Use and Disclosure of PHI for Marketing,
Fundraising and Sale
- Coverage
Insert site name(hereafter referred to as the ‘Organization’) workforce memberswho access, use, disclose or transmit confidential patient information. Our workforce includes all clinical providers, clinical supportive staff, volunteers, students and other staff members involved in the routine operations of our delivery of care.
- Create / Revision Date
March 21, 2013
- Purpose
To communicate policy of the Organization in accordance with the final HIPAA Omnibus Privacy Rule regarding use and disclosure of PHI for marketing, fundraising and the sale of Protected Health Information.
- Policy
This Organization abides by all HIPAA and State privacy regulations regarding the use of individual (patient) PHI for marketing, fundraising or sale. In general, individual authorization is required before any of these uses of his/her PHI.
Marketing
It is the policy of the Organization and the Organization's entities not to use or disclose PHI about an individual for marketing purposes without first obtaining the individual’s written authorization except as noted within this policy.
The Omnibus Final Rule significantly modifies theapproach tomarketing by requiring authorization for all treatmentand health care operations communications where the Covered Entity receives financialremuneration formakingthecommunications fromathirdpartywhoseproductorserviceis being marketed. For example, a device manufacturer cannot pay for marketing of that device to patients without their authorization.
Underthe Omnibus Final Rule, formarketing communicationsthatinvolvefinancial remuneration, the Covered Entity must obtaina valid authorization fromthe individual beforeusingordisclosingprotectedhealthinformationforsuchpurposes,andsuch authorization must disclose the fact thattheCoveredEntityisreceiving financial remuneration froma third party.
There continues to be a stand-alone exception for prescription refill reminders and certain drugs and biologics.
Fundraising
A Covered Entity may use, or disclose to a Business Associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without patient authorization.
- Demographic information relating to an individual.
- The Omnibus Final Rule addressesthescopeofdemographicinformation relating toanindividual includes names,addresses,othercontactinformation, age, gender, insurance status and dates of birth.
- Dates of health care provided to an individual.
- Omnibus Final Rule added to the categories of PHI that may be disclosed
- Department of Service information (e.g., cardiology, pediatrics)
- Treating physician information
- Outcome information (e.g., sub-optimal results and death of patient)
The Covered Entity may NOT use or disclose protected health information for fundraising purposes as otherwise permitted unless a statement required by §164.520(b)(1)(iii)(B) is included in the Covered Entity's Notice of Privacy Practices;
- The Covered Entity must include in any fundraising materials it sends to an individual under this provision a description of how the individual may opt out of receiving any further fundraising communications.
- The Covered Entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.
There also may be state laws, rules or regulations to consider in reference to the definition and execution of marketing programs.
TheOmnibus Final Ruledoes not modify the types of communications thatarecurrently considered tobeforfundraisingpurposes.
- A communication toanindividual thatismadebya Covered Entity, an institutionally related foundation, oraBusinessAssociate onbehalfoftheCoveredEntityforthepurposeof raising fundsfor the Covered Entity is afundraising communication.
- Permissible fundraising activities include appealsformoney,sponsorshipofevents, etc.
- They do not includeroyaltiesor remittancesforthesaleofproductsofthirdparties(except auctions,rummagesales, etc.).
Sale of PHI
The Final Rule defines “saleofprotected health information”as adisclosureofPHIby a Covered Entity (CE) or Business Associate (BA),if applicable,wheretheCEorBA directly or indirectly receives remuneration fromor on behalf of the recipient of the PHI in exchange for the PHI.
A sale of PHI occurs when the CE or BA primarily is being compensated to supply data it maintains in its role as a CE or BA. Such disclosures require the individual’s authorization unless they otherwise fall within an exception.
The Final Rule permits the same types of costs under this exception as the research exception; as well as costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, (but not profit margin).
Exceptions / Exclusions:
- General exception permitting a CE to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule.
- Grants, sponsors and research use of PHI may be excepted, complex rules.
- HIEs where members pay fees, which supports the service of the HIE, not the sale of ‘data’.
- Disclosures for public health purpose (definition of ‘cost based’ in the rule is quite complex; remuneration for public health activities is not required to be cost-based)
- Disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the CE or BA is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes.
- There is an exception for remuneration paid by a CE to a BA for activities performed on behalf of a CE.
- The prohibition on sale of PHI without patient authorization applies to the receipt of nonfinancial as well as financial benefits.
- References
- Omnibus Privacy Final Rule – published January 2013.
- §164.508:
- §164.514(f)
- §164.520(b)(1)(iii)(B)
- Stericycle Online Privacy Risk Assessment (PRA)
- PRA Line Item: C33
List additional references
Page 1 of 3Copyright © 2013 Stericycle, Inc. All rights reserved.
HIPAA Compliance Program