Editor's note: This update supplants the 2002 practice brief "Release of Information for Marketing or Fund-raising Purposes."
Since its original compliance date in 2003, the HIPAA privacy rule required covered entities (CEs) to adhere to certain standards relative to the use and disclosure of protected health information (PHI) for the purposes of marketing and fund raising. In January 2013, HHS published the long-awaited "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act." Known as the HIPAA omnibus rule, its aim is to strengthen the privacy and security protections established under HIPAA. The rule includes significant changes that impact CEs that use or disclose PHI for marketing and fund raising. This practice brief is intended to provide an overview of the current requirements as related to marketing and fund raising under the HIPAA omnibus rule.
Standards for Use and Disclosure of Protected Health Information for Marketing
Under the original HIPAA privacy rule (§164.508), covered entities were required to obtain a valid authorization from individuals before using or disclosing their PHI for any activities that met the definition of marketing. The original rule defined marketing as "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." Communications for treatment, to describe health-related products or services, and certain healthcare operations were specifically excluded from the definition. Additionally, face-to-face communications or promotional gifts of nominal value were allowed to be made without authorization. The HIPAA omnibus final rule significantly modifies the definition of marketing to now require authorization for treatment and healthcare operations communications where the covered entity receives financial remuneration from a third party whose product or service is being marketed.
The final rule still defines marketing as "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service" but now modifies the exceptions to the definition. Under the final rule, the definition of marketing does not include a communication made:
- To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication
- For the following treatment and healthcare operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
  - For treatment of an individual by a healthcare provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual
  - To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about the entities participating in a healthcare provider network or health plan network; replacement of or enhancements to a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
  - For case management or care coordination, contacting individuals with information about treatment alternatives and related functions to the extent these activities do not fall within the definition of treatment
"Financial remuneration" is defined as "direct or indirect payment from or on behalf of a third party whose product or service is being described." For example, if a third party provides new iPads to all residents, that is a form of remuneration. Direct or indirect payment does not include any payment for treatment of an individual. "Direct payment" is defined as financial remuneration that flows from the third party whose product or service is being described directly to the covered entity. In contrast, indirect payment means financial remuneration that flows to the covered entity from an entity acting on behalf of the third party whose product or service is being described. Financial remuneration does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payment made in exchange for making such communications. Note that if financial remuneration is received by the covered entity for any purpose other than making the communication, the marketing provisions do not apply.
A business associate (including a subcontractor) that receives financial remuneration from a third party (instead of the covered entity) in exchange for making a communication about a product or service must also obtain an authorization from the individual before making the communication.
Under the final rule, for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing PHI for such purposes, and the authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. The scope of the authorization need not be limited to subsidized communications about a single product or service or about the products or services of one third party; it may apply more broadly to subsidized communications generally, so long as the authorization adequately describes the intended purposes of the requested uses and disclosures (i.e., the scope of the authorization) and otherwise contains the elements and statements of a valid authorization. Marketing authorizations may be combined with other HIPAA authorizations, but this is not required.
Under §164.508, the final rule continues to allow these marketing communications as exceptions without requiring an authorization, even if the covered entity receives remuneration from a third party to make the communication:
- A face-to-face communication by the covered entity to the individual (note: phone, mail, and e-mail communications do not constitute face-to-face communication and therefore do not fall under this exception)
- A promotional gift of nominal value provided by the covered entity
Marketing activities that do not use PHI to target a specific group of individuals are not subject to HIPAA. Mass mailings and communications such as newsletters that do not use PHI to identify the recipients of the mailing would not fall under the HIPAA regulations. Additionally, communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, do not constitute marketing and do not require individual authorization. Communications about government and government-sponsored programs do not fall within the definition of marketing, as there is no commercial component to communications about benefits through public programs.
Standards for the Use and Disclosure of Protected Health Information for Fund Raising
Section 164.514(f) of the original HIPAA privacy rule allowed a covered entity to use and disclose demographic information and dates of service for the purpose of fund raising without requiring an authorization from the individual. With the enactment of the HIPAA omnibus final rule, the standards for fund-raising communications expanded the ability to use and disclose PHI for fund-raising purposes.
