Marketing Privacy: HIPAA's New Sales Pitch

Harry Rhodes, MBA, RHIA, AHIMA


Direct marketing is the direct contact between a seller and a consumer. This type of targeted marketing gained wide popularity as a marketing strategy in the late 20th century because it can be addressed directly to specific individuals. With increasing amounts of specific information available on individuals, direct marketers have enjoyed an economical means of providing product information directly to targeted consumers.

Direct marketing has become an American institution, primarily because overwhelmed consumers have benefited from product marketing tailored to their needs.

Consumers have learned to welcome, accept, or ignore direct marketing. Consumers who don't want to receive direct marketing have learned to avoid filling out sweepstakes entries or product registration cards. Many organizations and businesses that hold consumer demographic databases have become more restrictive in the distribution of the information they hold. Many direct marketers have also learned to operate their direct marketing efforts within certain acceptable parameters.

The area of healthcare direct marketing has always been a particularly sensitive one. The most valuable demographic information used in the healthcare marketing effort is not simply name, address, age range, and questions like "do you plan on purchasing a new car in the next year?" The most valuable information used in a healthcare direct marketing effort and the questions asked are far more sensitive, serious, and potentially damaging.

Prior to the recent introduction of the HIPAA Standards for Privacy of Individually Identifiable Health Information final rule on December 28, 2000, healthcare marketers relied on personal, employer, and professional guidelines when conducting direct marketing campaigns. No specific laws addressed the use of individually identifiable health information for marketing purposes. Commencing on April 14, 2001, the final rule set into motion a 24-month implementation period that will radically change the practice of healthcare marketing. Because of the sensitive nature of individually identifiable health information, the majority of healthcare marketers have avoided using it as a resource for identifying potential target markets. An environmental scan conducted by this author revealed that the most common direct marketing resources were limited to facility registration logs and lists of potential clients purchased on the basis of economic, not health, criteria. Most often, lists are purchased from credit card companies or other financial institutions.

The HIPAA privacy final rule has succeeded in bringing some definite guidelines and limits to the conduct of healthcare marketing efforts that use individually identifiable health information. Yet the final rule still leaves many marketing issues unanswered. Marketing professionals will still need to use their professional judgment when carrying out direct marketing campaigns.

Elements of the HIPAA Privacy Final Rule that Will Affect Marketing

The HIPAA privacy final rule calls for the establishment of a process to allow individuals to complain to the covered entity (healthcare provider, health plan, or healthcare clearinghouse) and/or to the Secretary of the Department of Health and Human Services (DHHS) if they believe their privacy rights have been violated.

The covered entity is required to provide instructions on how to make complaints to the covered entity or the Secretary of DHHS. The covered entity is further required to provide the name and telephone number of a contact person or office. These requirements also extend to any business associates with which the covered entity contracts. The privacy final rule requires the business contract between covered entities and their business associates to ensure the confidentiality of any protected health information used or disclosed under the contract. Marketers who "go too far" with marketing efforts based on individually identifiable health information may find their practices formally questioned.

Furthermore, the final rule establishes a right for individuals to receive adequate notice of how covered healthcare providers and health plans use and disclose protected health information, and of the individual's rights with respect to that information.

If your organization intends to use individually identifiable health information for marketing purposes, your organization will need to disclose that fact in the Notice of Privacy Practices.

Key Elements of the Notice of Privacy Practices

  • Written in plain language
  • Description of uses and disclosures expected to be made without individual authorization
  • Description of uses and disclosures made only with individual authorization
  • Right to revoke an authorization
  • Right to request restrictions
  • Right to inspect and copy protected health information
  • Right to amend and correct protected health information
  • Right to receive an accounting of disclosures of protected health information

The final rule does expressly authorize disclosures of protected individually identifiable health information for marketing purposes without patient consent.

Under the privacy final rule, a covered entity does not need patient authorization to use or disclose protected health information for marketing in any of these three situations:

