Q: Does the HIPAA Privacy Rule expand
the ability of providers, plans,
marketers and others to use my protected
health information to market goods and
services to me? Does the Privacy Rule
make it easier for health care
businesses to engage in door-to-door
sales and marketing efforts?
A: No. The Privacy Rule’s limitations on
the use or disclosure of protected
health information for marketing
purposes do not exist in most States
today. For example, the Rule requires
patients’ authorization for the
following types of uses or disclosures
of protected health information for
marketing:
- Selling protected health information
to third parties for their use and
re-use. Thus, under the Rule, a hospital
or other provider may not sell names of
pregnant women to baby formula
manufacturers or magazines without an
authorization.
- Disclosing protected health
information to outsiders for the
outsiders’ independent marketing use.
Under the Rule, doctors may not provide
patient lists to pharmaceutical
companies for those companies’ drug
promotions without an authorization.
Without these Privacy Rule restrictions,
these activities could occur with no
authorization from the individual in
most jurisdictions. In addition, if a
State law provided additional
limitations on disclosures of
information for related activities, the
Privacy Rule generally would not
interfere with those laws.
Moreover, under the “business associate”
provisions of the Privacy Rule, a
covered entity may not give protected
health information to a telemarketer,
door-to-door salesperson, or other third
party it has hired to make permitted
communications (for example, about a
covered entity’s own goods and
services) unless that third party has
agreed by contract to use the
information only for communicating on
behalf of the covered entity. Without
the Privacy Rule, there may be no
restrictions on how third parties re-use
information they obtain from health
plans and providers. See the fact sheet
and frequently asked questions on this
web site about the business associate
standard for more information.
Q: Can contractors (business associates)
use protected health information to
market to individuals for their own
business purposes?
A: No. While covered entities may share
protected health information with their
contractors who meet the definition of
“business associates” under the HIPAA
Privacy Rule, that definition is limited
to contractors that obtain protected
health information to perform or assist
in the performance of certain health
care operations on behalf of covered
entities. Thus, business associates,
with limited exceptions, cannot use
protected health information for their
own purposes. Although, under the HIPAA
statute, the Privacy Rule cannot govern
contractors directly, the Rule does set
clear parameters for how covered
entities may contract with business
associates. See 45 CFR 164.502(e) and
164.504(e), and the definition of
“business associate” at 45 CFR 160.103.
Further, the Privacy Rule expressly
prohibits health plans and covered
health care providers from selling
protected health information to third
parties for the third party’s own
marketing activities, without
authorization. So, for example, a
pharmacist cannot, without patient
authorization, sell a list of patients
to a pharmaceutical company, for the
pharmaceutical company to market its own
products to the individuals on the list.
Q: Can telemarketers gain access to
protected health information and call
individuals to sell goods and services?
A: Under the HIPAA Privacy Rule, a
covered entity can share protected
health information with a telemarketer
only if the covered entity has either
obtained the individual’s prior written
authorization to do so, or has entered
into a business associate relationship
with the telemarketer for the purpose of
making a communication that is not
marketing, such as to inform individuals
about the covered entity’s own goods or
services.
If the telemarketer is a business
associate under the Privacy Rule, it
must agree by contract to use the
information only for communicating on
behalf of the covered entity, and not to
market its own goods or services (or
those of another third party).
Q: When is an authorization required
from the patient before a provider or
health plan engages in marketing to that
individual?
A: The HIPAA Privacy Rule expressly
requires an authorization for uses or
disclosures of protected health
information for ALL marketing
communications, except in two
circumstances: (1) when the
communication occurs in a face-to-face
encounter between the covered entity and
the individual; or (2) the communication
involves a promotional gift of nominal
value.
If the marketing communication involves
direct or indirect remuneration to the
covered entity from a third party, the
authorization must state that such
remuneration is involved.
Q: How can I distinguish between
activities for treatment or health care
operations versus marketing activities?
A: The overlap among common usages of
the terms “treatment,” “health care
operations,” and “marketing” is
unavoidable. For instance, in
recommending treatments, providers and
health plans sometimes advise patients
to purchase goods and services.
