Industries & Practices

Health Care Industry

    Back

    HIPAA Privacy Regulations: Definitions: Marketing - § 164.501

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Marketing

    HHS Guidance: Refill Reminders and Other Communications about a Drug or Biologic

     

    HHS Regulations as Amended January 2013
    Definitions: Marketing - § 164.501

     

    (1) Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

    (2) Marketing does not include a communication made:

    (i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication.

    (ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

    (A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;

    (B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

    (C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

    (3) Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

     

    HHS Description and Commentary From the January 2013 Amendments
    Definitions: Marketing

     

    Proposed Rule

    The Privacy Rule requires covered entities to obtain a valid authorization from individuals before using or disclosing protected health information to market a product or service to them. See § 164.508(a)(3). Section 164.501 defines “marketing” as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

    Paragraph (1) of the definition includes a number of exceptions to marketing for certain health-related communications: (1) communications made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communications, including communications about: the entities participating in a healthcare provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; (2) communications made for the treatment of the individual; and (3) communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. A covered entity is permitted to make these excepted communications without an individual’s authorization as either treatment or health care operations communications, as appropriate, under the Privacy Rule. In addition, the Privacy Rule does not require a covered entity to obtain individual authorization for face-to-face communications or to provide only promotional gifts of nominal value to the individual. See § 164.508(a)(3)(i). However, a covered entity must obtain prior written authorization from an individual to send communications to the individual about non-health related products or services or to give or sell the individual’s protected health information to a third party for marketing. Still, concerns have remained about the ability under these provisions for a third party to pay a covered entity to send health-related communications to an individual about the third party’s products or services.

    Section 13406(a) of the HITECH Act limits the health-related communications that may be considered health care operations and thus, that are excepted from the definition of “marketing” under the Privacy Rule, to the extent a covered entity receives or has received direct or indirect payment in exchange for making the communication. In cases where the covered entity would receive such payment, the HITECH Act at section 13406(a)(2)(B) and (C) requires that the covered entity obtain the individual’s valid authorization prior to making the communication, or, if applicable, prior to its business associate making the communication on its behalf in accordance with its written contract.

    Section 13406(a)(2)(A) of the HITECH Act includes an exception to the payment limitation for communications that describe only a drug or biologic that is currently being prescribed to the individual as long as any payment received by the covered entity in exchange for making the communication is reasonable in amount.

    Section 13406(a)(3) of the Act provides that the term “reasonable in amount” shall have the meaning given to such term by the Secretary in regulation. Finally, section 13406(a)(4) of the Act clarifies that the term “direct or indirect payment” does not include any payment for treatment of the individual. We believe Congress intended that these provisions curtail a covered entity’s ability to use the exceptions to the definition of “marketing” in the Privacy Rule to send communications to the individual that are motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual’s health care, despite the communication being about a health-related product or service.

    To implement the marketing limitations of the HITECH Act, we proposed a number of modifications to the definition of “marketing” at § 164.501. In paragraph (1) of the definition of “marketing,” we proposed to maintain the general concept that “marketing” means “to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” In paragraph (2) of the definition, we proposed to include three exceptions to this definition to encompass certain treatment and health care operations communications about health related products or services. First, we proposed to exclude from the definition of “marketing” certain health care operations communications, except where, as provided by the HITECH Act, the covered entity receives financial remuneration in exchange for making the communication. This would encompass communications to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, as well as communications for case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions (to the extent these activities did not constitute “treatment”). Although the HITECH Act uses the term “direct or indirect payment” to describe the limitation on permissible health care operations disclosures, the proposed rule substituted the term “financial remuneration” to avoid confusion with the term “payment,” which is defined in the Privacy Rule to mean payment for health care, and for consistency with the Privacy Rule’s current authorization requirement for marketing at § 164.508(a)(3), which uses the term “remuneration.” We proposed to define “financial remuneration” in paragraph (3) of the definition of “marketing” to mean direct or indirect payment from or on behalf of a third party whose product or service is being described.

    We also proposed to make clear, in accordance with section 13406(a)(4) of the HITECH Act, that financial remuneration does not include any direct or indirect payment for the treatment of an individual.

    Additionally, because the HITECH Act refers expressly to “payment,” rather than remuneration more generally, the proposed rule specified that only the receipt of financial remuneration in exchange for making a communication, as opposed to in-kind or any other type of remuneration, is relevant for purposes of the definition of marketing. We also proposed a conforming change to the required authorization provisions for marketing communications at § 164.508(a)(3) to add the term “financial” before “remuneration” and to refer to the new definition of “financial remuneration.”

