DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
HIPAA COW
PRIVACY NETWORKING WORKGROUP
USE/DISCLOSURE OF PROTECTED HEALTH INFORMATION
FOR MARKETING PURPOSES
Disclaimer
This Use/Disclosure of Protected Health Information for Marketing Purposes Policy is Copyright
 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in
its entirety provided that this copyright notice is not removed. When information from this
document is used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or
used in commercial documents without the written permission of the copyright holder. This
Use/Disclosure of Protected Health Information for Marketing Purposes Policy is provided “as
is” without any express or implied warranty. This Use/Disclosure of Protected Health
Information for Marketing Purposes Policy is for educational purposes only and does not
constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA
COW has not yet addressed all state pre-emption issues related to this Policy and Procedure.
Therefore, this document may need to be modified in order to comply with Wisconsin/State law.
****
State Preemption Issues:
Sections 341.17(9)(c)3, 343.235(3(b) and 343.24(4)(c)(2) Wis. Stats. state that insurers
(including disability and long-term care insurers) who have received personal identifier
information from the Department of Transportation to pay claims or benefits and are prohibited
from disclosing the personal identifier information to any party for marketing purposes.
Policy:
It is the policy of [PROVIDER/PLAN] to secure an authorization to use or disclose protected
health information (“PHI”) for marketing purposes as defined in and in compliance with the
Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability
and Accountability Act of 1996. [45 CFR 164.501, 164.508(a)(3)]
Definitions (45 CFR 164.501):
Marketing means to make a communication about a product or service that encourages recipients
of the communication to purchase or use the product or service.
Marketing does not include a communication made:
1. To provide refill reminders or otherwise communicate about a drug or biologic that is
currently being prescribed for the individual, only if any financial remuneration received
by the covered entity in exchange for making the communication is reasonably related to
the covered entity's cost of making the communication.
NOTE: permissible costs are only those costs of labor, supplies, and postage to
make the communication. Where financial remuneration received in exchange for
 Copyright HIPAA COW
Page 1
DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
making a communication generates a profit or includes payments for other costs,
such financial remuneration is not reasonable. See 78 Fed. Reg.5597 for a
discussion of reasonable costs.
2. For the following treatment and health care operations purposes, except where the
covered entity receives financial remuneration in exchange for making the
communication:
a. For treatment of an individual by a health care provider, including case management
or care coordination for the individual, or to direct or recommend alternative
treatments, therapies, health care providers, or settings of care to the individual;
b. To describe a health-related product or service (or payment for such product or
service) that is provided by, or included in a plan of benefits of, the covered entity
making the communication, including communications about: the entities
participating in a health care provider network or health plan network; replacement
of, or enhancements to, a health plan; and health-related products or services
available only to a health plan enrollee that add value to, but are not part of, a plan of
benefits; or
c. For case management or care coordination, contacting of individuals with information
about treatment alternatives, and related functions to the extent these activities do not
fall within the definition of treatment.
Financial remuneration means direct or indirect payment from or on behalf of a third party
whose product or service is being described. Direct or indirect payment does not include any
payment for treatment of an individual.
NOTE: Financial remuneration does not include non-financial benefits, e.g., in-kind
benefits, provided to [PROVIDER/PLAN] in exchange for making a communication
about a product or service. Financial remuneration includes when a business associate
(including a subcontractor), as opposed to [PROVIDER/PLAN], receives financial
remuneration from a third party in exchange for making a communication about a
product or service. Direct payment means financial remuneration that flows from the
third party whose product or service is being described directly to [PROVIDER/PLAN].
Indirect payment means financial remuneration that flows from an entity on behalf of the
third party whose product or service is being described to [PROVIDER/PLAN].
78 Fed. Reg.5595-96.
The following situations are exceptions or exclusions to or do not meet the definition of
marketing1:
1. [PROVIDER/PLAN] can convey information to beneficiaries and members to describe a
health-related product or service (or payment for such product or service) that is provided
by, or included in a plan of benefits of [PROVIDER/PLAN], including: the entities
participating in a health care provider network or health plan network, health insurance
products offered by [PROVIDER/PLAN] that could enhance or substitute for existing
health plan coverage and health-related products or services available only to a health
plan enrollee that add value to, but are not part of, a plan of benefits. 45 CFR 164.501
1
Please note, the preamble to the Omnibus Rule notes that future guidance to address examples and situations that
fall within and outside the marketing authorization exception is forthcoming. See 78 Fed. Reg. 5596.
