HIPAA Omnibus Rule Places Further Restrictions on Marketing

The introduction of the Omnibus Final Rule, also known as the HIPAA Mega Rule due to the extent to which it alters the current legislation, tightens up many loose ends that existed from the HIPAA Privacy Rule with regard to marketing.

The use of Protected Health Information (PHI) for marketing purposes was restricted by the Privacy Rule, which required patients to provide written consent allowing the use of their health information for marketing purposes. Further restrictions were placed on the use of PHI data with the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This last piece of legislative change prevented further marketing practices that could previously be performed without prior consent being obtained.

The introduction of the Omnibus Final Rule in January this year completed the changes concerning marketing, and all organizations are now required to abide by the new rules, with the final date for full adoption being October 23, 2013, the date the Final Rule will be enforced.

Marketing has long been a target for the Department of Health and Human Services, and access to PHI has slowly been restricted over the years. PHI is intended for healthcare use only, and the legislation serves to improve access to data for healthcare professionals to improve the level of care patients receive. However, marketing has been seen as an area much in need of close regulation, which in the run-up to the release of the Final Rule was the cause of a number of accidental data exposures.

There have been many examples of patients receiving marketing information via email and regular mail that disclosed the PHI of other patients. Marketing leaflets have been sent with their PHI clearly viewable without opening the correspondence and, in one notable case, a woman received a marketing leaflet from a pharmaceutical company offering treatment for high cholesterol only a few weeks after she had been diagnosed by a doctor.

One example of the dire need for regulation came from the discovery of a company that had acquired the contact details of 5 million incontinent women, which it was using to target its marketing campaigns. The HHS conducted a survey regarding the confidentiality of data and how it must be properly protected and found 85% support for its proposed changes to make PHI more secure.

The Privacy Rule severely restricted the use of data to determine which products and services should be marketed to patients, and has, broadly speaking, prohibited marketing using PHI without authorization first being provided by the patient. The definition of marketing used has created some exceptions, with the legislation relating to written correspondence. Information could be used to conduct face-to-face communications on products, and small-value promotional gifts can be provided.

Before HITECH, marketing was possible if a product or service was covered by the recipient’s health plan, a product provided treatment for the patient, and communications relating to alternative treatments and the provision of coordinated care and case management were still allowed. When HITECH was passed, those three loopholes were closed if the organization conducting the marketing was receiving payment for the communication, such as when individuals purchased products, signed up for a service or payment was received for providing access to the data or sending the correspondence.

HITECH does permit marketing on drugs and treatments that are currently being received as well as notifications to patients to obtain repeat prescriptions, provided any difference in cost is nominal or otherwise deemed reasonable in relation to the price of the product in question. Under HITECH, the HHS was required to determine what constituted a reasonable amount, and details of how the rule should be implemented were not covered by the bill.

The Final Rule has now removed any area of confusion and generally calls for authorization to be obtained in the majority of cases before marketing can use PHI, although exceptions do still exist if no payment is received for the communication. Face-to-face communications and promotional gifts of nominal value are still acceptable.

If refill reminders must be sent, this is still permissible if the organization receives some payment to help cover the costs, but only if those payments are reasonable, such as covering the cost of printing and postage.

Provided no payment is received, marketing communications are possible under HIPAA when:

  1. They are made for treatment purposes by a healthcare provider, for case management, coordination of the service or to recommend alternative therapies, treatments or providers of healthcare services required by the patient in question.
  2. To communicate health-related products and services including those that must be paid for, provided that payment is borne by the insurance company or health care plan owned by the individual. This includes policy changes, enhancements, additions to the plan that add value but are not actually part of the plan of benefits, or replacement of the services provided.
  3. Case management and case coordination communications relating to treatment alternatives “and related functions to the extent these activities do not fall within the definition of treatment”.

Marketing is prohibited if financial remuneration is received, with the definition being “direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.”

While the Final Rule does clarify most matters, there is still some room for interpretation. For instance, if a covered entity receives payment from a company, but the payment is not directly for marketing purposes, the rule would not apply.

The example the HHS provides is if a drug therapy or treatment program is being funded by a third party, marketing would be permitted without prior authorization if the patients were invited to join the program, even if the organization was being paid to run the study. The important point is that the organization is not paid for the marketing. Therefore, if marketing directed the patient to the program, and not the products and services offered by that third party, it would be permissible without prior authorization.

Another instance where marketing without prior authorization is permissible is if a company service is being promoted, yet payment for marketing comes from a separate third party, i.e. one other than the company providing the service. This exception covers charitable organizations wishing to promote a new treatment, such as a cancer screening program.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.