The recently released HIPAA regulations make numerous changes to the HIPAA regulatory framework.  This Article summarizes the changes regarding the sale of protected health information (PHI) and the use/disclosure of PHI for marketing purposes.

 

SALE OF PHI

Under the new regulations, a Covered Entity must obtain an authorization from the individual for any disclosure of the individual’s PHI that constitutes a “sale of protected health information.”  Such authorization must state that the disclosure will result in remuneration to the Covered Entity or Business Associate.  “Sale of protected health information” means a disclosure of PHI by a Covered Entity or Business Associate where the Covered Entity or Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.  Remuneration includes both financial and non-financial, in-kind benefits.

“Sale of protected health information” does not include a disclosure of PHI for the following purposes:

  • For public health purposes;
  • For research purposes where the only remuneration received by the Covered Entity or Business Associate is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
  • For treatment and payment purposes;
  • For the sale, transfer, merger, or consolidation of all or part of the Covered Entity and for related due diligence;
  • To or by a Business Associate for activities that the Business Associate undertakes on behalf of a Covered Entity or other Business Associate, where the only remuneration provided is for the performance of such activities;
  • To an individual when requested in connection with the individual’s right of access to PHI or right to obtain an accounting of the disclosures of PHI;
  • When required by law; and
  • For any other permissible purpose, where the only remuneration received by the Covered Entity or Business Associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.

 

USE/DISCLOSURE OF PHI FOR MARKETING PURPOSES

Covered Entities must obtain an authorization from an individual before using or disclosing the individual’s PHI in connection with “marketing” a product or service.  “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  The foregoing rule is subject to several exceptions.  It does not apply to communication in the form of (i) a face-to-face communication made to the individual or (ii) a promotional gift of nominal value.

In addition, this rule does not apply to certain types of communications that are excluded from the definition of “marketing.”  Marketing does not include a communication made for the following treatment and health care operations purposes:

  • For treatment of an individual by a health care provider;
  • To describe a health-related product or service that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health-plan enrollee that add value to, but are not part of, a plan of benefits; or
  • For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions.

Prior to the HITECH Act, these exclusions applied regardless of whether the Covered Entity received any benefits in connection with the use or disclosure of PHI.  Under the new regulations, the above exclusions do not apply if a Covered Entity receives any financial remuneration in exchange for making the communication.

The new regulations also provide that marketing does not include a communication made to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, but only if (i) no financial remuneration is received by the Covered Entity or (ii) any financial remuneration that is received by the Covered Entity in exchange for making the communication is reasonably related to the Covered Entity’s cost of making the communication.

“Financial remuneration” means a direct or indirect payment from or on behalf of a third party whose product or service is being described.  “Direct or indirect payment” does not include a payment for the treatment of an individual.  Unlike the definition of “remuneration” discussed above in the context of sale of PHI, the definition of “financial remuneration” in the context of marketing does not include non-financial benefits, such as in-kind benefits, which may be provided to a Covered Entity in exchange for making a communication about a product or service.  Only payments made in exchange for making such communications are included within the definition.

Permissible costs for which a Covered Entity may receive financial remuneration under this exception are those that cover only the costs of labor, supplies, and postage to make the communication.  The financial remuneration a Covered Entity receives in exchange for making the communication cannot generate a profit or include payment for other costs.

Synthesizing the above-described general standard and its exceptions, the net result is that Covered Entities must generally obtain an authorization from the individual before using or disclosing the individual’s PHI for marketing communications that involve the receipt of financial remuneration.  The authorization must disclose the fact that the Covered Entity is receiving financial remuneration from a third party.  Prior authorization is also required where a Business Associate (including a subcontractor), as opposed to the Covered Entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service.