Treatment, health care operations, and marketing under HIPAA

According to the U.S. Department of Health and Human Services (HHS) Health Information Privacy page, “the overlap among common usages of the terms ‘treatment,’ ‘healthcare operations,’ and ‘marketing’ is unavoidable.”  

For example, a physician may recommend a particular medication, therapy, or medical device as part of a patient’s treatment plan, or a health insurance company may inform its members about the benefits it provides, encouraging them to use specific health services.

In both cases, the covered entities promote certain services or products, but they do not necessarily fall under HIPAA’s marketing definition.

 

How HIPAA defines marketing  

The HIPAA Privacy Rule “excludes treatment communications and certain health care operations activities from the definition of ‘marketing,’” the HHS explains. 

If communication is directly related to treatment or certain healthcare operations, it is not considered marketing under HIPAA, and the organization does not need to obtain patient authorization before sending it.  

For example, if a doctor recommends a particular prescription drug to a patient during a consultation, this falls under treatment, not marketing. 

If a health plan sends a letter to members explaining a new wellness program covered under their benefits, this is a healthcare operation, not marketing. In these cases, HIPAA does not require the patient’s authorization.  

 

When does communication become marketing?  

Although HIPAA provides exemptions for treatment and some healthcare operations, not all communications qualify for these exclusions.

HHS explains, “If a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of ‘marketing,’ the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply.”  

So, when does communication become marketing?  

According to HIPAA, a message is considered marketing if it encourages a patient to use or purchase a product or service and does not fall under one of the permitted exceptions. 

So, if a healthcare provider, insurer, or other covered entity wants to send a communication that promotes a product or service unrelated to a patient’s direct care or health plan benefits, it is considered marketing.  

Marketing examples include:

  • A hospital partners with a pharmaceutical company to send patients promotional materials about a new drug.
  • A health insurer sends members information about a third-party wellness app that is not part of their covered benefits.
  • A medical practice shares patient information with an outside company for advertising purposes.

In these cases, HIPAA requires the patient’s explicit authorization before using or disclosing individuals’ protected health information (PHI).

 

Understanding patient authorization in marketing  

Under HIPAA’s Privacy Rule, if a communication is classified as marketing, a health care provider, health plan, or other covered entity must obtain written authorization from the patient before using or sharing their PHI.

As HHS states, “For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information.”

Ultimately, the rule gives patients control over how their personal health information is used and helps prevent unwanted solicitations from healthcare organizations.

 

The bottom line

1. Treatment and certain healthcare operations are not considered marketing under HIPAA, so providers and health plans don’t need patient authorizations to engage in these communications.

2. If a communication does not meet the HIPAA exemptions, it is considered marketing, and covered entities must get patient authorization before PHI can be used or disclosed.  

3. Any promotional activity involving PHI that falls outside treatment or covered healthcare operations must comply with HIPAA’s marketing rules.  

 

FAQs

What is considered marketing under HIPAA?

Marketing involves communications that promote a product or service not directly related to treatment or certain healthcare operations.

 

What is PHI?

Protected health information (PHI) includes any information about health status, provision of health care, or payment for healthcare that can be linked to an individual.

 

What are healthcare operations under HIPAA?

Healthcare operations include administrative, financial, legal, and quality improvement activities necessary for running a healthcare business.