HIPAA & the Impact on Marketing
General Rule
- HIPAA prohibits hospitals and health plans from using protected patient data to market products and services outside the patient's treatment or benefit plan without the patient's or member's written authorization, according to the U.S. Department of Health and Human Services (HHS), the agency that drafted the rule. Hospitals, health plans and companies that store protected health data can't sell information or offer lists of patient or member names to third-party businesses seeking leads for marketing products and services without patients' permission.
Definition of Marketing
- In guidance explaining the rule, the HHS defines marketing as "communication about a product or service that encourages recipients of the communication to purchase or use the product or service." The HHS also treats as marketing an arrangement in which hospitals and health plans receive direct or indirect payment from a third-party business in exchange for patient information or a list of patient or plan participant names.
Permitted Communications
- HIPAA allows hospitals to communicate with patients about their own health-related products or services and allows health plans to communicate information on services that are included in the member's benefit plan or that add value to the plan. Marketing does not include communications about products and services related to the patient's treatment plan, case management or the coordination of the patient's care. For these permitted uses, hospitals and health plans can disclose patient data to their business associates to communicate with patients and members without obtaining written authorization.
Patient Rights
- The privacy rule requires hospitals and health plans to obtain written authorization from patients granting permission to use protected health information for specific marketing campaigns conducted in-house or by a third-party business associate. The authorization form must state any direct or indirect remuneration for the exchange of protected health information, and include an expiration date. Patients have the right to revoke a written authorization at any time.
Exceptions
- The privacy rule requires authorization for all uses or disclosures of protected health information for marketing, with two exceptions. Face-to-face communications between hospital or health plan representatives and the patient don't require written authorization, even if they involve marketing activities. Authorization also isn't required when the hospital or health plan offers the patient a promotional gift featuring third-party products and services, according to the HHS.