USA: Understanding the HIPAA marketing restrictions
The Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and the regulations promulgated thereunder, the HIPAA Privacy and Security Rules, Part 160 and 164 of Title 45 of the Code of Federal Regulations ('HIPAA Rules') initially prohibited a covered entity (as defined under HIPAA) from using or disclosing protected health information ('PHI') for marketing purposes without the patient's written HIPAA authorisation. In 2009, HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH Act'), which further refined the restrictions in the HIPAA Rules on the use and disclosure of PHI for marketing. In 2013, the HIPAA Omnibus Rule was released by the Department of Health & Human Services ('HHS') to amend the HIPAA Rules to implement the HITECH Act requirements, including with respect to marketing. Vimala Devassy and Kyle Gregory, Counsel and Associate respectively at Baker & Hostetler LLP, analyse the marketing restrictions applicable under the aforementioned laws and regulations.
What constitutes marketing under HIPAA?
The HIPAA Rules define 'marketing' as making 'a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.' According to guidance1 ('the OCR Guidance') issued by the Office for Civil Rights of the HHS ('OCR'), marketing also means 'an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.'
What constitutes remuneration under HIPAA?
The receipt of remuneration is generally a key factor in determining whether a communication constitutes marketing under HIPAA. The HIPAA Rules define remuneration in the context of marketing as a direct or indirect payment from or on behalf of a third party whose product or service is being described. Notably, however, the HIPAA Rules also expressly provide that such 'direct or indirect payment does not include any payment for treatment of an individual' for purposes of the definition of remuneration.
The HHS also confirmed in the regulatory commentary of the HIPAA Rules that the term 'financial remuneration' does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only those payments made in exchange for making the marketing communications. The HHS further emphasised in the regulatory commentary that the financial remuneration a covered entity receives from a third party must be for the purpose of making a marketing communication and such communication must encourage individuals to purchase or use the third party's product or service in order for it to be deemed remuneration for the purposes of marketing, whereas financial remuneration received by the covered entity for any purpose other than for making the marketing communication would not necessarily trigger the marketing provisions of the HIPAA Rules.
HIPAA authorisation requirements for marketing
Generally, the HIPAA Rules require that an individual's written authorisation must be obtained before his or her PHI can be used or disclosed for marketing purposes. However, a number of notable exceptions to this authorisation requirement exist for certain categories of communications either because the communication has been specifically excluded from the definition of marketing or because an exception applies to such communication even if it is marketing. Each of these categories of communications is discussed in greater detail below.
When HIPAA marketing authorisation is not required
An individual's prior authorisation is not required for the following communications pursuant to the HIPAA Rules (45 C.F.R. § 164.508.):
- Face-to-face communications: A covered entity may communicate with an individual in a face-to-face encounter, even if it is a marketing communication. For example, an insurance agent who sells a health insurance policy in person to a customer is permitted to also market a casualty and life insurance policy as well during the face-to-face encounter without the need to obtain a HIPAA authorisation. It is important to note that HIPAA does not consider face-to-face encounters to include telephone communications. Therefore, if the communication in the above example was made via telephone, it would be viewed as marketing and require prior authorisation.
- General health promotion communications: A covered entity may make a general communication that promotes health in a general manner if it does not promote a specific product or service from a particular provider2. An authorisation is not required because HIPAA does not consider such a communication to be marketing for the purposes of HIPAA3. These communications may include population-based activities related to health education or disease prevention, such as annual mammogram reminders or mailings providing information about how to lower cholesterol.
- Promotional gifts: A covered entity may provide promotional gifts of nominal value to an individual. For example, a hospital may provide a free package of formula and other baby products to new mothers as they leave the maternity ward. While such a communication constitutes marketing, HIPAA specifically exempts such communications from the authorisation requirement.
Authorisation is not required unless remuneration is involved
An individual's prior authorisation is also not required for the following types of marketing communications as long as the covered entity does not receive any financial remuneration for making the communication (45 C.F.R. § 164.501):
Health-related product or service exception
A communication is not deemed marketing under the HIPAA Rules if it is made to describe a health-related product or service that is provided by the covered entity making the communication as long as the covered entity does not receive any remuneration for making the communication. This exception to the marketing definition provides that communications by a covered entity about its own products or services would not constitute marketing under HIPAA.
Example from OCR Guidance: According the OCR Guidance, a hospital may use its patient list to announce the arrival of a new specialty group or the acquisition of new equipment (e.g., an x-ray machine) at the hospital, and this communication would fit within the health-related products or services exception to the definition of marketing under the HIPAA Rules.
As long as the covered entity is making a communication about its own health-related services (such as a flyer about its own disease management program or weight loss program), the communication would be acceptable under HIPAA and would not be deemed marketing that would require a HIPAA authorisation from the patient. It is important that the communication be limited to the hospital's own products or services to fit within this exception, as the OCR notes in its Guidance that, 'a communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice' would be deemed a marketing communication under HIPAA, thereby requiring the patient's HIPAA authorisation.
