HIPS Series > Privacy Issues for Marketers

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 13 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you, as a marketer, here?

We know your time is valuable. We want you to understand why you have been directed to spend time on these additional privacy-related materials.

As discussed at length in the introductory privacy course, protections for health information are required by Federal laws, such as HIPAA.  Every state also has its own requirements.  So do private certification organizations, such as JCAHO.

If you have access to health information, it is required that you know how to protect it.  And if you use health information for marketing, you need to know the specific legal limitations that apply to that activity.

2. Authorizations for marketing

Federal regulations (under HIPAA) generally require that a covered entity obtain prior written authorization for use or disclosure of protected health information (PHI) for marketing purposes. 

Few things have raised more consumer ire than marketing abuses of health information, so many states' statutes also address the issue of marketing using health information.

In the most restrictive jurisdictions, a specific written release or authorization is required to permit utilization of patient information for solicitation or marketing.

As with other aspects of privacy compliance, it is essential to determine if a state-level requirement stricter than the federal one exists where your organization operates.

3. What is marketing?

HIPAA's marketing regulations give two definitions of marketing.  Marketing occurs when a covered entity:

  • makes "a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service"; or
     
  • discloses information "in exchange for direct or indirect remuneration," so that "another entity or its affiliate [may] make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service."

States' statutes may have their own definitions -- and, of equal or greater importance, may or may not allow the kinds of exceptions that are discussed in the next four sections.

4. What isn't marketing: treatment information

HIPAA's first definition -- relating to communications by or on behalf of the covered entity itself -- is qualified by huge exemptions.

First, information provided for the purpose of furthering or managing the treatment of an individual, such as "directing or recommending to that individual alternative treatments, therapies, health care providers or settings of care" isn't marketing. 

Nor are activities in furtherance of "case management" and "care coordination," such as referrals to or recommendations of particular products, facilities or providers, considered marketing under HIPAA.  This too is considered part of treatment.

5. What isn't marketing: benefits information

Second, it isn't marketing for a covered entity to convey information about benefits.  That includes data "about entities participating in a provider network or health plan, including the services offered by those providers," or about "the benefits covered by a health plan, including replacements to and enhancements for coverage under the plan."

Information about existing benefits, as well as about other products or services optionally available to a health plan enrollee, is also exempted by HIPAA.  (The latter must be truly value-adding, and not simply a pass-through for items available on the same terms to the general public.)

6. What isn't marketing: general information

Third, population-oriented communications that promote health in "a general manner" are also excluded, provided there is no endorsement of a specific product or service.

This includes newsletters and other general circulation materials with information about health-promoting activities -- e.g., screenings for certain diseases.

Note again that these three exemption categories relate to communications by the covered entity on its own behalf -- or where it hires a third-party business associate to do so on the covered entity's behalf.

7. What isn't marketing: little gifts, face-to-face exchanges

Fourth, and finally, HIPAA provides for a pair of exemptions especially relevant to the treatment setting. 

Gifts of "nominal value" are still permitted.  (For example, dentists may continue to give toothbrushes, floss and toothpaste samples.  Mugs, pens, and the like are ok too.)  

Face-to-face communications with the patient are also unrestricted -- even if marketing-like, in the sense of promoting particular products or services.

The presence of remuneration to the covered entity for making such gifts or communications doesn't change the exemption, at least from the perspective of federal privacy regulations. 

Note, however, that anti-kickback, fraud and self-referral statutes may still apply.  (Accordingly, your organization's policies may limit these practices for other than privacy reasons.)

And, to reiterate, these four exemptions may or may not be paralleled in states' statutory definitions of marketing.

8. Un-protected health information

You may be wondering if using truly de-identified information for marketing is permitted.  Health information ceases to be protected, and can be used without authorization, if every possible link to the individual is removed.  This is useful for some research applications, for example.

Unfortunately, information that was truly stripped would probably be useless in this context -- precisely because it could not be used to target marketing efforts. 

Even a list of names and addresses derived from a facility's patient database, stripped of all medical data, would still be protected because it is considered to convey health information (namely, that those persons got health services of some kind).

9. Disclosures to benefit third parties

As noted, a covered entity may make disclosures to a third party (business associate), so that the latter can undertake communications on the covered entity's behalf, and still have the benefit of all the exemptions discussed. 

But what about the second HIPAA definition of marketing?  For that there are no exemptions.  Disclosures to a third party for the purposes of the third party's marketing efforts are ALWAYS marketing, and ALWAYS require a specific authorization from the patient.

If the arrangement involves direct or indirect remuneration to the covered entity for this kind of disclosure, the authorization must so state.

10. Characteristics of authorizations

When required, marketing authorizations must be executed in writing -- oral agreement is not sufficient -- "in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision."

That includes a specific description of the purposes of the disclosure, and a specific expiration date.  (And, as noted, the details of remuneration, if that is applicable.)  It is not permissible to ask for generalized, open-ended authorizations for a range of unspecified future marketing disclosures.

(Authorizations have many other format and content requirements. Read about them here.)

11. Mixing marketing and fundraising

It has been common to mix marketing and fundraising communications -- for example, to include solicitations for donations in a targeted newsletter that otherwise contains information qualifying as "not marketing" under the exemptions discussed above.

Communications which include fundraising material are subject to fundraising rules too.  Absent an authorization, fundraising can only be targeted to patients using demographic information and dates of past service, not any data on treatment or condition.  So mixing may no longer be a good idea. 

(For more information, see the Privacy Issues for Fundraisers course.)

12. Marketing vs. fundraising rules

To summarize, the rules for marketing and fundraising are:

  • Marketing (not meeting the exemptions) -- authorization is required for any use of PHI.
     
  • Fundraising -- authorization required for any use of PHI beyond demographic information and dates of past service.
     
  • "Not-marketing" (exempted activities) -- no authorization required for PHI use.
     
  • Communications which mix information types are subject to the more restrictive rules.

13. Should you have an opt-out?

Fundraising communications must have an opt-out -- so persons can indicate that they do not wish to receive future solicitations.

"Not-marketing" (exempted) communications are not required to offer opt-outs.  And, of course, true (un-exempted) marketing can only occur with specific authorization -- which means the person has specifically opted in.

Offering opt-outs may still be a customer-friendly gesture to consider.  Annoying your customers with unwanted communications is rarely a good strategy, even if the letter of the law permits it.  It should be obvious that once you offer an opt-out, you must create mechanisms to honor it.

14. If you remember nothing else

Here are the key points:

(1) Federal (HIPAA) restrictions on the use of health information for marketing are strict -- requiring specific prior written authorization.  State requirements vary.

(2) HIPAA regulations exempt from the definition of marketing much of what normally is considered marketing.  (If state statutes do not contain specific definitions, it will usually be assumed that the federal exemptions are allowed.)

(3) If what you do is exempted -- i.e., "not marketing" -- there are few restrictions.  So it is critical to know whether what you're doing meets the exemption.  

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •

 


   © 2002-2006 Contributing authors and University of Miami School of Medicine