On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued the final omnibus HIPAA rule (Final Rule). Covered entities and business associates must comply with applicable requirements by September 23, 2013 (Compliance Date).
This bulletin analyzes the requirements in the Final Rule related to marketing, the sale of PHI and fundraising, which largely adopt the changes in the proposed rule while making a number of important additional revisions and clarifications.
The Final Rule revises the definition of “marketing” by expanding the uses and disclosures of protected health information (PHI) that are considered marketing and, therefore, require patient authorization, as follows:
- The definition of “marketing” is modified to include communications about healthrelated products or services (whether as part of treatment or health care operations) if the covered entity receives “financial remuneration” in exchange for making the communication from or on behalf of the third party whose product or service is being described.
- “Financial remuneration” is defined to include payments in exchange for making marketing communications. It does not include non-financial benefits, such as inkind benefits provided to a covered entity in exchange for a communication about a product or service.
The following are expressly excluded from the definition of “marketing”:
- Refill reminders or other communications about a drug or biologic currently prescribed to an individual, but only if any financial remuneration received by the covered entity for making the communication is reasonably related to the covered entity’s cost of making the communication. Only labor, supplies, and postage may be included in the cost.
- Face-to-face communications even if remuneration is received from a third party, or a promotional gift of nominal value is provided by the covered entity.
- Telephone communications for marketing are not face to face.
- Communications promoting health in general that do not promote a product or service from a particular provider.
- Communications about government and government-sponsored programs.
Sale of PHI
The Final Rule defines the term “sale of PHI” for the first time as “a disclosure of protected health information by a covered entity or business associate…where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” Unlike the marketing requirements, for purposes of the sale of PHI, remuneration is not limited to financial remuneration. The term “sale” is not limited to transfers of ownership of PHI, but also includes agreements to access PHI, licenses to use PHI, and lease agreements.
The sale of PHI without a patient authorization was prohibited under the original Privacy Rule. The Final Rule adds an express prohibition on covered entities or business associates receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the covered entity first obtains patient authorization or an exception applies. Exceptions include the following:
- Any disclosure permitted by the Privacy Rule if the remuneration is limited to the reasonable cost of preparation and transmittal of the PHI. Permitted costs include labor, materials, supplies for generating, storing, retrieving, and transmitting PHI, and capital and overhead costs. Profits from the disclosure of PHI are not permitted.
- Disclosures for (i) public health, (ii) treatment of the individual and payment, (iii) the sale, transfer, merger or consolidation of all or part of a covered entity and related due diligence, if the recipient will become a covered entity, (iv) services rendered by a business associate under a business associate agreement at the request of the covered entity, (v) disclosures to provide individuals with access to their PHI or an accounting of disclosures, and (vi) other disclosures required by law, even though there may be a transfer of compensation as a result of these types of disclosures (e.g., a copying fee for medical records, a cost-based fee for an accounting, service fees under a BA agreement, payment for the sale or transfer of a business, etc.).
Further, the following activities are not considered a “sale” under the Final Rule:
- Payments from grants, contracts or other arrangements to perform programs or activities such as research studies.
- The exchange of PHI through a health information exchange that is paid fees assessed on participants.
The Final Rules treats disclosures as a sale of PHI when the covered entity or business associate is being compensated primarily to supply data it maintains in its role as a covered entity or business associate. For example, a covered entity’s disclosure of PHI to a third party researcher in exchange for remuneration would be a sale of PHI, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes. The Final Rule also clarifies that the prohibition on the sale of PHI applies to the receipt of remuneration not only from a third party that receives the PHI, but also from another party on behalf of the recipient of the PHI.
In addition, patient authorizations for the sale of PHI must specifically state that the covered entity is receiving remuneration in exchange for the PHI and whether the PHI can be further exchanged for remuneration by the recipient. However, covered entities may continue to rely on the following:
- Authorizations obtained prior to the Compliance Date that do not indicate the disclosure is in exchange for remuneration.
- Documentation of a waiver of authorization from an institutional review board or privacy board to release PHI to a researcher, even if the covered entity receives remuneration that is more than a reasonable, cost-based fee to prepare and transmit the data.
- An existing data use agreement, including for research purposes, until the data use agreement is renewed or modified, or until one year from the Compliance Date, whichever is earlier, even if the disclosure would otherwise constitute a sale of PHI.
The Final Rule makes several changes to the rules governing the use of PHI for fundraising, as follows:
- Permits new types of PHI to be used for fundraising purposes. The original Privacy Rule permitted covered entities to use or disclose only an individual’s demographic information and dates of health care services for fundraising communications. The Final Rule expands the types of PHI which can be used to include department of service, treating physician, and outcomes (to allow covered entities to screen out individuals with sub-optimal outcomes from fundraising). This means that a covered entity seeking to raise funds for a specific program or facility can target its fundraising campaign to patients who have experienced positive outcomes in that program or facility.
- Clarifies that covered entities have flexibility to decide what methods individuals can use to opt out of receiving fundraising communications, as long as the method does not impose an undue burden on individuals. The Final Rule does not adopt the proposal to require covered entities to have a toll-free telephone number as a method of opting out; however, HHS encourages this method. But under the Final Rule, HHS continues to take the position that requiring individuals to write and send a letter to the covered entity asking to opt out would constitute an undue burden; however, requiring an individual to send back a pre-printed, pre-paid postcard would not constitute an undue burden.
- Clarifies that covered entities have similar flexibility to decide what methods individuals can use to opt back into receiving fundraising materials, as long as the individual takes affirmative steps to opt back in (e.g., making a donation is not in and of itself sufficient to opt in).
- Gives covered entities discretion regarding whether an opt out will apply for all future fundraising or only for a specified fundraising campaign.
- Prohibits covered entities from sending further fundraising communications to those individuals who have already opted out.
- Prohibits conditioning treatment or payment on an individual’s choice to receive fundraising communications.
- Requires covered entities to inform individuals in their notice of privacy practices that they may be contacted for fundraising purposes and the individual has a right to opt out.
This joint e-alert is the third in a series analyzing the final HIPAA omnibus rule.