization.
Without these Privacy Rule restrictions, these activities could occur with no authorization from the individual in most jurisdictions. In addition, if a State law provided additional limitations on disclosures of information for related activities, the Privacy Rule generally would not interfere with those laws.
Moreover, under the “business associate” provisions of the Privacy Rule, a covered entity may not give protected health information to a telemarketer, door-to-door salesperson, or other third party it has hired to make permitted communications (for example, about a covered entity’s own goods and services) unless that third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers. See the fact sheet and frequently asked questions on this web site about the business associate standard for more information.
Q: Can contractors (business associates) use protected health information to market to individuals for their own business purposes?
A: No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.
Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.
Q: Can telemarketers gain access to protected health information and call individuals to sell goods and services?
A: Under the HIPAA Privacy Rule, a covered entity can share protected health information with a telemarketer only if the covered entity has either obtained the individual’s prior written authorization to do so, or has entered into a business associate relationship with the telemarketer for the purpose of making a communication that is not marketing, such as to inform individuals about the covered entity’s own goods or services.
If the telemarketer is a business associate under the Privacy Rule, it must agree by contract to use the information only for communicating on behalf of the covered entity, and not to market its own goods or services (or those of another third party).
Q: When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?
A: The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
Q: How can I distinguish between activities for treatment or health care operations versus marketing activities?
A: The overlap among common usages of the terms “treatment,” “healthcare operations,” and “marketing” is unavoidable. For instance, in recommending treatments, providers and health plans sometimes advise patients to purchase goods and services. Similarly, when a health plan explains to its members the benefits it provides, it too is encouraging the use or purchase of goods and services.
The HIPAA Privacy Rule defines these terms specifically, so they can be distinguished. For example, the Privacy Rule excludes treatment communications and certain health care operations activities from the definition of “marketing.” If a communication falls under one of the definition’s exceptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization. See the fact sheet on this web site about marketing, as well as the definition of “marketing” at 45 CFR 164.501, for more information.
However, if a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of “marketing,” the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information.
Q: Do disease management, health promotion, preventive care, and wellness programs fall under the HIPAA Privacy Rule’s definition of “marketing”?
A: Generally, no. To the extent the disease management or wellness program is operated by the covered entity directly or by a business associate, communications about such programs are not marketing because they are about the covered entity’s own health-related services. So, for example, a hospital’s Wellness Department could start a weight-loss program and send a flyer to all patients seen in the hospital over the past year who meet the definition of obese, even if those individuals were not specifically seen for obesity when they were in the hospital.
Moreover, a communication that merely promotes health in a general manner and does not promote a specific product or service from a particular provider does not meet the definition of “marketing.” Such communications may include population-based activities in the areas of health education or disease prevention. Examples of general health promotional material include mailings reminding women to get an annual mammogram; mailings providing information about how to lower cholesterol, new developments in health care (e.g., new diagnostic tools), support groups, organ donation, cancer prevention, and health fairs.
Q: Is it “marketing” for a covered entity to describe products or services that are provided by the covered entity to its patients, or to describe products or services that are included in the health plan’s plan of benefits to members of the health plan?
A: No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications made to describe a covered entity’s health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication. Thus, it would not be marketing for a physician who has developed a new anti-snore device to send a flyer describing it to all of her patients (whether or not each patient has actually sought treatment for snoring). Nor would it be marketing for an ophthalmologist or health plan to send existing patients or members discounts for eye-exams or eye-glasses available only to the patients and members. Similarly, it would not be marketing for an insurance plan to send its members a description of covered benefits, payment schedules, and claims procedures.
Q: Is it marketing for a covered entity to describe the entities participating in a health care provider network or a health plan network?
A: No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications by a covered entity to describe the entities participating in a health care provider network or a health plan network. Thus, it would not be marketing for a health plan or insurer to mail its members or enrollees a list of health care providers in the health plan network or for an independent physicians association to send its patients a preferred provider list.
Q: Is it marketing for an insurance plan or health plan to send enrollees notices about changes, replacements, or improvements to existing plans?