    The proposed rule emphasized that financial remuneration for purposes of the definition of “marketing” must be in exchange for making the communication itself and be from or on behalf of the entity whose product or service is being described. Thus, under these proposed provisions, an authorization would be required prior to a covered entity making a communication to its patients regarding the acquisition of, for example, new state of the art medical equipment if the equipment manufacturer paid the covered entity to send the communication to its patients; but not if a local charitable organization, such as a breast cancer foundation, funded the covered entity’s mailing to patients about new state of the art mammography screening equipment.

    Furthermore, it would not constitute marketing and no authorization would be required if a hospital sent flyers to its patients announcing the opening of a new wing where the funds for the new wing were donated by a third party, since the financial remuneration to the hospital from the third party was not in exchange for the mailing of the flyers.

    Second, we proposed to include the statutory exception to marketing at section 13406(a)(2)(A) for communications regarding refill reminders or otherwise about a drug or biologic that is currently being prescribed for the individual, provided any financial remuneration received by the covered entity for making the communication is reasonably related to the covered entity’s cost of making the communication.

    The Act expressly identifies these types of communications as being exempt from the remuneration limitation only to the extent that any payment received for making the communication is reasonable in amount. We requested comment on the scope of this exception, that is, whether communications about drugs that are related to the drug currently being prescribed, such as communications regarding generic alternatives or new formulations of the drug, should fall within the exception. We also requested comment on the types and amount of costs that should be allowed under this provision.

    We noted that we had considered proposing a requirement that a covered entity could only receive financial remuneration for making such a communication to the extent it did not exceed the actual cost to make the communication. However, because we were concerned that such a requirement would impose the additional burden of calculating the costs of making each communication, we proposed to allow costs that are reasonably related to a covered entity’s cost of making the communication.

    Third, we proposed to exclude from marketing treatment communications about health-related products or services by a health care provider to an individual, including communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, provided, however, that if the communications are in writing and financial remuneration is received in exchange for making the communications, certain notice and opt out conditions are met. While section 13406(a) of the HITECH Act expressly provides that a communication to an individual about a health-related product or service where the covered entity receives payment from a third party in exchange for making the communication shall not be considered a health care operation (emphasis added) under the Privacy Rule, and thus is marketing, it is unclear how Congress intended these provisions to apply to treatment communications between a health care provider and a patient. Specifically, it is unclear whether Congress intended to restrict only those subsidized communications about products and services that are less essential to an individual’s health care (i.e., those classified as health care operations communications) or all subsidized communications about products and services, including treatment communications. Given this ambiguity and to avoid undue interference with treatment communications between the individual and a health care provider, we proposed to continue to allow subsidized treatment communications, but conditioned on providing the individual with notice and an opportunity to opt out of receiving such communications.

    Specifically, to ensure the individual is aware that he or she may receive subsidized treatment communications from his or her provider and has the opportunity to elect not to receive them, the proposed rule would have required at § 164.514(f)(2) that: (1) the covered health care provider’s notice of privacy practices include a statement informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health related products or services where the provider receives financial remuneration from a third party in exchange for making the communication, and the individual has a right to opt out of receiving such communications; and (2) the treatment communication itself disclose the fact of remuneration and provide the individual with a clear and conspicuous opportunity to elect not to receive any further such communications. We requested comment on how the opt out should apply to future subsidized treatment communications (i.e., should the opt out prevent all future subsidized treatment communications by the provider or just those dealing with the particular product or service described in the current communication?). We also requested comment on the workability of requiring health care providers that intend to send subsidized treatment communications to individuals to provide an individual with the opportunity to opt out of receiving such communications prior to the individual receiving the first communication and what mechanisms could be put into place to implement such a requirement.

    Given that the new marketing limitations on the receipt of remuneration by a covered entity would apply differently depending on whether a communication is for treatment or health care operations purposes, and that distinguishing such communications may in many cases call for close judgments, we requested comment on the alternatives of excluding treatment communications altogether even if they involve financial remuneration from a third party or requiring individual authorization for both treatment and health care operations communications made in exchange for financial remuneration.

