The HITECH Act established specific marketing restrictions that tighten the rules set by HIPAA regarding the use of protected health information (PHI). The Act provides that covered entities must obtain prior written authorization from individuals before using their PHI for marketing purposes unless specific exceptions apply.
How HITECH defines marketing
A Report on Patient Privacy notes, “...a communication is not considered ‘marketing,’ and consequently does not require authorization, if it falls under one of the three HIPAA exceptions for treatment, payment and/or health care operations (TPO):
(1) It describes a health-related product or service (or payment for a product or service) that is provided by, or included in a plan of benefits of, the CE making the communication;
(2) It is made for treatment; or
(3) It is made for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.”
The HITECH Act expands the definition of marketing to include any communication about a product or service that encourages recipients to purchase or use that product or service. This definition aligns with the Privacy Rule, which requires covered entities to obtain valid authorization from individuals before using their PHI for marketing purposes.
The HITECH Act also introduces stricter requirements by specifying that if a healthcare organization receives any form of financial remuneration for a communication, whether it pertains to treatment or healthcare operations, it must obtain prior written consent from the patient.
The restrictions placed on marketing
- Healthcare organizations must obtain written authorizations from patients before using PHI for marketing purposes, especially if they receive payment.
- There are limited exceptions to the authorization requirement, like communications about currently prescribed drugs, provided that any payment received is reasonable and directly related to the cost of making the communication.
- If a healthcare organization receives payment for communications related to treatment or healthcare operations, prior authorization is required unless it falls under a narrow exception.
- The Act prohibits the sale of PHI for marketing purposes without patient consent, reinforcing the need for transparency in how patient information is used.
The exceptions to the restriction on marketing under the HITECH Act
- Communications about refill reminders for drugs or biologics currently prescribed to an individual are exempt from the marketing definition, as long as any payment received is reasonable and related to the cost of making the communication.
- Marketing communications made face-to-face by a healthcare provider to an individual do not require prior authorization. This includes verbal recommendations or handing out written materials.
- Healthcare organizations can provide promotional gifts of nominal value (such as pens or calendars) to individuals without needing prior authorization.
- Certain communications that describe health-related products or services provided by the covered entity, including those included in a plan of benefits, may not require authorization if they do not involve financial remuneration.
- Communications made for the treatment of an individual or for case management and care coordination do not require prior authorization unless they involve financial remuneration.
How it influences email marketing
When healthcare organizations receive a payment for sending an email about a new treatment or service, they must first obtain explicit consent from the patient. The Act therefore narrows the exceptions previously allowed under HIPAA, giving healthcare organizations stricter guidelines in common marketing areas like email campaigns. The end goal is to center patient privacy through improved consent mechanisms, which often forces healthcare organizations to limit the scope and frequency of even HIPAA-compliant email marketing efforts compared to other sectors.
FAQs
What are the TPO exceptions?
The treatment, payment, or healthcare operations exception refers to the provisions under HIPAA that allow healthcare organizations to use and disclose PHI without patient authorization for specific purposes.
What qualifies as explicit consent?
Explicit consent is the clear and affirmative agreement from a patient allowing a healthcare provider to use PHI for specific purposes, particularly in marketing communications.
What is the consequence of failing to obtain explicit consent?
Failing to obtain explicit consent before using a patient's PHI for marketing purposes can lead to financial penalties being imposed by the Department of Health and Human Services (HHS).