Similarly, when a health plan explains
to its members the benefits it provides,
it too is encouraging the use or
purchase of goods and services.
The HIPAA Privacy Rule defines these
terms specifically, so they can be
distinguished. For example, the Privacy
Rule excludes treatment communications
and certain health care operations
activities from the definition of
“marketing.” If a communication falls
under one of the definition’s
exceptions, the marketing rules do not
apply. In these cases, covered entities
may engage in the activity without first
obtaining an authorization. See the fact
sheet on this web site about marketing,
as well as the definition of “marketing”
at 45 CFR 164.501, for more information.
However, if a health care operation
communication does not fall within one
of these specific exceptions to the
marketing definition, and the
communication falls under the definition
of “marketing,” the Privacy Rule’s
provisions restricting the use or
disclosure of protected health
information for marketing purposes will
apply. For these marketing
communications, the individual’s
authorization is required before a
covered entity may use or disclose
protected health information.
Q: Do disease management, health
promotion, preventive care, and wellness
programs fall under the HIPAA Privacy
Rule’s definition of “marketing”?
A: Generally, no. To the extent the
disease management or wellness program
is operated by the covered entity
directly or by a business associate,
communications about such programs are
not marketing because they are about the
covered entity’s own health-related
services. So, for example, a hospital’s
Wellness Department could start a
weight-loss program and send a flyer to
all patients seen in the hospital over
the past year who meet the definition of
obese, even if those individuals were
not specifically seen for obesity when
they were in the hospital.
Moreover, a communication that merely
promotes health in a general manner and
does not promote a specific product or
service from a particular provider does
not meet the definition of “marketing.”
Such communications may include
population-based activities in the areas
of health education or disease
prevention. Examples of general health
promotional material include mailings
reminding women to get an annual
mammogram; mailings providing
information about how to lower
cholesterol, new developments in health
care (e.g., new diagnostic tools),
support groups, organ donation, cancer
prevention, and health fairs.
Q: Is it “marketing” for a covered
entity to describe products or services
that are provided by the covered entity
to its patients, or to describe products
or services that are included in the
health plan’s plan of benefits to
members of the health plan?
A: No. The HIPAA Privacy Rule excludes
from the definition of “marketing”
communications made to describe a
covered entity’s health-related product
or service (or payment for such product
or service) that is provided by, or
included in a plan of benefits of, the
covered entity making the communication.
Thus, it would not be marketing for a
physician who has developed a new
anti-snore device to send a flyer
describing it to all of her patients
(whether or not each patient has
actually sought treatment for snoring).
Nor would it be marketing for an
ophthalmologist or health plan to send
existing patients or members discounts
for eye-exams or eye-glasses available
only to the patients and members.
Similarly, it would not be marketing for
an insurance plan to send its members a
description of covered benefits, payment
schedules, and claims procedures.
Q: Is it marketing for a covered entity
to describe the entities participating
in a health care provider network or a
health plan network?
A: No. The HIPAA Privacy Rule excludes
from the definition of “marketing,”
communications by a covered entity to
describe the entities participating in a
health care provider network or a health
plan network. Thus, it would not be
marketing for a health plan or insurer
to mail its members or enrollees a list
of health care providers in the health
plan network or for an independent
physicians association to send its
patients a preferred provider list.
Q: Is it marketing for an insurance plan
or health plan to send enrollees notices
about changes, replacements, or
improvements to existing plans?
A: No. The HIPAA Privacy Rule excludes
from the definition of “marketing,”
communications about replacements of, or
enhancements to, a health plan.
Therefore, notices about changes in
deductibles, co-pays and types of
coverage, such as prescription drugs,
are not marketing. Likewise, a notice to
a family warning that a student reaching
the age of majority on a parental policy
will lose coverage, then offering
continuation coverage, would not be
considered marketing. Nor are
communications about special health care
policies, such as guaranteed issue
products and conversion policies,
considered marketing. Similarly, notices
from a health plan about its long term
care benefits would not be considered
marketing.