  1. Face-to-face encounters with the individual: The rule does not indicate that the face-to-face encounter must directly involve the provider; business associates can assist the covered entity with such communications. Face-to-face marketing with individually identifiable health information can also be done for other health-related products or services that are not related to the primary services of the covered entity. The rule also does not indicate where the face-to-face encounter is to occur. The covered entity could potentially sell its health-related product or service door to door.
  2. Products or services of nominal value: The healthcare provider could use or disclose protected individually identifiable health information to target a group of patients with a particular diagnosis to distribute a discount coupon or rebate offer for a product or service. The covered entity could distribute calendars, pens, and other merchandise. The rule does not define nominal value.
  3. Health-related products and services of the covered entity or of a third-party business associate: The final rule permits the covered entity to engage in health-related marketing on behalf of a third party, for a fee. The covered entity could retain an outside firm, through a business associate agreement, to conduct the actual health-related target marketing under the covered entity's name. There is no limit on the number of contracts a covered entity can enter. Privacy advocates have expressed early concerns that the provision for health-related products and services could be interpreted in the broadest of contexts. Consumers could begin to receive direct marketing promoting the health-related benefits of a myriad of products that could include diaper services, restful vacations, online pharmacies, insurance plans, and diet and exercise programs. Furthermore, there are concerns that healthcare providers will enter into numerous business associate arrangements for the express purpose of distributing marketing information.

Mandated Conditions for Health-related Marketing Communications

The HIPAA final rule establishes conditions that direct marketing communications must meet to be in compliance:

  1. The marketing communication must clearly and prominently identify the entity as the party making the marketing communication. Privacy advocates have expressed concern that should the communication come from a business associate of the healthcare provider, the business associate may not be required to reveal the contractual relationship in the communication because they are acting as an agent of the healthcare provider. Concern has also been raised that business associates could be allowed to make disclosures to other business associates they contract with.
  2. The communication must disclose whether the covered entity has received or will receive direct or indirect remuneration for making the communication. This condition would require the healthcare provider to reveal the fact that a business associate is paying them directly or indirectly to distribute the offer.
  3. With the exception of mass marketing distributions, such as newsletters, the communication must contain instructions describing how individuals may opt out of receiving future communications. For general communications distributed to a broad cross section of individuals, an opt-out opportunity is not required. Privacy advocates have found several problems with the opt-out provision in the final rule. The final rule does not specify an opt-out procedure. The covered entity could make the procedure for requesting to opt out extremely onerous. For example, would a request to opt out of a marketing effort have to be sent for each individual promotion received, or could the individual be allowed to submit a single universal request to opt out of all marketing activities with one request? Finally, the covered entity is required to make only a reasonable effort to ensure that individuals who decide to opt out of receiving future marketing communications are not sent such communications.
  4. If the covered entity uses or discloses protected individually identifiable health information to target the communication to individuals on the basis of their health status or condition, it is required to determine, prior to distributing the communication, that the product or service being marketed may be beneficial to the health of the type or class of individual being targeted.
  5. The marketing communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.

Many Issues Remain to Be Resolved

The marketing provisions of the HIPAA privacy final rule succeed in taking a step toward setting limits on the use of individually identifiable protected health information for direct marketing communications.

However, the rule contains many hotly contested issues that privacy advocates would like to see resolved:

  • The rule allows for disclosures without the patient's permission.
  • All protected health information, with the exception of psychotherapy notes, is available for marketing use.
  • There is no opportunity to opt out of marketing communications in advance.
  • There is no clear direction on how the "opt-out" process should be performed.
  • Marketing is permissible on behalf of third parties.

Consumer privacy advocates would like to see the opt-out requirements of the HIPAA privacy final rule changed to an opt-in requirement. Requiring covered entities to seek permission in advance to use protected health information for marketing purposes would put healthcare consumers in direct control of their personal health information. For the covered entity, requiring consumers to opt in would only slow and complicate marketing efforts.

Much work will still need to be done to clarify definitions and acceptable practices. The mandates of the privacy final rule will certainly be hotly debated for many years to come. By design, there are mandates within the final rule that will ensure that controversial issues do not go unresolved:

  • The mandated complaint process will give consumers a forum to express their concerns to the covered entities and, ultimately, the Secretary of DHHS.
  • A provision exists in the final rule that allows for the passage of state laws related to the privacy of health information that are more stringent than the standard established by the HIPAA privacy final rule. States could pass legislation that would further restrict the use of patient records for marketing.

Certainly, many aspects of the privacy final rule are complex; its mandates give individuals more control over their protected health information, and it will take some time before consensus is reached on how best to implement it.


References

Department of Health and Human Services, Administrative Simplification Web site. Available at

Federal Register, Government Printing Office. Available at

Office for Civil Rights, Department of Health and Human Services. Available at; telephone 1-866-OCR-PRIV (1-866-627-7748).

"Standards for the Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 through 164. Federal Register 65, no. 250 (December 28, 2000). Available at

Source: AHIMA Convention Proceedings, October 2001