 Copyright HIPAA COW
Page 2
DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
2.
3.
4.
5.
6.
(see 78 Fed. Reg. 5593 for a discussion of this exclusion). For example, if a child is about
to age out of coverage under a family’s policy, this provision will allow the plan to send
the family information about continuation coverage for the child. This does NOT extend
to excepted benefits such as accident-only policies or to other lines of insurance.
[PROVIDER/PLAN] may make communications that are merely promoting good health
and not about a specific product or service does not meet the definition of “marketing.”
So mailings reminding women to get an annual mammogram, or with information about
how to lower cholesterol, about new developments in health care or about health or
“wellness” classes, support groups and health fairs are permitted and not considered
marketing. 45 CFR 164.501 (see 78 Fed. Reg. 5597 for a discussion of this exemption).
[PROVIDER/PLAN] may make communications about government-sponsored programs
do not fall within the definition of marketing. There is no commercial component to
communications about benefits available through public programs. [PROVIDER/PLAN]
is permitted to use/disclose PHI to communicate about eligibility for Medicare, Medicaid,
or CHIP. See 78 Fed. Reg. 5597.
[PROVIDER/PLAN] may make communications in newsletter format without
authorization so long as the content of such newsletter does not fit the definition of
“marketing.”
[PROVIDER/PLAN] may make communications for treatment of an individual by a
health care provider, including case management or care coordination for the individual,
or to direct or recommend alternative treatments, therapies, health care providers, or
settings of care to the individual (to the extent these activities did not constitute
treatment). 45 CFR 164.501 (see 78 Fed. Reg. 5593 for a discussion of this exclusion).
[PROVIDER/PLAN] may make communications promoting health in general and that
do not promote a product or service from a particular provider, such as communications
promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests,
such as annual mammograms, do not constitute marketing and thus, do not require
individual authorization. See 78 Fed. Reg. 5597.
Procedure for Authorization to Use or Disclose PHI for Marketing Purposes:
1. [PROVIDER/PLAN] will obtain an authorization for any use or disclosure of PHI for
marketing, except if the communication is in the form of a:
a. face-to-face (i.e., in person, not via phone, mail, or email) communication with the
patient; or
b. a promotional gift of nominal value provided by [PROVIDER/PLAN].
2. If the marketing involves [PROVIDER/PLAN] (or [PROVIDER/PLAN]’s business associate
or subcontractor) receiving financial remuneration by a third party, the authorization will
state that such remuneration is involved. Please see the HIPAA COW WI Authorization
form for additional requirements for a valid authorization.
Examples that do not require authorization:
1. A hospital sent flyers to its patients announcing the opening of a new wing where the
funds for the new wing were donated by a third party, since the financial remuneration to
 Copyright HIPAA COW
Page 3
DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
2.
3.
4.
5.
6.
7.
8.
9.
the hospital from the third party was not in exchange for the mailing of the flyers. See 78
Fed. Reg. 5593 for a discussion of this example.
If a third party provides financial remuneration to a covered entity to implement a
program, such as a disease management program, the covered entity could provide
individuals with communications about the program without obtaining individual
authorization as long as the communications are about the covered entity’s program
itself. See 78 Fed. Reg. 5596 for a discussion of this example.
A health care provider could, in a face-to-face conversation with the individual,
recommend, verbally or by handing the individual written materials such as a pamphlet,
that the individual take a specific alternative medication, even if the provider is otherwise
paid by a third party to make such communications. See 78 Fed. Reg. 5596 for a
discussion of this example.
Communications about the generic equivalent of a drug being prescribed to an individual.
See 78 Fed. Reg. 5596 for a discussion of this example.
Communications encouraging individuals to take their prescribed medication. See 78
Fed. Reg. 5596 for a discussion of this example.
Communications regarding all aspects of a drug delivery system, including, for example,
an insulin pump, where an individual is prescribed a self-administered drug or biologic.
See 78 Fed. Reg. 5596 for a discussion of this example.
Communications where the materials describing a member-exclusive value added health
product or service were provided by the entity to the health plan or its business associate
and no payment was made by the entity relating to the mailing or distribution of the
materials. See 78 Fed. Reg. 5597 for a discussion of this example.
