Marketing Restrictions Enhanced due to HIPAA Omnibus Rule

May 7, 2013

The Omnibus Final Rule, also referred to as the HIPAA Mega Rule because of the extent to which it amends the existing legislation, clears up many of the loose ends left by the HIPAA Privacy Rule in relation to marketing.

The use of Protected Health Information (PHI) for marketing was restricted by the Privacy Rule, which requires a patient's written authorization before their health information can be used for marketing. Further restrictions on the use of PHI followed with the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which closed off marketing practices that had previously been permitted without a patient's prior authorization.

The publication of the Omnibus Final Rule in January this year finalized the changes concerning marketing. All covered entities and business associates must now abide by the new rules, with the compliance date set as September 23, 2013; from that date the Final Rule is enforceable by law.

Marketing has long been a focus for the Department of Health and Human Services (HHS), and access to PHI has been progressively tightened over the years. PHI is intended for healthcare use only, and the legislation serves to improve access to data for healthcare workers so that they can raise the level of care patients receive. Marketing, however, has been seen as an area requiring close regulation, and in the run-up to the release of the Final Rule it was the cause of a number of accidental data exposures.

There have been many instances of patients receiving marketing material by email and regular mail that revealed the PHI of other patients. Marketing leaflets have been sent with the recipient's PHI clearly visible without the envelope being opened and, in one remarkable case, a woman received a marketing leaflet from a pharmaceutical firm offering treatment for high cholesterol only a few weeks after she had been diagnosed with the condition by her doctor.

One example of the overdue need for regulation came from the identification of a company that had acquired the contact details of 5 million incontinent women and was using the list to target its marketing. HHS conducted a survey on the confidentiality of health information and how it should be secured, and found 85% support for its proposed amendments to make PHI more secure.

The Privacy Rule severely restricted the use of PHI to decide which products and services should be marketed to patients, and it generally prohibited marketing using PHI unless the patient had first supplied an authorization. The definition of marketing it used left some exceptions, since the rule was aimed at written correspondence: PHI could still be used for face-to-face communications about products, and promotional gifts of nominal value could be provided.

Before HITECH, three kinds of communication were exempt from the marketing definition: communications about a product or service included in the recipient's plan of benefits, communications made for the treatment of the patient, and communications about alternative treatments or the provision of care coordination and case management. HITECH shut those three loopholes whenever the organization making the communication received payment in exchange for it, for example where a manufacturer paid for access to the data or for the correspondence to be sent.

HITECH does still allow communications about a drug or treatment the patient is currently receiving, including reminders to refill a prescription, provided any payment received is reasonable in amount in relation to the cost of making the communication. HITECH left it to HHS to determine what constitutes a reasonable amount; the details of how the rule should be implemented were not covered by the Act itself.

The Final Rule has now removed most of the remaining confusion. It generally requires authorization before PHI can be used for marketing, although exceptions still exist where no payment is received for the communication. Face-to-face communications and promotional gifts of nominal value are still permitted.

Refill reminders may still be issued even if the organization receives some payment for sending them, but only if that payment is reasonably related to the cost of making the communication, such as covering the cost of printing and postage.

Provided no payment is received, communications are not treated as marketing under HIPAA when:

  1. They are made for the treatment of the individual by a healthcare provider, including for case management or care coordination, or to direct or recommend alternative treatments, therapies or healthcare providers needed by the patient in question.
  2. They describe health-related products and services, including those that must be paid for, provided the product or service is provided by, or included in the plan of benefits of, the covered entity making the communication. This includes communications about policy amendments, replacements and enhancements, and about add-ons available only to plan members that add value but are not actually part of the plan of benefits.
  3. They relate to case management or care coordination, contacting individuals with information about treatment alternatives, "and related functions to the extent these activities do not fall within the definition of treatment".

Where financial remuneration is received, the communication is marketing and requires authorization. Financial remuneration is defined as "direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual."

While the Final Rule does clear up most matters, some room for interpretation remains. For instance, if a covered entity receives payment from a company but the payment is not for making the communication, the marketing rule does not apply.

The example HHS gives is a disease management or drug therapy program funded by a third party: the covered entity may contact patients to invite them to join the program without prior authorization, even though it is being paid to run the program. The vital point is that the organization is not being paid for the communication itself. Provided the communication promotes the program to the patient, rather than the third party's products and services, it is permissible without prior authorization.

Another case where communications are permitted without prior authorization is when a product or service is being promoted but the payment for the communication comes from a separate third party, i.e. one other than the firm providing the product or service. This exception covers, for example, a charitable organization funding a mailing about a new cancer screening program.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