Treatment/care coordination exception
The HIPAA Rules further provide that a communication is not marketing if it is made for treatment, case management, or care coordination for the individual or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual as long as the covered entity does not receive any financial remuneration for making the communication. As set forth above, remuneration excludes any payment for the actual treatment of an individual. The OCR Guidance provides a number of illustrative examples of permissible care coordination communications that would not constitute marketing, which are summarised below.
Examples from OCR Guidance:
- A physician may share a patient's medical records with several behaviour management programs to determine which program best suits the patient's ongoing needs.
- A hospital employee may share PHI with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home.
- Following an inquiry from a patient with a skin rash about the range of treatment options, the doctor may mail the patient a letter recommending various ointments and medications described in brochures enclosed with the letter as an alternative treatment communication.
Notably, for any of these enumerated exceptions to the definition of marketing, the activity must also be otherwise permissible under the HIPAA Rules.
Authorisation is not required as long as remuneration is reasonably related to cost
In addition to the above categories of communications, a special category exists for communications regarding currently prescribed drugs. The HIPAA Rules also provide that the definition of marketing under HIPAA does not include a communication made to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual as long as any 'financial remuneration' received by the covered entity in exchange for making the communication is limited to that which is reasonably related to the covered entity's cost of making the communication ('the Refill Reminder Exception'). In order to fit within the Refill Reminder Exception, the communication must be related to an individual's currently prescribed medication and any remuneration received for making the communication must be reasonably related to the costs of making the communication.
The OCR Guidance clarifies the meaning of 'currently prescribed medication' as follows:4
- Where an individual is prescribed a self-administered drug or biologic such as insulin, communications regarding all aspects of a drug delivery system, such as an insulin pump, fall within the Refill Reminder Exception.
- Communications about a recently lapsed prescription (one that has lapsed within the past 90 calendar days) fall within the Refill Reminder Exception.
- Adherence communications encouraging individuals to take prescribed medicines as directed fall within the Refill Reminder Exception.
- Communications about new formulations of currently prescribed drug do not fall within the Refill Reminder Exception but may qualify under the treatment exception discussed above.
- Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine do not fall within the Refill Reminder Exception but may qualify under the treatment exception discussed above.
As set forth above, if any remuneration is received by an entity for making the refill reminder communication, the remuneration must be reasonably related to the costs of making the communication in order for the communication to fit within the Refill Reminder Exception. The HHS has interpreted this to permit payments 'which cover only the costs of labor, supplies, and postage to make the [refill reminder] communication. Where the financial remuneration a covered entity receives in exchange for making the communication generates a profit or includes payment for other costs, such financial remuneration would run afoul of [HIPAA's] 'reasonable in amount' language5.'
Entities wishing to utilise this Refill Reminder Exception need to ensure that any communications and remuneration that may be received fit within these parameters.
Requirements for HIPAA marketing authorisation
If a marketing communication does not fit within one of the exceptions set forth above and a HIPAA marketing authorisation is required, the authorisation must contain the following elements pursuant to the HIPAA Rules (45 C.F.R. § 164.508):
- a meaningful description of the information to be disclosed;
- the name of the individual or the name of the person authorised to make the requested disclosure;
- the name or other identification of the recipient of the information;
- a description of each purpose of the disclosure.
- an expiration date or an expiration event that relates to the individual;
- a statement that the marketing involves financial remuneration from a third party if financial remuneration is involved;
- a statement regarding the individual's right to revoke the authorisation and the potential for redisclosure; and
- a signature of the individual or their personal representative and the date.
Finally, the authorisation must be written in plain language and the provider is required to provide the individual with a signed copy of it.
Marketing by business associate
The restrictions in the HIPAA Rules on the use of PHI for marketing also apply where a business associate receives financial remuneration for making communications about products or services offered by a third party6. A business associate may make such communications on behalf of a covered entity if consistent with the written business associate agreement between the business associate and the covered entity. If a covered entity utilises a business associate to engage in marketing, the business associate is subject to the same marketing restrictions as is the covered entity under the HIPAA Rules.
Review of marketing practices
Covered entities should also be aware that a number of standard marketing practices may run afoul of the HIPAA Rules if the patient's written HIPAA authorisation is not obtained in advance. For example, using a patient's photo or publishing a patient's testimonial is generally not permissible under HIPAA if a written HIPAA authorisation to do so is not obtained from the patient. In addition, responding to social media posts, media requests or Internet reviews can land the provider in hot water if the provider discloses or confirms any PHI related to the patient, including the mere fact that the provider is treating the patient. Thus, it is important for covered entities to review their marketing practices across the organisation to ensure compliance with HIPAA.
1. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
2. 78 Fed. Reg. 5597 (2013).
4. See: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/refill-reminders/index.html.
5. HHS Rulemaking Commentary, p. 126.
6. See: https://www.hhs.gov/hipaa/for-professionals/faq/276/can-business-associates-use-protected-health-information-for-marketing/index.html.