If a third party provides financial remuneration to a covered entity to send refill
reminders, the covered entity can provide communications if the financial remuneration
covers only the cost of drafting, printing, and mailing the refill reminder. See 78 Fed.
Reg. 5597 for a discussion of this example.
Refill reminder communications by a pharmacy to individuals only when they visit the
pharmacy (in face to face encounters) even if the pharmacy receives financial
remuneration above and beyond what is reasonably related to the pharmacy’s cost of
making the communication. See 78 Fed. Reg. 5597 for a discussion of this example.
The following are examples of situations that require authorization:
1. The final Omnibus Rule prohibits a covered entity to sell lists of patients or enrollees to
third parties or to disclose PHI to a third party for the independent marketing activities of
the third party without patient authorization. See 78 Fed. Reg. 5594 for a discussion of
this example. For example, a pharmaceutical company cannot pay a provider for a list of
patients with a particular condition or taking a particular medication and then use that list
to market its own drug products directly to those patients.
2. Authorization would be required prior to a covered entity making a communication to its
patients regarding the acquisition of, for example, new state of the art medical equipment
if the equipment manufacturer paid the covered entity to send the communication to its
patients. See 78 Fed. Reg. 5593 for a discussion of this example.
a. It would not require authorization if a local charitable organization, such as a breast
cancer foundation, funded the covered entity’s mailing to patients about new state of
 Copyright HIPAA COW
Page 4
DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
the art mammography screening equipment. See 78 Fed. Reg. 5593 for a discussion
of this example.
3. Communications made over the phone (as well as all communications sent through the
mail or via email) do not constitute face-to-face communications, and as such, these
communications require individual authorization where the covered entity receives
remuneration in exchange for making the communications. See 78 Fed. Reg. 5596 for a
discussion of this example.
Considerations for Procedure:







Implement a tracking process for authorizations received from patients permitting the
receipt of marketing communications. Investigate the organization’s EHR capability to
include a field dedicated to recording the authorization to receive marketing
communications. If EHR does not have capability, determine a tracking process for those
individuals authorizing the receipt of marketing communications prior to distribution of
the communications.
Train departments responsible for distribution of patient communications on marketing
policy.
Consider creating a centralized review approval process requiring the Privacy Officer
signature prior to distribution of communications.
Implement a process for obtaining patient authorization.
Establish a cooperative working relationship with a third party if involved in any aspect
of marketing and distribution of communications.
Ensure that marketing is addressed in the Business Associate Agreement.
Include marketing reference in the Notice of Privacy Practices. Please see the HIPAA
COW Notice Policy for provider or health plan for sample marketing language.
References:




45 CFR 164.501 and 164.508(a)(3)
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification
Rules Under the Health Information Technology for Economic and Clinical Health Act
and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA
Rules; Final Rule, 78 Fed. Reg. 5565 (Jan. 25, 2013) (amending 45 CFR Parts 160 and
164) (aka Omnibus Final Rule) (available http://www.hhs.gov/ocr/privacy/
hipaa/administrative/omnibus/)
The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug
or Biologic Currently Being Prescribed for the Individual.
 http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketingref
illreminder.html
“Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules Under the HITECH Act,” American Health Information Management
Association, January, 2013.
.
 Copyright HIPAA COW
Page 5
DRAFT
Version 5: 3/1/14
Per January 23, 2014 Rule
Current Version: 3/1/14
Prepared by:
Content Changed:
Carrie Aiken, CHC
Julie Albright, RHIA
Cathy Boerner, JD, CHC
Laura Galloy, JD, LLM
Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA
Karen Navarro
Meghan C. O'Connor, JD
Betty Rockendorf, MS, RHIA, CHTS-IM , CHPS
Judy Titera, MBA, CIPP US/IT/CIPM
Substantial changes made due
to Omnibus Rule changes in
marketing definition and
preamble comments.
**You may request a copy of
the all the changes made in
this current version by
contacting administration at
admin2@hipaacow.org.
Reviewed by: Privacy Networking Group
Original Version: 1/22/04
Prepared by:
Gail Coleman, Elder Care of Dane County
Reviewed by:
Susan Manning, JD, RHIA
 Copyright HIPAA COW
Page 6