Q&A: PHI for marketing
Q: What type of protected health information (PHI) can be used for marketing? Are authorizations always necessary when using PHI for marketing purposes? If not, what are some situations when patient authorization would not be required?
A: Under the Privacy Rule, marketing involves making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. It also includes arrangements in which a covered entity (CE) discloses PHI to another entity, so that entity can contact patients to sell its products or services.
Written authorization from patients is required before their PHI can be used for marketing purposes. The authorization must include all the elements required by the Privacy Rule. If your organization will receive some form of payment from a third party, you must include that information on the authorization form. You may use whatever types of PHI the patient authorizes you to use.
The definition of marketing excludes communications made:
- To describe a health-related product or service provided by the CE
- For treatment of the individual
- For case management or care coordination
- To recommend alternate treatments, therapies, healthcare providers, or settings of care to an individual
In these cases, PHI may be used without authorization.
Editor's note: Mary Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.