HIPAA Marketing and Sale Provisions Under HIPAA

The privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "HIPAA Rules") were designed to protect personal health information ("PHI") from unfettered use for commercial purposes. The amendments to HIPAA under the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") strengthen these protections by implementing new requirements on the use and disclosure of PHI for marketing ("Marketing") and sale ("Sale") purposes. Amendments under the HITECH Act to the HIPAA Rules (the "2013 Amendments") became effective on March 26, 2013. The 2013 Amendments directly apply to healthcare providers, plans and clearinghouses as "covered entities," as well as their subcontractors and vendors as "business associates" (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.

Covered entities and business associates are subject to fines of up to $1.5 million per year for HIPAA violations, and criminal sanctions also apply. Even if an entity is not directly subject to HIPAA but uses PHI or other personal information inappropriately, it may face an enforcement action by the Federal Trade Commission ("FTC") or other government entity.

I. Marketing

The HIPAA Rules on Marketing are byzantine. The premise is that the individual should be aware of and be able to opt out of many Marketing activities, except in limited circumstances. The rules define Marketing as making a communication that encourages the recipient to use a product or service, with certain excepted activities that relate to an individual's specific treatment (e.g., communications about refills, treatment plans, alternatives to treatment, new services, additional benefits, case management services, etc.) or the operations of a provider or plan to provide general information about case management and other services. The 2013 Amendments significantly modify the existing HIPAA Rules to require that if there is financial remuneration related to the communication (e.g., a payment by a device manufacturer or advertising broker to a physician) then even treatment- or operations-related communications constitute Marketing. (See full definition of Marketing at 45 CFR § 164.501.) Once it is established that an activity satisfies the definition of Marketing, then the covered entity or business associate must obtain the individual's authorization ("Authorization"), with certain exceptions. More specifically:

  • A covered entity or business associate may communicate with an individual about his or her treatment plan, alternatives to treatment, case management and other purposes related to treatment and operations without an Authorization if there is no financial remuneration.
  • If a covered entity or business associate uses PHI for purposes of Marketing and receives financial remuneration from a third party, in most situations, that transaction is Marketing and requires that the covered entity or business associate first obtain the individual's Authorization.
  • A covered entity or its business associate may accept payment for marketing health-related products and services offered by a third party, without the individual's Authorization to provide refill reminders or other information related to a drug or biologic that the individual is currently using, as long as the payment is reasonably related to the costs of the communication (e.g., labor, supplies and postage).
  • Those activities that constitute Marketing require the individual's Authorization except for communications made by the covered entity during a face-to-face encounter with the individual or a promotional gift of nominal value provided by the covered entity. The Authorization must state that remuneration is involved.
  • A covered entity's notice of privacy practices ("Notice") must inform individuals about the prohibitions on remunerated communications about health-related products or services offered by a third party without an Authorization.

Key Additional Points on Marketing

Financial Remuneration: "Financial remuneration" is defined as direct or indirect payment that flows from or on behalf of a third party whose product or service is being described, and does not include payment for the treatment of an individual. Also, non-financial or in-kind benefits do not constitute financial remuneration for Marketing purposes (compare with the Sale definition below). This raises the question of whether a third party could provide an in-kind service in return for the provision of a marketing communication without violating the HIPAA Rules (e.g., an acupuncturist helps set up a clinic's health fair in return for an agreement by the clinic to send out a brochure on the acupuncturist's services).

Authorization: The Preamble states that an Authorization for Marketing may apply to all subsidized communications, as long as it contains the required elements for a valid authorization under HIPAA and states that remuneration from a third party to the covered entity is involved.

Business Associate: The HIPAA Rules on Marketing apply where a business associate (including a subcontractor) receives financial remuneration for making communications about products or services offered by a third party. A business associate may make such communications on behalf of a covered entity if consistent with the written business associate agreement between the business associate and covered entity. Relying on a business associate to engage in Marketing does not relieve the covered entity from obtaining an Authorization. (For further information on business associates under the 2013 Amendments, including certain effective dates for business associate agreements, please see Duane Morris' January 23, 2013, Alert.)

For advertisers and others that develop and distribute Marketing communications: HIPAA applies differently to advertisers depending on their activities. An advertiser that is promoting a product on behalf of a party that is unrelated to a covered entity (e.g., a drug manufacturer that wishes to distribute information on its products to a health plan's beneficiaries) must be apprised of the Marketing provisions to provide good services to its client (the drug manufacturer). Further, the advertiser could face scrutiny from the FTC or other agency for activities that are not consumer-friendly. On the other hand, an advertiser that provides services to a covered entity to promote the covered entity's product or service is a business associate under HIPAA and is subject to HIPAA requirements and fines that apply to business associates.

Possible Examples Under the Marketing Provisions

  • A physician sends her diabetic patients a brochure on a new diabetes care coordination mobile application offered by a third-party software developer. The developer pays for the costs of the brochure and the time for the physician's staff to organize the mailing, and provides an additional placement payment to the physician. The physician would have to obtain the patient's Authorization prior to sending the brochure because financial remuneration is involved. On the other hand, an Authorization would not be required if the physician gives the patient a pencil with the name of the app on it.
  • A hospital sends patients a mailing that is entirely funded by a local breast cancer foundation about the availability of new state-of-the-art mammography screening equipment. No Authorization is necessary because the hospital would not be receiving remuneration from or on behalf of the equipment's manufacturer.
  • A pharmacy receives a financial incentive from a drug company beyond the cost of providing refill reminders to individuals taking a drug manufactured by the company. An Authorization is required. By contrast, if the pharmacy provides refill reminders to individuals only when they visit the pharmacy (in face-to-face encounters), such communications would be permitted without an Authorization. The refill reminder exception also applies to communications regarding the generic equivalent of a drug being prescribed and all aspects of a drug delivery system (e.g., an insulin pump) for a self-administered drug that has been prescribed.
  • A health plan hires an advertising company to prepare and distribute emails on products and services offered by the health plan. As such, the advertising company is a business associate and has to ensure that its activities comply with the HIPAA Rules in the same manner that the rules apply to the plan.

