The HIPAA Privacy Rule ensures that patients retain control over how their protected health information (PHI) is used for the purposes of marketing. According to the Privacy Rule, written authorization is required before the use and disclosure of PHI for marketing. However, there are exceptions to this rule.
According to HHS, the Privacy Rule defines marketing as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." Generally, if the communication is "marketing," then the communication can occur only if the covered entity first obtains an individual's "authorization."
Communications that are not aimed at providing treatment advice and instead promote a product or service typically require authorization, as they are considered marketing.
The Privacy Rule differentiates marketing from information intended to improve patient health care, such as treatment plans or recommendations for specialists and nursing homes.
According to HHS, these three categories are not considered marketing:
First, it is not marketing if an organization is describing its own health-related products or services. This can also include:
</gre_replace>
<gr_replace lines="8" cat="clarify" orig="Lastly, HIPAA does not">
Lastly, HIPAA does not consider communications about managing an individual's case, such as recommending alternative methods, therapies, treatments, and healthcare providers, to be marketing.
The second category is communication intended for the treatment of the individual. This communication includes reminders to refill prescriptions, or referrals of the individual to a specialist for additional examination.
Lastly, HIPAA does not consider communications about managing an individual’s case in terms of recommending alternative methods, therapies, treatments, and healthcare providers as marketing.
Under these exceptions, covered entities can communicate about their own products or services, ensure patient care is maintained and optimized, and extend patient care beyond their own walls by sharing patient medical information with behavioral management programs or nursing homes that offer continued support for the patient's ongoing needs.
Authorization is signed permission granted by an individual that allows the covered entity to use and disclose PHI for purposes that would otherwise not be permitted by the Privacy Rule.
An accepted authorization should contain the following information:
Authorization is not the same as consent. Authorization requires that permission be granted in a written and signed format, with an expiration date. After this expiration date, the covered entity no longer has permission to use and disclose PHI.
Consent is a less formal signed permission that covered entities are not required to obtain for the use and disclosure of PHI. According to healthcare regulatory compliance consultant Mary Brandt, MBA, RHIA, CHE, CHPS, "The Privacy Rule permits, but does not require, a CE to obtain patient 'consent' for uses and disclosures of PHI for treatment, payment, and healthcare operations. There are no specific requirements for consents, and CEs are free to establish their own procedures. Since this is not required, most CEs do not obtain consent for these disclosures."
A covered entity is required to obtain authorization to use and disclose PHI for marketing, unless the Privacy Rule otherwise permits the use and disclosure, such as under the three categories of communication that are not considered marketing.
Yes, HIPAA allows covered entities to send marketing emails, provided the patient has given authorization.
The Privacy Rule, according to HHS, establishes "a set of national standards for the protection of certain health information."