HIPAA's Marketing Rule
Updated: Feb 15
While HIPAA’s marketing rule isn’t new, it can still be a bit messy for healthcare providers who want to grow their practices while preserving the integrity of patient information. Full knowledge and understanding of how HIPAA marketing compliance works is essential, both for the providers and for the marketing agencies and other business associates that support them.
So What Is the HIPAA Marketing Rule?
Like most of HIPAA’s Privacy Rule, the marketing rules focus on the usage and the disclosure of protected health information (PHI) by HIPAA covered entities. This protected information includes any demographic detail that can be used to identify the patient. Examples of such information include the patient's name, date of birth, phone number, address, SSN or tax ID number, insurance ID number, and of course, a full-face photograph.
The ultimate goal of the Privacy Rule is to give individuals control over how their PHI can be used and disclosed. The rules therefore require written authorization from a patient (in most cases) before PHI can be used or disclosed for marketing purposes. 45 C.F.R. § 164.508(a)(3).
Why It's Not Exactly Clear When the Rule Applies
The Privacy Rule defines marketing as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." 45 C.F.R. § 164.501. However, the definition does not include:
Prescription refill reminders or other communications about a drug currently prescribed to an individual, so long as any financial remuneration received for making the communication is related to the cost of making the communication;
Communications made for treatment of an individual, such as communications for case management or care coordination purposes, or to recommend alternative treatments or providers, unless the covered entity receives financial remuneration for making the communication; or
Descriptions of health-related products or services provided by the covered entity or included in a benefits plan (including payment for such products or services), unless the covered entity receives financial remuneration for making the communication.
The challenge facing any covered entity is therefore to distinguish goods and services essential for a patient's healthcare from marketing communications.
Some examples of what might be considered marketing under the rule are:
A health insurance company communicating about home insurance products that it also offers.
A hospital system communicating about a neighboring physiotherapy facility, which is not part of their system and where the communication does not provide treatment advice.
On the other hand, the following communications are most likely not marketing:
An e-mail reminder from a pharmacy to refill a prescription.
A referral from a primary care physician to a specialist for follow-up treatment.
The line between the two, however, is not always so clear. Even the Department of Health and Human Services acknowledges that overlap between communications for marketing purposes and communications for treatment purposes is inevitable.
Hang on, There’s More to "Marketing"!
Marketing is not just about a covered entity’s own marketing practices. It’s also about the sale of PHI to third parties who may want to use that PHI for their own purposes. “Marketing” also includes arrangements in which the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” 45 C.F.R. § 164.502(a)(5)(ii).
This definition has no exceptions. There must be written patient authorization before the sale of PHI can take place.
Examples of this type of “marketing” are pretty straightforward:
An insurance plan sells member details to a company selling healthcare apps, which then intends to target those members with ads regarding the benefits of a subscription to the app.
A drug manufacturer receives a list of patients taking one of its medications from a provider, in exchange for benefits to that provider, then uses that list to offer discounts on other medications.
Who Must Follow the Marketing Rule
The marketing rule must be followed by all covered entities and the service providers that receive PHI from them. And remember - business associates of the covered entity must use PHI only for the communication activities dictated by the covered entity. They may not communicate with patients for their own purposes or sell the PHI to another party without proper authorization.
Authorization is not required in all situations, however. Face-to-face interactions are allowed without authorizations even if they constitute marketing. Gifts of nominal value are also allowed - so don't get bent out of shape if your hospital gives you free samples of baby formula as you are walking out of the maternity ward!
Questions About the New HIPAA Marketing Rule?
If you still have questions about the HIPAA marketing rule, I’d be happy to sit down with you and answer your questions. Whether you are a covered entity or a business associate, I can help you review your organization’s practices to make sure you are in compliance with HIPAA. Give me a call today at (704) 940-5581 to set up a time to talk.