Disclosures of Protected Health Information ("PHI") for "Marketing" Purposes
The HIPAA Privacy Rule, at 45 C.F.R. § 164.508(a)(3) (the “Privacy Rule”), requires that covered entities obtain a valid authorization from individuals before using or disclosing PHI to “market” a product or service. The term “marketing” means “to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” and generally excepts communications for treatment and health care operations purposes from this definition. The Final Rule changed exceptions to the definition of “marketing”, which are now dependent upon the “financial remuneration” received, if any.
The new definition specifies that “marketing” does not include a communication to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, but only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication. Included within this exception are communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed. Where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, also fall under this exception. The Department intends to provide future guidance to address the scope of this exception.
Additionally, the definition of “marketing” does not include a communication made for the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
- For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
- To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
- For case management or care coordination, contacting individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
The Privacy Rule defines “financial remuneration” to mean “direct or indirect payment from or on behalf of a third party whose product or service is being described.” The definition clarifies that “direct or indirect payment” does not include any payment for treatment of an individual. However, the term “financial remuneration” does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payments made in exchange for making such communications. In addition, the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and such communication must encourage individuals to purchase or use the third party’s product or service. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then the marketing provision does not apply.
Finally, permissible costs for which a covered entity may receive remuneration under this exception are those which cover only the costs of labor, supplies, and postage to make the communication. Where the financial remuneration a covered entity receives in exchange for making the communication generates a profit or includes payment for other costs, such financial remuneration would run afoul of the HITECH Act’s “reasonable in amount” language.
Combining the new definition of “marketing” with the Privacy Rule’s authorization requirement, it follows that for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing PHI for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. Additionally, where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual.