HIPAA Training,HIPAA regulations
HIPAA regulations home Visit the HIPAA Store for HIPAA Training Products FAQ Contact us  
         
Back        

Standards for Privacy of Individually Identifiable Health Information

Guidance issued July 6, 2001

Health-Related Communications and Marketing

[45 CFR §§ 164.501, 164.514(e)]

General Requirements

The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:

  • Defines what is "marketing" under the rule;
  • Removes from that definition certain treatment or health care operations activities;
  • Set limits on the kind of marketing that can be done as a health care operation; and
  • Requires individual authorization for all other uses or disclosures of PHI for marketing purposes.

What Is Marketing

The Privacy Rule defines "marketing" as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." To make this definition easier for covered entities to understand and comply with, we specified what "marketing" is not, as well as generally defined what it is. As questions arise about what activities are "marketing" under the Privacy Rule, we will provide additional clarification regarding such activities.

Communications That Are Not Marketing

The Privacy Rule carves out activities that are not considered marketing under this definition. In recommending treatments or describing available services, health care providers and health plans are advising us to purchase goods and services. To prevent any interference with essential treatment or similar health-related communications with a patient, the rule identifies the following activities as not subject to the marketing provision, even if the activity otherwise meets the definition of marketing. (Written communications for which the covered entity is compensated by a third party are not carved out of the marketing definition.)

Thus, a covered entity is not "marketing" when it:

  • Describes the participating providers or plans in a network. For example, a health plan is not marketing when it tells its enrollees about which doctors and hospitals are preferred providers, which are included in its network, or which providers offer a particular service. Similarly, a health insurer notifying enrollees of a new pharmacy that has begun to accept its drug coverage is not engaging in marketing.
  • Describes the services offered by a provider or the benefits covered by a health plan. For example, informing a plan enrollee about drug formulary coverage is not marketing.

Furthermore, it is not marketing for a covered entity to use an individual's PHI to tailor a health-related communication to that individual, when the communication is:

  • Part of a provider's treatment of the patient and for the purpose of furthering that treatment. For example, recommendations of specific brand-name or over-the-counter pharmaceuticals or referrals of patients to other providers are not marketing.
  • Made in the course of managing the individual's treatment or recommending alternative treatment. For example, reminder notices for appointments, annual exams, or prescription refills are not marketing. Similarly, informing an individual who is a smoker about an effective smoking-cessation program is not marketing, even if that program is offered by someone other than the provider or plan making the recommendation.

Limitations on Marketing Communications

If a communication is marketing, a covered entity may use or disclose PHI to create or make the communication, pursuant to any applicable consent obtained under § 164.506, only in the following circumstances:

  • It is a face-to-face communication with the individual. For example, sample products may be provided to a patient during an office visit.
  • It involves products or services of nominal value. For example, a provider can distribute pens, toothbrushes, or key chains with the name of the covered entity or a health care product manufacturer on it.
  • It concerns the health-related products and services of the covered entity or a third party, and only if the communication:

- Identifies the covered entity that is making the communication. Thus, consumers will know the source of these marketing calls or materials.

- States that the covered entity is being compensated for making the communication, when that is so.

- Tells individuals how to opt out of further marketing communications, with some exceptions as provided in the rule. The covered entity must make reasonable efforts to honor requests to opt-out.

- Explains why individuals with specific conditions or characteristics (e.g., diabetics, smokers) have been targeted, if that is so, and how the product or service relates to the health of the individual. The covered entity must also have made a determination that the product or service may be of benefit to individuals with that condition or characteristic.

For all other communications that are "marketing" under the Privacy Rule, the covered entity must obtain the individual's authorization to use or disclose PHI to create or make the marketing communication.

Business Associates

Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of the covered entity. No other disclosure for marketing is permitted. Covered entities may not give away or sell lists of patients or enrollees without obtaining authorization from each person on the list. As with any disclosure to a business associate, the covered entity must obtain the business associate's agreement to use the PHI only for the covered entity's marketing activities. A covered entity may not give PHI to a business associate for the business associate's own purposes.
HIPAA Training,HIPAA regulations