Under the final rules, a covered entity may use or disclose to a business associate or to an institutionally related foundation the following PHI for the purpose of raising funds for its own benefit, without an individual's authorization:
- Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth
- Dates of healthcare provided to an individual
- Department of service information (such as cardiology, oncology, or pediatrics)
- Treating physician
- Outcome information (includes information regarding the death of the patient or any sub-optimal result of treatment or services)
- Health insurance status
The addition of these elements will allow covered entities to focus fund-raising communications more directly to the appropriate individuals or to screen and eliminate certain individuals from fund-raising communications.
With each communication made to an individual, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fund-raising communications. Under the rule, entities are free to decide what methods individuals can use to opt out of receiving further fund-raising communications, as long as the chosen methods do not impose an undue burden or more than a nominal cost. Examples to consider include a toll-free phone number, an e-mail address, or similar opt-out mechanisms that provide individuals with a simple, quick, and inexpensive way to opt out of further fund-raising communications. Entities may employ multiple opt-out methods, allowing individuals to determine which method is the simplest and most convenient for them, or a single method that is reasonably accessible to all who wish to opt out. The scope of the opt-out is left to the discretion of the entity.
If the covered entity intends to use or disclose PHI for the purpose of fund raising, the organization's notice of privacy practices must include a description about the use or disclosure of individually identifiable health information for fund raising, including a statement that the individual has a right to opt out of receiving such communications. It is not required that the notice describe the mechanism for opting out, although a covered entity may include a description if desired.
The final rule strengthened the requirements when an individual has elected to opt out of receiving further fund-raising communications, by prohibiting covered entities from sending further fund-raising communications to those individuals who have opted out. The covered entity must treat an individual's request to opt out the same as a revocation of an authorization. An opt-out request not complied with is a privacy breach.
A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fund-raising communications.
The rule applies to fund-raising communications made in any form, including communications made over the phone. Even with these types of communications, the entity must still clearly inform the individual that they have a right to opt out of further solicitations. If the entity does not use PHI to make the fund-raising communications, such as the use of a public directory, these rules do not apply.
Individual states may also have laws or regulations relative to the use of patient health information for marketing or fund raising. As the HIPAA standards for privacy will preempt state law (except where state law is more stringent than HIPAA or provides individuals with greater control over their PHI), organizations may find it necessary to consult legal counsel when developing their own policies and procedures.
- Review and update existing policies and procedures for use and disclosure of PHI for the purposes of marketing and fund raising
- Educate staff regarding the issues, policies, and procedures related to the use and disclosure of PHI for marketing and fund raising
- Determine if remuneration is received for any communications that would now fall under the definition of marketing
- Review the authorization for marketing purposes to assure that remuneration language is included
- Review opt-out statement on fund-raising communications to determine that the statement is clear and conspicuous
- Review the fund-raising opt-out mechanism to assure that the mechanism does not impose an undue burden or more than a nominal cost
Peg Schmidt, RHIA, CHPS
Kathy Downing, MA, RHIA, CHP, PMP
Ben Burton, JD, MBA, RHIA, CHP, CHC
Becky Buegel, RHIA, CHP, CHC
Kaye Connor, RHIT, CHC
Julie A. Dooling, RHIA
Elisa R. Gorton, RHIA, CHPS
Sandra L. Joe, MJ, RHIA
Lesley Kadlec, MA, RHIA
Joyce M. Matheson, RHIT
Kelly McLendon, RHIA, CHPS
Angela Dinh Rose, MHA, RHIA, CHPS
Kim Turtle Dudgeon, RHIT, HIT PRO-IS/TS, CMT
Diana Warner, MS, RHIA, CHPS, FAHIMA
Revised by (2002)
Harry Rhodes, MBA, RHIA
Originally prepared by Gwen Hughes, RHIA
Beth Hjort, RHIA, CHP
Mary Brandt, MBA, RHIA, CHE
Jill Callahan Dennis, JD, RHIA
Cheryl M. Smith, BS, RHIT, CPHQ
US Department of Health and Human Services. "Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule." Federal Register 75, no. 134 (July 14, 2010).
US Department of Health and Human Services. "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule." Federal Register 78, no. 17 (January 25, 2013).
US Department of Health and Human Services. "Standards for the Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 through 164. Federal Register 65, no. 250 (December 28, 2000).
US Department of Health and Human Services. "Standards for Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 and 164. Federal Register 67, no. 157 (August 14, 2002).
Schmidt, Peg; Downing, Kathy. "Release of Information for Marketing or Fund-raising Purposes (Updated)." (AHIMA Practice Brief, updated August 2013).