
Failure to comply with the HIPAA Privacy Rule can have serious consequences for healthcare providers.
The HIPAA Privacy Rule gives individuals control over how their protected health information (PHI) may be used for marketing purposes. With limited exceptions, the Rule requires that written authorization be obtained before an individual’s PHI is used for marketing purposes.
HIPAA Privacy Rule Basics
The Privacy Rule applies to the use and disclosure of health information for marketing by a qualified health provider. For the Rule to apply, two criteria must be present: (1) marketing; (2) by a qualified health provider (also known as a covered entity).
What is marketing. The HIPAA Privacy Rule defines “marketing” as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. If the marketing is done by a covered entity, it requires the prior written authorization of the patient. Examples of marketing communications that require prior written authorization are:
- a hospital mailer informing former patients about a wellness clinic that is not part of the hospital and that offers a health and wellness screening for $99.00, where the communication is not made for the purpose of providing treatment advice.
- an email communication from a health insurer promoting a home insurance product offered by the same company.
What else is considered marketing. According to the HIPAA Privacy Rule, “marketing” also occurs where there is an arrangement between a covered entity and any other party whereby the covered entity discloses protected health information of consumers to the other party in exchange for direct or indirect compensation. This generally occurs in circumstances where the third party or its affiliates are used to promote the covered entity’s products or services. This part of the definition of marketing has no exceptions. Covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
What is not marketing. The HIPAA Privacy Rule has three exceptions for permissible communications that will not be considered to be “marketing” for purposes of the Rule. A communication is not marketing if it is made:
- to describe a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity;
- for treatment of the individual; or
- for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
The HIPAA Privacy Rule has many other features that will be discussed in future articles.
Editor’s Note: Adherence to the HIPAA Privacy Rule should be part of an overall health marketing compliance strategy. For further information on how to develop and manage a health brand and marketing compliance program, contact the author.