A: No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications about replacements of, or enhancements to, a health plan. Therefore, notices about changes in deductibles, co-pays, and types of coverage, such as prescription drugs, are not marketing. Likewise, a notice to a family warning that a student reaching the age of majority on a parental policy will lose coverage, then offering continuation coverage, would not be considered marketing. Nor are special health care policies such as guaranteed issue products and conversion policies considered marketing. Similarly, notices from a health plan about its long-term care benefits would not be considered marketing.
It would be considered marketing, however, for a health plan to send to its members promotional material about insurance products that are considered to be “excepted benefits” (described in section 2791(c)(1) of the Public Health Service Act), such as accident only policies. It would likewise be marketing for health plans to describe other lines of insurance, such as life insurance policies. Generally, such communications require authorizations.
Q: Can health plans communicate about health-related products or services to enrollees that add value to, but are not part of, a plan of benefits?
A: Yes. The provision of value-added items or services (VAIS) is a common practice, particularly for managed care organizations. Under the HIPAA Privacy Rule, communications may qualify under the marketing exception for a communication about a health plan’s plan of benefits, even if the VAIS are not considered plan benefits for Adjusted Community Rate purposes. To qualify for this exclusion, however, the VAIS must meet two conditions. First, they must be health-related. Therefore, discounts offered by Medicare + Choice or other managed care organizations for eyeglasses may be considered part of the plan’s benefits, whereas discounts to attend movie theaters will not. Second, such items and services must demonstrably “add value” to the plan’s membership and not merely be a pass-through of a discount or item available to the public at large.
So, a Medicare + Choice or other managed care organization could offer its members a special discount opportunity for eyeglasses and contact lenses without obtaining authorizations if the discount were only available through membership in the managed care organization. However, such communications would need an authorization if the members would be able to obtain such discounts directly from the eyeglass store. Similarly, a Medicare + Choice or other managed care organization could offer its members a special discount opportunity for a prescription drug card benefit or for a health/fitness club membership, which is not available to consumers on the open market. On the other hand, a Medicare+Choice or other managed care organization would need an authorization to notify its members of a discount to a movie theater available only to its members.
Q: Can a doctor or pharmacy be paid to make a prescription refill reminder without a prior authorization under the HIPAA Privacy Rule?
A: Yes. It is not marketing for a doctor to make a prescription refill reminder even if a third party pays for the communication. The prescription refill reminder is considered treatment. The communication is therefore excluded from the definition of marketing and does not require a prior authorization. Similarly, it is not marketing when a doctor or pharmacy is paid by a pharmaceutical company to recommend an alternative medication to patients. Communications about alternative treatments are excluded from the definition of marketing and do not require a prior authorization. The simple receipt of remuneration does not transform a treatment communication into a commercial promotion of a product or service.
Furthermore, covered entities may use a legitimate business associate to assist them in making such permissible communications. For instance, if a pharmacist that has been paid by a third party contracts with a mail house to send out prescription refill reminders to the pharmacist’s patients, neither the mail house nor the pharmacist needs a prior authorization. However, a covered entity would require an authorization if it sold protected health information to a third party for the third party’s marketing purposes.
Q: Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations?
A: Yes, appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization.
Q: What are examples of “alternative treatments” that are excepted from the HIPAA Privacy Rule’s definition of “marketing”?
A: Alternative treatments are treatments that are within the range of treatment options available to an individual. For example, it would be an alternative treatment communication if a doctor, in response to an inquiry from a patient with skin rash about the range of treatment options, mails the patient a letter recommending that the patient purchase various ointments and medications described in brochures enclosed with the letter. Alternative treatment could also include alternative medicine. Thus, alternative treatments would include communications by a nurse midwife who recommends or sells vitamins and herbal preparations, dietary and exercise programs, massage services, music or other alternative types of therapy to her pregnant patients.
Q: Are prior authorizations required when a doctor or health plan distributes promotional gifts of nominal value?
