Fundraising Under HIPAA —The Privacy Rule—
AHP's Special Analysis

From Stuart R. Smith, FAHP - Chair
William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable,
Washington, D.C.

Question 5 - Newsletters, Patient Education
What effect will the regulations have on marketing efforts such as the distribution of newsletters, seminars, patient education, and health fairs?

Long Answer
Response/Conclusion:
See also: Short Answer

Although the main area of concern for AHP is fundraising, it is important to understand how the final regulations will affect marketing efforts. The 2000 Final Rule permitted the use of PHI in marketing without the patient's consent pursuant to an opt-out provision similar to that required for fundraising. Newsletters and similar items were not required to contain an opt out.

However, in the 2002 Final Rule the marketing provisions were substantially amended. The Final Rule requires the patient's authorization to use any PHI in connection with marketing, except for face-to-face communications and use of promotional gifts with a nominal value. 45 CFR 164.508(a) (3). The example used by the Office of Civil Rights to explain this exception is a health care provider providing “a free package of formula and other baby products to new mothers as they leave the maternity ward”. Marketing is defined as any communication about a product or service that encourages the recipient to buy or use the good or service, with limited carve outs. 45 CFR § 164.501. The carve outs are important, but the line between marketing (which requires the patient's authorization if their PHI will be used in, for instance, a marketing mailing list) and treatment can be blurred.

Marketing is no longer defined as part of health care operations. Since use or disclosure of PHI without authorization is effectively limited to uses for treatment, payment or health care operations, there is no exception under HIPAA available for pure marketing. The result is that most marketing efforts (in the absence of authorization, which is impracticable) must either be based on information that is not PHI (i.e., not based on a mailing list of patients), or fall within one of the categories of carve outs discussed below. Covered entities should take care in the use of directed communications or newsletters to either fall outside the definition of marketing or avoid using PHI to target the recipients.

Marketing is defined in the Privacy Rule as:

  1. to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:

    1. To describe a health-related product or service ...that is provided by ... the covered entity making the communication,...

    2. For treatment of the individual; or

    3. For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

  2. An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. 45 CFR §164.501

Additional guidance was recently provided in the Frequently Asked Questions (FAQ) released on December 3, 2002 by the Office of Civil Rights of HHS. This guidance attempts to explain what is and is not permitted without authorization. Exerpts are given below:

What is NOT “Marketing”? The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:

  1. A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:

    • health care provider uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.

The Frequently Asked Questions provide this additional guidance, with an additional warning. Basically, if something fits a carve out as a treatment communication or description of the entity's own services, it is permitted, and the covered entity can use PHI in making communications that would otherwise constitute marketing within the broad definition contained in the Privacy Rule. However, if the covered entity is wrong, then the communication is simply marketing and the health care provider would have committed a violation if PHI (e.g., a patient list) was used to send the communication as the following FAQ illustrates.

Q: How can I distinguish between activities for treatment or health care operations versus marketing activities?

A: The overlap among common usages of the terms “treatment,” “healthcare operations,” and “marketing” is unavoidable. For instance, in recommending treatments, providers and health plans sometimes advise patients to purchase goods and services. Similarly, when a health plan explains to its members the benefits it provides, it too is encouraging the use or purchase of goods and services.

The HIPAA Privacy Rule defines these terms specifically, so they can be distinguished. For example, the Privacy Rule excludes treatment communications and certain health care operations activities from the definition of “marketing.” If a communication falls under one of the definition's exceptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization. See the fact sheet on this web site about marketing, as well as the definition of “marketing” at 45 CFR 164.501, for more information.

However, if a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of “marketing,” the Privacy Rule's provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual's authorization is required before a covered entity may use or disclose protected health information. (emphasis added)

The FAQ provides more useful guidance when it explains that wellness programs and preventative care do not generally fall within the definition of marketing.

Q: Do disease management, health promotion, preventive care, and wellness programs fall under the HIPAA Privacy Rule's definition of “marketing”?

A: Generally, no. To the extent the disease management or wellness program is operated by the covered entity directly or by a business associate, communications about such programs are not marketing because they are about the covered entity's own health-related services. So, for example, a health care provider's Wellness Department could start a weight-loss program and send a flyer to all patients seen in the health care provider over the past year who meet the definition of obese, even if those individuals were not specifically seen for obesity when they were in the health care provider.

Moreover, a communication that merely promotes health in a general manner and does not promote a specific product or service from a particular provider does not meet the definition of “marketing.” Such communications may include population-based activities in the areas of health education or disease prevention. Examples of general health promotional material include mailings reminding women to get an annual mammogram; mailings providing information about how to lower cholesterol, new developments in health care (e.g., new diagnostic tools), support groups, organ donation, cancer prevention, and health fairs.

Q: Is it “marketing” for a covered entity to describe products or services that are provided by the covered entity to its patients, or to describe products or services that are included in the health plan's plan of benefits to members of the health plan?

A: No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications made to describe a covered entity's health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication. Thus, it would not be marketing for a physician who has developed a new anti-snore device to send a flyer describing it to all of her patients (whether or not each patient has actually sought treatment for snoring). Nor would it be marketing for an ophthalmologist or health plan to send existing patients or members discounts for eye-exams or eyeglasses available only to the patients and members. Similarly, it would not be marketing for an insurance plan to send its members a description of covered benefits, payment schedules, and claims procedures.

 

Previous Page

 
Copyright © 2008 Association for Healthcare Philanthropy. All Rights Reserved. Privacy Policy