It would be considered marketing,
however, for a health plan to send to
its members promotional material about
insurance products that are considered
to be “excepted benefits” (described in
section 2791(c)(1) of the Public Health
Service Act), such as accident-only
policies. It would likewise be marketing
for health plans to describe other lines
of insurance, such as life insurance
policies. Generally, such communications
require authorizations.
Q: Can health plans communicate about
health-related products or services to
enrollees that add value to, but are not
part of, a plan of benefits?
A: Yes. The provision of value-added
items or services (VAIS) is a common
practice, particularly for managed care
organizations. Under the HIPAA Privacy
Rule, communications may qualify under
the marketing exception for a
communication about a health plan’s plan
of benefits, even if the VAIS are not
considered plan benefits for
Adjusted Community Rate purposes. To
qualify for this exclusion, however, the
VAIS must meet two conditions. First,
they must be health-related. Therefore,
discounts offered by Medicare+Choice
or other managed care organizations for
eyeglasses may be considered part of the
plan’s benefits, whereas discounts to
attend movie theaters will not. Second,
such items and services must
demonstrably “add value” to the plan’s
membership and not merely be a
pass-through of a discount or item
available to the public at large.
So, a Medicare+Choice or other managed
care organization could offer its
members a special discount opportunity
for eyeglasses and contact lenses
without obtaining authorizations if the
discount were only available through
membership in the managed care
organization. However, such
communications would need an
authorization if the members would be
able to obtain such discounts directly
from the eyeglass store. Similarly, a
Medicare+Choice or other managed care
organization could offer its members a
special discount opportunity for a
prescription drug card benefit or for a
health/fitness club membership, which is
not available to consumers on the open
market. On the other hand, a
Medicare+Choice or other managed care
organization would need an authorization
to notify its members of a discount to a
movie theater available only to its
members.
Q: Can a doctor or pharmacy be paid to
make a prescription refill reminder
without a prior authorization under the
HIPAA Privacy Rule?
A: Yes. It is not marketing for a doctor
to make a prescription refill reminder
even if a third party pays for the
communication. The prescription refill
reminder is considered treatment. The
communication is therefore excluded from
the definition of marketing and does not
require a prior authorization.
Similarly, it is not marketing when a
doctor or pharmacy is paid by a
pharmaceutical company to recommend an
alternative medication to patients.
Communications about alternative
treatments are excluded from the
definition of marketing and do not
require a prior authorization. The
simple receipt of remuneration does not
transform a treatment communication into
a commercial promotion of a product or
service.
Furthermore, covered entities may use a
legitimate business associate to assist
them in making such permissible
communications. For instance, if a
pharmacist that has been paid by a third
party contracts with a mail house to
send out prescription refill reminders
to the pharmacist’s patients, neither
the mail house nor the pharmacist needs
a prior authorization. However, a
covered entity would require an
authorization if it sold protected
health information to a third party for
the third party’s marketing purposes.
Q: Are appointment reminders allowed
under the HIPAA Privacy Rule without
authorizations?
A: Yes, appointment reminders are
considered part of treatment of an
individual and, therefore, can be made
without an authorization.
Q: What are examples of “alternative
treatments” that are excepted from the
HIPAA Privacy Rule’s definition of
“marketing”?
A: Alternative treatments are treatments
that are within the range of treatment
options available to an individual. For
example, it would be an alternative
treatment communication if a doctor, in
response to an inquiry from a patient
with skin rash about the range of
treatment options, mails the patient a
letter recommending that the patient
purchase various ointments and
medications described in brochures
enclosed with the letter. Alternative
treatment could also include alternative
medicine. Thus, alternative treatments
would include communications by a nurse
midwife who recommends or sells vitamins
and herbal preparations, dietary and
exercise programs, massage services,
music or other alternative types of
therapy to her pregnant patients.
Q: Are prior authorizations required
when a doctor or health plan distributes
promotional gifts of nominal value?
A: No. In a specific exception, the HIPAA Privacy Rule allows covered
entities to distribute items commonly
known as promotional gifts of nominal
value without prior authorization, even
if such items are distributed with the
intent of encouraging the receiver to
buy the products or services. This
authorization exception generally
applies to items and services of a third
party, whether or not they are
health-related, or items and services of
the covered entity that are not
health-related. A covered doctor, for
instance, may send patients items such
as pens, note-pads, and cups embossed
with a health plan’s logo without prior
authorization. Similarly, dentists may
give patients free toothbrushes, floss
and toothpaste.
