regulations, marketing is defined as "mak[ing] a communication
about a product or service that encourages the recipients
of the communication to purchase or use the product or service."
In general, marketing communications using protected
health information (PHI) require a prior written authorization.

This broad definition
is qualified by important exceptions. First, neither of the
following types of communications by covered
entities is considered marketing:

- provided for the purpose of furthering or managing the treatment
  of an individual, such as directing or recommending to that
  individual alternative treatments, therapies, health care
  providers or settings of care;
- about entities participating in a provider network or health
  plan, including the services offered by those providers;
  or the benefits covered by a health plan, including replacements
  to and enhancements for coverage under the plan.

As regards the
former, both the regulations and DHHS commentary are explicit
that use and disclosure of protected health information (PHI)
in furtherance of "case management" and "care
coordination" for individual patients are not marketing.

The latter exception
includes information about existing benefits as well as other
products or services optionally available to a health plan
enrollee. However, the items must be "health-related"
and "value-adding" to the plan, not merely a pass-through
for discounts or items available to the general public.

Communications that promote health in "a general manner"
are also excepted, provided they do not endorse a specific
product or service. So newsletters and other general circulation
materials with information about health-promoting activities
(e.g., screenings for certain diseases) may be provided to
patients/members without an authorization.
may be conducted via a business
associate (provided an appropriate contract is in place)
or the covered entity directly. The key to the exceptions
lies in the connection to furthering treatment.
what remains is marketing, there is an additional exception
communications made by a covered entity to an individual;
gifts of nominal value provided by the covered entity.

The presence of
remuneration for the covered entity in these excepted situations
does not convert a communication to the kind of marketing
that requires an authorization for the purposes of HIPAA.
Anti-kickback, fraud and abuse, or self-referral statutes
and regulations may nonetheless apply. (While it is not required
in these excepted circumstances, covered entities are still
advised to disclose any remuneration arrangements when it
is practical to do so.)

Marketing is also
defined as "any arrangement between a covered entity
and any other entity whereby the covered entity discloses
[PHI] to the other entity, in exchange for direct or indirect
remuneration, for the other entity or its affiliate to make
a communication about its own product or service that encourages
recipients of the communication to purchase or use that product
this second definition are marketing, regardless of whether
a business associate relationship exists. So, for example,
selling of lists of patients with particular conditions or
taking particular medications to another entity requires an
authorization, regardless of whether that third party is completely
unaffiliated or part of a business associate contract.

As noted, covered
entities must obtain a prior authorization for any use or
disclosure of PHI that meets the definitions of marketing
(and that doesn't qualify for the exceptions). If the marketing
involves direct or indirect remuneration to the covered entity
from a third party, the authorization must state that such
remuneration is involved (in contrast to the rule for exceptions).
Authorizations must be specific about the kind(s) of marketing
contemplated; a blanket authorization for such purposes is

Under earlier versions
of the regulations, definitions of a marketing activity looked
to the purpose or intent of a communication; now, the definition
is simply about effects: "If, on its face, the communication
encourages recipients of the communication to purchase or
use the product or service, the communication is marketing."
As for the exceptions:
"The purpose of the exclusions from the definition of
marketing is to facilitate those communications that enhance
the individual's access to quality health care." Hence
the broad exception for communications about treatment, case
management, care coordination, and the recommendation of alternative

This also justifies
the exceptions for information about payment for treatment:
"[A] health plan is not engaging in marketing when it
advises its enrollees about available health plan [options]
that could enhance or substitute" for existing coverage.
DHHS has also clarified that communications about government
and government-sponsored programs do not fall within the definition
of marketing. "There is no commercial component to communications
about benefits available through public programs ... [t]herefore,
a covered entity is permitted to use and disclose protected
health information to communicate about eligibility for Medicare
supplemental benefits, or SCHIP."

Note that the marketing
regulations have always been among the most contentious of
HIPAA's specifications. And in the prior specification, they
were also, not coincidentally, among the most complex and confusing.
While simpler now, they are still controversial. Covered entities
may wish, in the name of preserving good will with current
and potential customers, to interpret them narrowly.

In this context,
that means conservative interpretation of the exceptions to
the definition of marketing, and liberal interpretation of
the requirements for disclosures of "details" like
remuneration arrangements. It is also a good idea to consider
providing "opt out" options for communications,
even though the regulations do not require it for "not

Few things irritate
patients/customers more than communications that they have
come to consider burdensome and intrusive, and from which
they find no escape. Patients tend to be particularly unforgiving
if they feel their health information has been "sold"
without their knowledge or approval, for purposes that appear
to benefit the covered entity more than themselves.

DHHS has noted
that organizations that receive identifiable health information
and misuse it may be subject to action taken under other consumer
protection statutes by other Federal agencies, such as the
Federal Trade Commission. They may also be subject to state
consumer-protection statutes and regulations. The definition
and rules for marketing here apply solely to HIPAA's Privacy
Rule and its associated sanctions.