What are HIPAA’s new rules for marketing?
Answer Common HIPAA Questions
By Marcia L. Brauchler, MPH, CMPE, CPC, CPC-H, CPC-I, CPHQ
The marketing rules under HIPAA have always been complicated. Larger providers have incurred hours of legal time to make sure they are in compliance. Smaller providers tend to hold their breath and hope they aren’t running afoul of any marketing rules. And HIPAA’s final rule, effective September 23, 2013, didn’t simplify anything.
The government will tell you that marketing rules have been “tightened” to restrict activities involving patient protected health information (PHI) that were occurring under the previous (2002) HIPAA regulations. Privacy officers will tell you it has become a lot more difficult to determine whether an activity you’ve been doing for years now constitutes “marketing.” The activity might be marketing; it might be marketing, but exempt from the definition of marketing under HIPAA rules; or it might be marketing, but of a particular type that doesn’t require authorization from the patient. Yikes!
The bottom line: Providers need to assess their activities that use PHI, and that are “communications” (verbal or written), to find out if they are marketing (as defined by HIPAA) to their patients. And if they are marketing, they need to get authorization from patients.
What Is “Marketing?”
Marketing (as defined by present and previous HIPAA regulations) is a communication (verbal or written) that encourages an individual to use or purchase a product or service. If PHI is used to generate a list of patients to whom a communication is being sent on behalf of a third party, you are probably flirting with “marketing” under HIPAA, and are required to obtain patient authorization before undertaking the activity, mailing, etc.
Must you get the patient’s written permission for everything? Not quite. There are a few marketing activities that the federal government has said do not require patient authorization. The following activities constitute marketing, but do not require patient authorization:
- Face-to-face communications with patients that promote a product or service. This is the case even if the provider is paid to have the face-to-face discussion with the patient. For example, a prosthetics company pays Dr. Smith $15 each time he hands the patient a brochure on their product and talks about how good the product might be for the patient. This is marketing under HIPAA, but the provider can do this without authorization from the patient.
- Gifts of nominal value, such as pens and notepads, may be given to patients, even if they promote a particular product, without having to get permission from the patient beforehand.
- If the communication is about a drug or biologic that the patient is already taking, patient authorization is not required, provided the amount of money a provider receives to supply the list of patients taking the drug or biologic is reasonably related to the provider’s cost of sending out the reminder. This is a statutory exception to HIPAA’s marketing rule that requires patient authorization. When Congress passed the Health Information Technology for Economic and Clinical Health Act under the American Recovery and Reinvestment Act of 2009, it carved out this exception so pharmaceutical companies and other providers could remind patients when their prescription refills were due without running afoul of HIPAA.
If a provider does not receive any payment in exchange for making certain communications to patients, the communications are not considered marketing under HIPAA and do not require patient authorization. These types of communications include:
- Communications that involve treatment activities (e.g., case management, care coordination, recommending alternative therapies or treatments, etc.)
- Descriptions of a health-related product or service that is provided by, or included in, the patient’s plan of benefits
- Case management or care coordination and other related functions that aren’t considered treatment.
The key here is that the provider isn’t receiving any payment in exchange for making the communication. If the provider is receiving payment from a third party, these activities are considered marketing under the new HIPAA rules and require patient authorization.
One final exception to consider: Government benefit programs cannot be considered marketing because there is no commercial component to them; sending or explaining services available through Medicare or Medicaid, for example, shouldn’t trigger any marketing or authorization concerns for your practice.
Comply with HIPAA’s Marketing Rules
If you enter into relationships with third parties to send communications to your patients, and if that third party is giving you money to do so, get clients to sign an authorization stating it’s OK with them that you do so. Better yet, use common sense with your patients’ PHI, and don’t allow your patients’ information to be used to send communications to promote a product or service based on what you know about your patients.
It’s OK to let patients know their health plan will cover a visit to a chiropractor or to suggest that getting a massage every two weeks might help with their recovery from an auto accident. You may even hand them a brochure of your favorite massage center down the street, as long as you do it face to face while the patient is in your office. If your practice is complex, with many third-party relationships that send multiple communications (newsletters, coupons, etc.) to patients, consider consulting with a healthcare lawyer or privacy expert to be sure these communications don’t constitute marketing. If they do, decide how to get patient authorization before moving forward.
Marcia L. Brauchler, MPH, CMPE, CPC, CPC-H, CPC-I, CPHQ, is the president and founder of Physicians’ Ally, Inc. Since the company’s formation in 2000, Brauchler and her team of employees and consultants have provided advice and counsel to hundreds of physicians and practice administrators, resulting in improved and enhanced efficiencies in their business operations. Brauchler and her team provide education and assistance on how best to negotiate managed care contracts, increase reimbursements to the practice, and stay in compliance with healthcare laws. Services also include professional credentialing, coding, and coding certification education. Brauchler sells the Physicians’ Ally HIPAA Policies and Procedures Manual and its general Compliance Manual on the company’s website at www.physicians-ally.com.