Q: Are health care providers required to
seek a prior authorization before
discussing a product or service with a
patient, or giving a product or service
to a patient, in a face-to-face
encounter?
A: No. In face-to-face encounters, the HIPAA Privacy Rule allows covered
entities to give products or services to
patients, or to discuss them with
patients, even when not health-related,
without a prior authorization. This exception prevents
unnecessary intrusion into the
doctor-patient relationship. Physicians
may give out free pharmaceutical
samples, regardless of their value.
Similarly, hospitals may give infant
supplies to new mothers. Moreover, the
face-to-face exception would allow
providers to leave general circulation
materials in their offices for patients
to pick up during office visits.
Q: Must insurance agents that are
business associates of a health plan
seek a prior authorization before
talking to a customer in a face-to-face
encounter about the insurance company’s
other lines of business?
A: No. In the specific case of
face-to-face encounters, the HIPAA
Privacy Rule allows health plans and
their business associates to market both
health and non-health insurance products
to individuals.
Q: What effect do the “marketing”
provisions of the HIPAA Privacy Rule
have on Federal or State fraud and abuse
statutes?
A: The Privacy Rule makes it clear that
nothing in the marketing provisions of
the Privacy Rule is to be construed as
amending, modifying, or changing any
rule or requirement related to any other
Federal or State statutes or
regulations, including specifically
anti-kickback, fraud and abuse, or
self-referral statutes or regulations,
or to authorize or permit any activity
or transaction currently proscribed by
such statutes and regulations. Examples
of such laws include the anti-kickback
statute (section 1128B(b) of the Social
Security Act), safe harbor regulations
(42 CFR Parts 411 and 424), and the HIPAA
statute on self-referral (section 1128C
of the Social Security Act). The
definition of “marketing” is applicable
solely to the Privacy Rule and the
permissions granted by the Rule are only
for a covered entity’s use or disclosure
of protected health information. In
particular, although the Privacy Rule
defines the term “marketing” to exclude
communications to an individual to
recommend, purchase, or use a product or
service as part of the treatment of the
individual or for case management or
care coordination of that individual,
such communication by a health care
professional may violate the
anti-kickback statute. Similar examples
of pharmacist communications with
patients relating to the marketing of
products on behalf of pharmaceutical
companies were identified by the Office
of the Inspector General (OIG) as
problematic in a 1994 Special Fraud
Alert (December 19, 1994, 59 FR 65372).
Other violations have involved home
health nurses and physical therapists
acting as marketers for durable medical
equipment companies. Although a
particular communication under the
Privacy Rule may not require patient
authorization because it is not
“marketing,” or may require patient
authorization because it is “marketing”
as the Rule defines it, the arrangement
may nevertheless violate other statutes
and regulations administered by the
Department of Health and Human Services,
Department of Justice, or other Federal
or State agencies.
Q: May covered entities use information
regarding specific clinical conditions
of individuals in order to communicate
about products or services for such
conditions without a prior
authorization?
A: Yes, if the communication is for the
individual’s treatment or for case
management, care coordination, or the
recommendation of alternative therapies.
The HIPAA Privacy Rule permits the use
of clinical information to the extent it
is reasonably necessary for these
communications. Similarly,
population-based activities in the areas
of health education or disease
prevention are not considered marketing
when they promote health in a general
manner. Again, clinical information may
be used for such communications, such as
in targeting a public education
campaign.
Q: Are communications concerning
information to beneficiaries about
government programs or
government-sponsored programs
“marketing” under the HIPAA Privacy
Rule?
A: No. Communications about government
and government-sponsored programs do not
fall within the definition of
“marketing.” There is no commercial
component to communications about
benefits available through public
programs. Therefore, a covered entity is
permitted to use and disclose protected
health information to communicate about
eligibility for such programs as
Medicare, Medicaid, or the State
Children’s Health Insurance Program (SCHIP).