Compliance Tool: Model Policy on Use of HIPAA-Protected Health Information for Marketing Purposes
This template helps lab leaders implement a written policy limiting and establishing procedures governing use of PHI for marketing.
The HIPAA Privacy Rule bans labs and other covered entities from using or disclosing protected health information (PHI) for marketing purposes without the individual’s authorization. Implementing a written policy limiting and establishing procedures governing use of PHI for marketing can help ensure compliance. Here’s a template policy that lab leaders can adapt for use in their organizations:
Restrictions on Use of PHI for Marketing
The Health Insurance Portability and Accountability Act of 1996 and its regulations, including the HIPAA Privacy Rule (which this policy will refer to collectively as “HIPAA”), prohibit the use or disclosure of a patient’s protected health information (PHI) for marketing purposes without the patient’s prior authorization. The purpose of this policy is to ensure that [Insert Lab Name Here] complies with HIPAA requirements by explaining the procedures that must be followed when using or disclosing PHI for marketing purposes.
All marketing communications involving the use or disclosure of PHI must either: (i) be carried out in accordance with a patient authorization, or (ii) meet an applicable exception set out in Section 4 below and be permissible under HIPAA and applicable state law without patient authorization.
3. DEFINITION OF “MARKETING”
For purposes of this policy, “marketing” for which HIPAA patient authorization is required means:
- a “communication about a product or service that encourages recipients of the communication to purchase or use the product or service” unless specific exceptions apply, or
- an arrangement in which [Insert Lab Name Here] discloses PHI to another entity “in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”
4. EXCEPTIONS: COMMUNICATIONS NOT REQUIRING HIPAA AUTHORIZATION
In accordance with HIPAA, the following communications are NOT considered marketing communications requiring patient authorization:
- Communications to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed to the patient, as long as any financial remuneration received is reasonably related to [Insert Lab Name Here]’s cost of making the communication;
- For the following treatment and healthcare operations purposes where [Insert Lab Name Here] does NOT receive any financial remuneration in exchange for making the communication:
  - Communication for treatment of a patient, including case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the patient
  - Communication for case management or care coordination, contacting of patients with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment
  - Communication “to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits for,” [Insert Lab Name Here], “including communications about the entities participating in a healthcare provider network; replacement of, or enhancements to, a health plan; and health-related products or services available only to health plan enrollees that add value to, but are not part of, a plan of benefits;”
- A face-to-face communication made by an [Insert Lab Name Here] employee or staffer to a patient; or
- “A promotional gift of nominal value provided by” [Insert Lab Name Here]
5. NEED TO DETERMINE WHETHER A COMMUNICATION IS MARKETING
Before using or disclosing PHI for communication that might be perceived as encouraging or promoting the purchase or use of a product or service, regardless of whether those products or services are offered by [Insert Lab Name Here] or third parties, employees must evaluate whether such communication would constitute a marketing communication requiring authorization in accordance with HIPAA by referring to the definitions and exemptions set out, respectively, in Sections 3 and 4 above. Where it is unclear whether the communication constitutes marketing or staff members contemplating the communication have any HIPAA-related questions or concerns, such staff members must seek assistance and clearance from the [Insert Lab Name Here] compliance officer or chief privacy officer before going through with the communication in question.
6. NEED TO OBTAIN AUTHORIZATION TO DISCLOSE OR USE PHI FOR MARKETING COMMUNICATIONS
If a communication that uses or discloses PHI is determined to be a marketing communication that does not meet any of the exceptions listed in Section 3 above, the communication may not be made unless and until a patient provides written authorization to use or disclose in accordance with [Insert Lab Name Here]’s HIPAA Policy, HIPAA, and any applicable state law. Where [Insert Lab Name Here] has or will receive any financial remuneration for making the marketing communication, the patient authorization must state that remuneration to [Insert Lab Name Here] is involved.