II. Sale of PHI

The 2013 Amendments distinguish between the use or disclosure of PHI for Marketing and for Sale purposes. In the case of Marketing, the disclosure of PHI is to encourage the recipient to buy a product or service; in the case of a Sale, there is simply the disclosure of PHI for remuneration. The purchaser could be any entity that seeks information, such as a market analyst; a data broker; an advertising company; the media; or an author, among many other examples.

In general, a covered entity or business associate may not exchange PHI for direct or indirect remuneration without prior Authorization, except in certain circumstances. Also, the covered entity's Notice must state that any Sale of PHI requires an Authorization. More specifically:

  • A Sale of PHI occurs when there is direct or indirect remuneration, including in-kind remuneration. (In contrast, the definition of remuneration for Marketing purposes does not include non-financial or in-kind remuneration.)
  • The definition of a Sale of PHI includes a transfer of ownership of the PHI, as well as disclosures of PHI based on an access, license or lease agreement.
  • There are a number of exclusions to the definition of a Sale of PHI, including for purposes of (i) public health; (ii) research that is covered by HIPAA (e.g., clinical research) if the payment is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI; (iii) treatment and payment; (iv) a sale and merger transaction involving the covered entity or the business associate; (v) activities performed by a business associate for or on behalf of the covered entity (or by a business associate subcontractor for or on behalf of the business associate) if the payment is for the business associate's performance of such activities (or for the subcontractor's performance of such activities); (vi) providing an access or an accounting to an individual; (vii) as required by law; and (viii) as otherwise permitted under HIPAA, where only a reasonable, cost-based fee is paid (or such other fee as permitted by law).
  • The Authorization for a Sale must specifically state that the Sale will result in remuneration.

Key Additional Points on Sale of PHI

  • Further Guidance on Remuneration: HHS tries to distinguish between those situations in which there is appropriate as opposed to inappropriate remuneration or fees for the transfer of PHI. For instance, the rule permits a covered entity to sell accounts receivable data containing PHI to a collections agency for a profit, yet limits any payment for the exchange of PHI for research purposes to a reasonable cost-based fee (which per the Preamble may include direct or indirect payment for supplies, labor, etc.). HHS has promised additional guidance on direct and indirect remuneration, costs and fees under the Sale definition.
  • Whether Remuneration Is Primarily for PHI: HHS also distinguishes between those situations in which a covered entity or business associate is "primarily" being compensated for PHI and those in which the provision of PHI is a "byproduct" of an arrangement in which payment is made between the parties. (See examples below.)
  • Ability of Third Party to Sell PHI: If PHI is properly "sold" to a third party pursuant to an Authorization or one of the exceptions to the definition of a Sale, and the third party is not subject to HIPAA, there are no restrictions on how the third party may further use, disclose or sell the data under HIPAA. However, if the third party is subject to HIPAA as a covered entity or business associate, then there must be an Authorization or an exception if the third-party covered entity or business associate wishes to "sell" the PHI to another party. The Authorization must be obtained by the covered entity.

Possible Examples

  • When a pharmaceutical company pays a physician for a list of patients who suffer from depression or take anti-depressant medication, and the pharmaceutical company then uses the list to send discount coupons for a new anti-depressant medication directly to the patients, the arrangement between the physician and pharmaceutical company would constitute a Sale of PHI, and the physician would need to obtain specific patient Authorization prior to providing the patient list.
  • A web journalist obtains data from a health plan on poor surgical outcomes following a new orthopaedic procedure. Although the data do not include names and addresses, they do include age, date of surgery and place of procedure, and thus fall under the definition of PHI. The journalist does not pay for the PHI, but secures free advertising for the plan on the journalist's website. Authorizations would be needed before the plan could disclose the PHI.
  • A market researcher purchases a set of patient data from a data broker to study different models of health insurance products that should be offered on a state's health insurance exchange. The data include first names to identify gender, approximate household earnings and ZIP codes, and thus are PHI. The data were derived from insurer records, and were disclosed by the insurer to the data broker in accordance with a proper Authorization from the patient. The data broker is not subject to HIPAA as a covered entity or a business associate. HHS does not have the authority to require that the Authorization notify the patient that his/her data would be sold to the market researcher. However, other agencies, such as the FTC, could get involved based on consumer protection concerns.
  • A hospital receives private grant funding in order to participate in a study on outcomes following certain cardiac procedures and, in return, must supply PHI to the funder. The provision of PHI is a "byproduct" of the arrangement, and thus, no prohibited Sale has occurred. Similarly, no Sale has occurred when the hospital contributes PHI to a data registry and, in return, may access the registry in order to develop quality improvement tools.


About Duane Morris

Duane Morris attorneys provide the full range of services to entities that handle healthcare and other personal data, including healthcare providers, entities involved in mobile health (mHealth), data analytic and management companies, software development and storage vendors, telemedicine entities, health information organizations/exchanges ("HIOs" or "HIEs") and many others. Attorneys in the Duane Morris Health Law Practice Group have extensive experience with counseling clients on potential data breaches under HIPAA and other privacy and security laws, and in developing and executing a data breach response plan, including reporting to federal, state, local and foreign governmental agencies and responding to formal agency investigations.

If you have any questions about this Alert or would like further information, please contact Lisa W. Clark, Emmy S. Monahan, any other member of the Health Law Practice Group or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.