What are the HIPAA Marketing Rules?
The HIPAA marketing rules are that direct B2C marketing communications must be for a permitted purpose and that any uses or disclosures of Protected Health Information (PHI) for marketing purposes must be authorized by the subject of the PHI or their personal representative. Other HIPAA rules may apply depending on the nature of the marketing activities and the services used to create, receive, maintain, or transmit electronic PHI.
Healthcare marketing has evolved dramatically since the passage of HIPAA in 1996 and the publication of the first HIPAA Privacy Final Rule in 2000. At the time, healthcare business-to-consumer marketing primarily consisted of newspaper advertising, mail shots, and telephone marketing. A quarter of a century later, healthcare marketing is dominated by digital channels such as email, social media, website optimization, and other forms of inbound marketing.
The HIPAA marketing rules published at the time had sufficient flexibility to still be relevant. The only additional factors HIPAA regulated entities have to take into account are the confidentiality, integrity, and availability of electronic PHI created, received, maintained, or transmitted digitally, FDA and FTC regulations governing the content and frequency of direct B2C marketing communications, and state laws with affirmative opt-in requirements.
What Does HIPAA Say about Marketing?
In the preamble to the first HIPAA Privacy Final Rule, the rationale for isolating marketing from other healthcare operations is that marketing is unrelated to treatment and payment activities. To reinforce the point, the HIPAA Privacy Rule defines marketing as: “to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
Thereafter, the only other reference to marketing appears in the section of the HIPAA Privacy Rule regarding uses and disclosures of PHI for which an authorization is required (§164.508). This standard states: “a covered entity must obtain an authorization for any use or disclosure of Protected Health information for marketing, except if the communication is in the form of:
- A) A face-to-face communication made by a covered entity to an individual; or
- B) A promotional gift of nominal value provided by the covered entity.”
The HIPAA marketing standard not only prohibits the use of PHI in marketing communications (without an authorization), it also prohibits disclosures of PHI to other entities “in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service” (as per the preamble to the second HIPAA Privacy Final Rule).
The Department of Health and Human Services (HHS) has published guidance on the two scenarios in which authorization is not necessary for HIPAA compliant marketing. For the first (“A”), HHS gave the example of an insurance agent who sells a health insurance policy in person and also markets a life insurance policy. For the second (“B”), HHS gave the example of a hospital that provides a free package of formula to new mothers as they leave the maternity ward.
Exceptions to the HIPAA Marketing Rules
The definition of marketing in the HIPAA Privacy Rule is followed by a list of exceptions. These are generally communications related to treatment and payment activities that could qualify as health care operations, provided healthcare providers receive no remuneration, or remuneration equivalent only “to the cost of making the communications”. (The inclusion of the word “making” further implies that the HIPAA marketing rules only apply to direct outbound B2C marketing.)
Among the exceptions to the HIPAA marketing rules are communications for refill reminders, to recommend alternative treatments, therapies, healthcare providers, or care settings, or to describe a health-related product or service or payment for the product or service. Healthcare providers can also make marketing communications about case management and care coordination when these activities do not fall within the definition of health care operations.
In these circumstances, healthcare providers need to be conscious of HHS’ Anti-Kickback Regulations and the Stark Law in order to avoid accidentally violating federal fraud and abuse regulations. Healthcare providers also need to be conscious of FDA regulations regarding the compliant marketing of dietary supplements, foods, drugs, devices, and other health-related products, and FTC regulations regarding the frequency of marketing communications.
HIPAA Compliant Marketing in the Digital Age
HIPAA compliant marketing in the digital age can consist of outbound marketing (e.g., HIPAA compliant email marketing), inbound marketing (e.g., HIPAA compliant social media marketing), or a combination of both. In all cases, it is important to understand how the HIPAA marketing rules apply to PHI created, received, maintained, or transmitted electronically, and how Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices” in marketing communications.
For example, PHI must not be included in the subject line of an email (because email metadata is not usually encrypted); PHI must never be disclosed in a social media post because it cannot be retracted; and, when contact forms on a website collect PHI, not only must the forms be HIPAA compliant, but the channel used to transmit the content of the forms from the website to a marketing management or CRM system must also be HIPAA compliant.
With regard to Section 5 of the FTC Act, this regulation is designed to protect consumers by preventing businesses from engaging in misleading or harmful practices. Many states have similar consumer protection laws which, in addition to protecting consumers against misleading marketing, may have more stringent data privacy and security requirements than HIPAA, and/or more stringent opt-in/opt-out regulations than the HIPAA marketing rules.
Why Get Help with Healthcare Marketing and HIPAA?
There are three reasons why healthcare organizations might need help with healthcare marketing and HIPAA. The first is that the HIPAA marketing rules are not straightforward. While the definition of marketing and the authorization requirements are clear, it is necessary to review the preamble to various HIPAA Rules and subsequent HHS guidance to fully understand how the HIPAA marketing rules may be applied.
The second reason why organizations might need help with healthcare marketing and HIPAA is that managing a combination of inbound and outbound digital HIPAA compliant marketing activities can leave gaps in marketing channels, or lead to mistakes being made and impermissible disclosures of PHI. For this reason, it can be beneficial to outsource some or all of your marketing activities to business associates with experience in healthcare marketing.
The third reason is that different states have different regulations regarding data privacy, data security, and data breaches. Some state regulations extend across state boundaries and apply nationwide. Finding out which regulations apply to an organization’s marketing activities, and what measures are necessary to comply with them, can be costly and time-consuming. For this reason, it is recommended that organizations reach out to HIPAA training, healthcare marketing, and legal professionals when necessary.