A: No. In a specific exception, the HIPAA Privacy Rule allows covered entities to distribute items commonly known as promotional gifts of nominal value without prior authorization, even if such items are distributed with the intent of encouraging the receiver to buy the products or services. This authorization exception generally applies to items and services of a third party, whether or not they are health-related, or items and services of the covered entity that are not health-related. A covered doctor, for instance, may send patients items such as pens, note-pads, and cups embossed with a health plan’s logo without prior authorization. Similarly, dentists may give patients free toothbrushes, floss and toothpaste.
Q: Are health care providers required to seek a prior authorization before discussing a product or service with a patient, or giving a product or service to a patient, in a face-to-face encounter?
A: No. In face-to-face encounters, the HIPAA Privacy Rule allows covered entities to give or discuss products or services, even when not health-related, to patients without a prior authorization. This exception prevents unnecessary intrusion into the doctor-patient relationship. Physicians may give out free pharmaceutical samples, regardless of their value. Similarly, hospitals may give infant supplies to new mothers. Moreover, the face-to-face exception would allow providers to leave general circulation materials in their offices for patients to pick up during office visits.
Q: Must insurance agents that are business associates of a health plan seek a prior authorization before talking to a customer in a face-to-face encounter about the insurance company’s other lines of business?
A: No. In the specific case of face-to-face encounters, the HIPAA Privacy Rule allows health plans and their business associates to market both health and non-health insurance products to individuals.
Q: What effect do the “marketing” provisions of the HIPAA Privacy Rule have on Federal or State fraud and abuse statutes?
A: The Privacy Rule makes it clear that nothing in the marketing provisions of the Privacy Rule is to be construed as amending, modifying, or changing any rule or requirement related to any other Federal or State statutes or regulations, including specifically anti-kickback, fraud and abuse, or self-referral statutes or regulations, or to authorize or permit any activity or transaction currently proscribed by such statutes and regulations. Examples of such laws include the anti-kickback statute (section 1128B(b) of the Social Security Act), safe harbor regulations (42 CFR Parts 411 and 424), and the HIPAA statute on self-referral (section 1128C of the Social Security Act). The definition of “marketing” is applicable solely to the Privacy Rule, and the permissions granted by the Rule are only for a covered entity’s use or disclosure of protected health information. In particular, although the Privacy Rule defines the term “marketing” to exclude communications to an individual to recommend, purchase, or use a product or service as part of the treatment of the individual or for case management or care coordination of that individual, such communication by a health care professional may violate the anti-kickback statute.
Similar examples of pharmacist communications with patients relating to the marketing of products on behalf of pharmaceutical companies were identified by the Office of the Inspector General (OIG) as problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR 65372). Other violations have involved home health nurses and physical therapists acting as marketers for durable medical equipment companies. Although a particular communication under the Privacy Rule may not require patient authorization because it is not “marketing,” or may require patient authorization because it is “marketing” as the Rule defines it, the arrangement may nevertheless violate other statutes and regulations administered by the Department of Health and Human Services, Department of Justice, or other Federal or State agencies.
Q: May covered entities use information regarding specific clinical conditions of individuals in order to communicate about products or services for such conditions without a prior authorization?
A: Yes, if the communication is for the individual’s treatment or for case management, care coordination, or the recommendation of alternative therapies. The HIPAA Privacy Rule permits the use of clinical information to the extent it is reasonably necessary for these communications. Similarly, population-based activities in the areas of health education or disease prevention are not considered marketing when they promote health in a general manner. Again, clinical information may be used for such communications, such as in targeting a public education campaign.
Q: Are communications concerning information to beneficiaries about government programs or government-sponsored programs “marketing” under the HIPAA Privacy Rule?
A: No. Communications about government and government-sponsored programs do not fall within the definition of “marketing.” There is no commercial component to communications about benefits available through public programs. Therefore, a covered entity is permitted to use and disclose protected health information to communicate about eligibility for such programs as Medicare, Medicaid, or the State Children’s Health Insurance Program (SCHIP).