The HIPAA Privacy Rule ensures that patients retain control over how their protected health information (PHI) is used for the purposes of marketing. According to the Privacy Rule, written authorization is required before the use and disclosure of PHI for marketing. However, there are exceptions to this rule.
According to HSS, The Privacy Rule defines marketing as ‘“a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.”’
Communications that are not aimed at providing treatment advice and instead promote a product or service typically require authorization, as they are considered marketing.
Not all types of communication are considered to be marketing
The Privacy Rule differentiates marketing from information intended to improve patient health care. For example, treatment plans or recommendations for specialists and nursing homes.
What is not marketing?
According to HSS, these three categories are not considered marketing:
It is not marketing if an organization is describing a health-related product or service. This can also include:
- Payment for a product or service rendered.
- Information about products or services that they provide and may be included in a plan of benefits.
- Communication about providers that are part of a health plan network, including replacements or improvements to a health plan.
- Information about health-related products or services that are available to a health plan enrollee but are not included in their current package and could add value to it.
The second category is communication intended for the treatment of the individual. This communication includes reminders to refill prescriptions, or referrals of the individual to a specialist for additional examination.
Lastly, HIPAA does not consider communications about managing an individual’s case in terms of recommending alternative methods, therapies, treatments, and healthcare providers as marketing.
Covered entities can share communications about their products or services, ensure patient care is maintained and optimized, and provide the opportunity to advance patient care beyond their parameters through sharing patient medical information with behavioral management programs or nursing homes that offer continued support for the patient’s ongoing needs.
What is authorization?
Authorization is signed permission granted by an individual that allows the covered entity to use and disclose PHI for purposes that would otherwise not be permitted by the Privacy Rule.
What constitutes accepted authorization?
An accepted authorization should contain the following information:
- The type of information that the covered entity will use and disclose
- Indivuals who are authorized to use and disclose the information
- Indivuals/providers that may receive the information
- Why the information is being used or disclosed
- An expiration date
- The patient’s signature
Authorization vs consent
Authorization is not the same as consent. Authorization requires that permission be granted in a written and signed format, with an expiration date. After this expiration date, the covered entity no longer has permission to use and disclose PHI.
Consent is a less formal signed permission that covered entities are not required to obtain for the use and disclose PHI. Accordion to healthcare regulatory compliance consultant, Mary Brandt, MBA, RHIA, CHE, CHPS, “The Privacy Rule permits, but does not require, a CE to obtain patient “consent” for uses and disclosures of PHI for treatment, payment, and healthcare operations. There are no specific requirements for consents, and CEs are free to establish their own procedures. Since this is not required, most CEs do not obtain consent for these disclosures.”
FAQs
When to ask for authorization for marketing
A covered entity is required to obtain authorization to use and disclose PHI, unless the Privacy Rule permits the use and disclosure of PHI such as under the categories of what is not considered as marketing.
Does HIPAA allow marketing emails
Yes, HIPAA allows covered entities to send marketing emails, provided the patient has given authorization.
What is the HIPAA Privacy Rule
The Privacv Rule, according to the HHS, establishes, “a set of national standards for the protection of certain health information.”
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.