Marketing, Fundraising, and the Sale of PHI – 2013 HIPAA Final Rule Updates

sale of phi


With less than a month left until the HIPAA Omnibus Final Rule of 2013 is implemented, it’s time for Covered Entities (CE’s) and Business Associates (BA’s) to get cracking on meeting the new or updated requirements if they haven’t done so already.

In this post, we’ll be going over three very important updates regarding the use of Protected Health Information (PHI) involving:

  • marketing of PHI,
  • fundraising using PHI, and
  • the sale of PHI

What defines marketing using PHI?

It is considered marketing if the CE (or a BA) receives financial remuneration for communicating about health-related services or products to patients. Under the 2013 HIPAA Omnibus Final Rule, the CE must have the patient’s authorization for such communications. Furthermore, the CE must disclose the fact that they have received financial remuneration for marketing the product or service before the communication actually occurs. As with every rule, however, there are exceptions. For example, patient authorization for the use of PHI for marketing is not necessary in the following cases:

  • if the CE engages in a face-to-face communication with the patient,
  • if the CE provides a promotional gift of nominal value to the patient,
  • for drug refill reminders, and
  • for communications about programs sponsored by the government.

The sale of PHI is allowed only after the patient’s authorization

The sale of PHI is defined as a disclosure of PHI by a CE or a BA that directly or indirectly receives remuneration from or on behalf of the recipient of the PHI, in exchange for the PHI. Any PHI ownership transfer, licensing, or lease agreement would all constitute the sale of PHI.  A CE or a BA may not sell PHI without a patient authorization except when certain conditions apply:

  • The PHI is being disclosed in accordance with the requirements of the Privacy Rule and remuneration is limited to the cost of preparing and transmitting the PHI – no profit is permitted.
  • The disclosure is for:
  • treatment and payment
  • public health information
  • legal requirements
  • sale or merger of a CE where the new entity is a CE

And if you are asking for authorization for the sale of PHI, the authorization must indicate if the CE is receiving remuneration for the sale of the PHI.

Patients can opt-out of fundraising communications

The use and disclosure of certain elements of PHI for fundraising purposes is permitted by the 2013 HIPAA Omnibus Final Rule. This information includes:

  • demographic information of the patient,
  • information about the patient’s physician,
  • the department the patient visited,
  • the outcome of the treatment and
  • status of the patient’s health insurance.

The 2013 HIPAA Omnibus Final Rule also states that the CE is required to provide options for the patient that wishes to opt-out of any fundraising communications, whether those occur through phone calls or mailings. The method to opt-out can be chosen by the CE, however, it cannot cause a burden on the patient choosing to stop the fundraising communication. Some examples of appropriate opt-out methods for patients that a CE can offer are:

  • providing a toll-free number that the patient can call,
  • providing the patient with a pre-paid postcard that the patient would simply fill out and drop in the mailbox, or
  • providing the patient an opt-out capability through email

Also note that the CE must state, in the Notice of Privacy Practices, that it will be participating in fundraising communications with the patient, and that the patient can opt-out of them if he or she chooses.

To recap, Covered Entities and Business Associates should understand:

  • that they must gain patient authorization before marketing PHI and disclose the fact that they have received financial remuneration,
  • that the sale of PHI can only occur after the patient’s authorization, and
  • that they must provide the patient with opt-out capability for fundraising communications that would not cause a burden on the patient.

September 23, 2013, is just a few weeks away, so now is the time for CE’s and BA’s to actively review and update their policies to ensure compliance with the new 2013 HIPAA Omnibus Final Rule.


When you need proven expertise and performance

Neha Sharma, MBBS

Dr. Neha Sharma is a physician, trained in China, working in the US, with experience in eHealth, mHealth and related healthcare technologies.