Marketing Involving PHI

The HIPAA Omnibus Rule made changes to the rules related to marketing involving PHI. A marketing communication, as defined by HIPAA, is a communication about a product or service that encourages the recipient to purchase that product or service. Previously, PHI could not be used or disclosed for a marketing communication without authorization unless an exception applied. One exception allowed the use and disclosure of PHI for treatment-related marketing communications for which financial remuneration was received, provided the individual was given notice and an opportunity to opt out. Now, marketing communications about a third party’s products or services for which financial remuneration is received by the covered entity almost always require authorization from the individual, irrespective of whether they are treatment-related, unless an exception applies. As long as the marketing communication is only about health-related products or services that the covered entity is offering, no prior authorization is required.

The few exceptions to the authorization requirement for marketing include:

  1. Face-to-face marketing communications;
  2. Promotional gifts of nominal value; and
  3. Prescription refill reminders, if the remuneration received by the covered entity is reasonably related to the cost of making the marketing communication.

If your organization uses PHI to market its own, or a third party’s, products and services, your organization should:

  1. Draft a form authorization to cover multiple, ongoing marketing communications;
  2. Implement or refine a process for tracking marketing communications and related authorizations to ensure that the recipients have signed authorizations or an exception applies; and
  3. Ensure that business associates and their subcontractors follow procedures that are materially the same.

Sale of PHI

Under the proposed regulation, the “sale of PHI” was prohibited without express authorization from the individual.  Unfortunately, the “sale of PHI” was not a defined term and there was uncertainty as to how extensively the prohibition was to be applied.  Now, we know that a “sale” covers the disclosure of PHI wherein direct or indirect remuneration was provided to the covered entity or business associate in exchange for the disclosure.  Unlike in the marketing context, remuneration can include non-monetary exchanges such as an in-kind transaction. It also covers situations in which the party providing payment for the PHI is not the party who is receiving the PHI.

If your organization participates in the sale of PHI, the authorization to release the PHI must specifically state that the covered entity is receiving remuneration in exchange for the PHI.

Also note that data use agreements for limited data sets must be brought into compliance with these requirements by September 23, 2014.

In case you missed them, here are the first two installments in the series:

HIPAA: Are you up to date?

Omnibus Rule Changes to Breach Notification and Business Associates