Can you sell PHI?

Selling protected health information (PHI) is a sensitive topic that raises legal, ethical, and practical concerns. Under the Health Insurance Portability and Accountability Act (HIPAA), the sale of PHI is strictly regulated, and unauthorized transactions can lead to severe penalties.

 

What HIPAA says about selling PHI

According to the U.S. Department of Health and Human Services (HHS), “The Privacy Rule prohibits you from selling PHI unless you obtain an authorization stating that you will receive remuneration from making the disclosure.”

 

Key points about selling PHI

Written authorization

Covered entities and business associates must obtain explicit, written consent from the individual whose information is being sold. This authorization must detail:

  • The purpose of the sale.
  • The recipient of the PHI.
  • The specific information to be disclosed.

 

Fair compensation vs. profit

HIPAA allows for cost-based remuneration in cases where PHI is disclosed. For example, charging for the labor involved in transferring records is acceptable. However, transactions aiming for profit are not permitted under the law.

 

Best practices for compliance

  • Understand HIPAA regulations: Ensure your organization is well-versed in HIPAA rules and exceptions.
  • Obtain consent: When in doubt, secure written authorization before disclosing PHI.
  • Implement safeguards: Use robust data protection measures to prevent unauthorized access or misuse of PHI.
  • Seek legal advice: Consult legal or compliance experts to navigate complex situations involving PHI.

 

FAQs

What is considered the sale of PHI under HIPAA?

The sale of PHI involves disclosing PHI in exchange for direct or indirect payment or remuneration. This includes any transaction where PHI is exchanged for monetary or non-monetary value.

 

How can organizations ensure compliance with HIPAA when handling PHI?

Organizations should understand HIPAA regulations, implement robust safeguards, obtain written authorization when necessary, and seek legal advice to navigate complex scenarios.
