The HIPAA Privacy Rule regulates how patients' protected health information (PHI) can be used for marketing. In general, HIPAA requires written authorization before a covered entity can use PHI for marketing purposes. However, there are many types of communication that HIPAA does not consider marketing. HIPAA is not intended to restrict providers' ability to communicate about goods and services that are essential for quality healthcare. Also, HIPAA doesn't imply that doctors cannot market to clients—simply that in some instances patient authorization is required. Remember also that all marketing email, including email for healthcare purposes, must abide by the CAN-SPAM Act as well. You can find the official definition of marketing under HIPAA here. However, in this blog post we will attempt to provide a more user-friendly summary of what marketing means for healthcare providers.
What is marketing according to HIPAA?
HIPAA defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Covered entities can market to patients, but they must receive prior authorization. For example:
- A hospital informs former patients about a new cardiac facility as an FYI. (Since they are former patients, this communication is not part of treatment.)
- A healthcare insurance company tells patients about a home and casualty insurance product that they also offer.
Marketing under HIPAA also includes when a business associate pays a covered entity to share patient information so the business associate can market its own product or service. In this case, the authorization that patients sign must indicate that a third party is paying for contact information. It is marketing when:
- A health plan sells a list of its members to a company that sells blood glucose monitors so it can share information about the benefits of using the product.
- A drug manufacturer pays a healthcare provider for a list of patients to distribute discount coupons for a new anti-depressant medication.
When prior authorization is NOT necessary for marketing
A communication does not require an authorization—even if it is marketing—if it is in the form of a face-to-face communication, or when a healthcare provider offers a promotional gift of nominal value to a patient. For example, no prior authorization is necessary when:
- A hospital provides a free package of formula to new parents as they leave the maternity ward.
- An insurance agent sells a health insurance policy in person to a customer and discusses a casualty and life insurance policy as well.
What is NOT marketing according to HIPAA?
HIPAA carves out a number of exceptions to its definition of marketing which do not require prior authorization to discuss with patients.
It is not marketing for a covered entity to share information about a health-related product or service that it provides. Some examples in this category are:
- An insurance provider shares information about the entities in its network.
- An insurance provider tells enrollees about enhancements to a health plan.
- A hospital announces to current patients the arrival of a new specialty group or the acquisition of new equipment.
- A health plan informs subscribers approaching Medicare eligible age about its Medicare supplemental plan.
A communication is not marketing if it is made for treatment purposes. For example, it is not marketing when:
- A pharmacy sends prescription refill reminders to patients.
- A primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug.
It is not marketing to communicate with patients about case management or care coordination, or to recommend alternative treatments or providers. Some examples of communications under this exception are:
- An endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the patient's ongoing needs.
- A social worker shares medical record information with various nursing homes while trying to transfer the patient.
Of course, for any of these exceptions to HIPAA's definition of marketing, the activity must otherwise be permissible under HIPAA. Also, a covered entity can hire a business associate to make the communication (as long as they have a signed business associate agreement between them). However, the business associate must sign a contract stating it will only use the information to communicate on behalf of the covered entity.
Frequently asked questions
Now that we've got the HIPAA definition of marketing and non-marketing communication out of the way, let's go over some frequently asked questions which the US Department of Health and Human Services (HHS) provides on its website. The details can be found here, but we've translated the government-speak into plain English below.
Can PHI be used to market goods and services to patients without prior authorization?
No. HIPAA requires patient authorization for the following:
- Selling PHI to third parties. For example, a hospital may not sell names of pregnant women to baby formula manufacturers without authorization.
- Disclosing PHI to outsiders to be used in marketing. For example, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions without authorization.
Do disease management, health promotion, preventive care, and wellness programs fall under the HIPAA definition of marketing?
Generally, no. A covered entity can communicate about its own health-related services without prior authorization. For example, a hospital’s wellness department could start a weight-loss program and send a HIPAA compliant marketing email to all obese patients seen in the hospital over the past year, even if those individuals were not specifically seen for obesity when they were in the hospital.
Moreover, a communication that merely promotes health in a general manner and does not recommend a specific product or service is not considered marketing. Such communications may include educating a patient population about health education or disease prevention. Examples of general health promotional material include:
- Reminding women to get an annual mammogram
- Providing information about how to improve one's health or new developments in healthcare
- Support groups
- Organ donation
- Cancer prevention
Is it marketing for a covered entity to describe the entities participating in a healthcare network?
No. HIPAA does not consider it marketing for a health plan or insurer to send members a list of healthcare providers in the health plan network or for an independent physicians association to send patients a preferred provider list.
Can a health plan communicate about health-related products or services to enrollees that add value which are not part of the plan?
Yes. In fact, this is a common practice, particularly for managed care organizations. However, remember that only communications about health-related products or services are exempt from patient authorization. Also, the product or service must demonstrably add value to enrollees and not merely be a discount or item available to the public at large. So, a Medicare organization could offer a discount for eyeglasses without obtaining patient authorization if the discount were only available to members. However, if members were able to obtain the discount directly from the eyeglass store, authorization is required.
Can a covered entity use information regarding a patient's clinical condition to communicate about related products or services without prior authorization?
Yes, if the communication is for the individual’s treatment, care coordination, or the recommendation of alternative therapies. Similarly, population-based activities in the areas of health education or disease prevention are not considered marketing when they promote health in a general manner. For example, a hospital can use clinical information about patients to target them for a public education campaign.
What are examples of "alternative treatments" that are excepted from the HIPAA definition of marketing?
Alternative treatments are any treatments within the range of treatment options available for a condition. For example, a doctor, in response to a patient asking about treatment options for a skin rash, sends a HIPAA compliant email recommending that the patient purchase various ointments and medications.
Alternative treatment also includes alternative medicine. For example a midwife recommends or sells vitamins and herbal preparations to her pregnant patients.
Are communications concerning information about government programs or government-sponsored programs marketing?
No. There is no commercial component to communications about benefits available through public programs. Therefore, a covered entity is permitted to use and disclose PHI to communicate about eligibility for Medicare or Medicaid, for example, without authorization.
How Paubox Marketing can help
There are many ways that healthcare providers can communicate with patients for marketing as well as non-marketing purposes: in person, on the phone, snail mail, etc. However, there is a better way: healthcare email marketing. Paubox Marketing allows healthcare providers to benefit from the powerful tool of personalized email marketing. Recipients view marketing emails like regular emails without relying on outdated portal notifications, which are terrible for the recipient. You can segment your recipients and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant.
In addition, Paubox Marketing is HITRUST CSF certified. Although you might see HIPAA as a roadblock to implementing an email marketing strategy, it doesn’t have to be.