    Finally, we proposed to remove the language defining as marketing an arrangement between a covered entity and any other entity in which the covered entity discloses protected health information to the other entity, in exchange for remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service, since such activity would now constitute a prohibited “sale” of protected health information under section 13405(d) of the HITECH Act and the proposed rule.

    Overview of Public Comments

    Several commenters asked as a general matter that the final rule retain the current definition of “marketing” and that no changes to this provision be implemented.

    With respect to subsidized treatment communications, many commenters expressed support for the decision in the NPRM to not require authorizations for such communications, and several argued for removing even the opt out requirement. Other commenters believed that all communications in which the covered entity receives financial remuneration for making the communication, regardless of whether the communication is for treatment purposes, should be considered marketing and require authorization.

    While many commenters were generally in support of not requiring authorization for treatment communications, at the same time, several commenters expressed concern with the difficulty of distinguishing between treatment communications and communications for health care operations purposes. These commenters stated that additional clarification regarding this distinction would be needed to be able to implement the NPRM’s marketing provisions. Several commenters stated that while the distinction may be clear in some limited circumstances, there are other circumstances where it may be difficult for covered entities to determine what type of communication they are sending and whether authorization or just disclosure in the notice of privacy practices and the opportunity to opt out would be required. For example, while the NPRM stated that whether a communication is being made for treatment purposes or for health care operations purposes would depend on the extent to which the covered entity is making the communication in a population-based fashion (health care operations) or to further the treatment of a particular individual’s health care status or condition (treatment), many commenters stated that there may be circumstances in which a covered entity provides a population-based communication to further the treatment of the health care status or condition of an entire group of individuals. Other commenters suggested that the distinction between communications for treatment and those for health care operations purposes should be made based on the entity providing the communication: if a health care provider is providing the communication, it should be deemed for treatment purposes; however, if the communication is made by a covered entity other than a health care provider, the determination should be based on whether the communication is individual (treatment) or population based (health care operations).

    With respect to the subsidized treatment communications, commenters opposed to the opt out notification generally took one of three positions: all such communications should require authorizations to best protect patient privacy; an opt in method would better permit individuals to make more informed choices about whether to receive such communications; or a covered entity should be permitted to make these communications without an opportunity to opt out, because of unintended effects that may adversely affect the quality of care provided. Some commenters asked, if the opt out requirement is retained, that OCR ensure that covered entities are given significant flexibility in determining how best to implement the opt out requirement. Additionally, the vast majority of commenters did not believe there should be an opportunity to opt out of receiving subsidized treatment communications prior to receipt of the first such communication. The commenters believed that requiring an opportunity to opt out prior to the first communication would be too costly and burdensome for most covered entities. Many also noted that the statement in the notice of privacy practices, which would inform individuals of their option to opt out of receiving subsidized treatment communications, could serve as an opportunity to opt out before the first communication. Some commenters expressed concern even with including a statement in the notice of privacy practices because of the cost associated with modifying notices to do so.

    With respect to the scope of the proposed opt out, most commenters believed that the opt out should apply only to subsidized treatment communications related to a specific product or service and should not apply universally to all similar future communications from the covered entity. These commenters stated that it would be difficult for an individual to elect, in a meaningful way, not to receive all future subsidized treatment communications because he or she would not know exactly what he or she is opting out of without receiving at least one communication. Other commenters believed that while a product or service-specific application of the opt out would be ideal, it is simply unrealistic and infeasible for covered entities to be able to implement such a policy. These commenters stated that a universal opt out, which would apply to all future subsidized treatment communications, would be much simpler and easier for covered entities to implement. Additionally, while some commenters believed that individuals should be able to decide whether they want to opt out of specific subsidized treatment communications or all future such communications, most commenters supported giving covered entities the flexibility to determine the scope of this opt out provision based on their own specific capabilities. Many of these commenters also suggested that the final rule permit individuals who have opted out of receiving such communications to opt back in to receive future notices using the same methods through which the individuals had opted out.

    The Department also received several comments on the definition of “financial remuneration.” Several commenters supported the NPRM’s definition of “financial remuneration”; however, many commenters asked for clarification regarding the scope of the definition and the meaning of the phrase “direct or indirect payment.” For example, some commenters asked for confirmation that non-financial benefits did not constitute financial remuneration, while other commenters wanted the exception for refill reminders (that is, the communication is not marketing as long as the financial remuneration does not exceed the related costs of the communication) to apply more broadly to all marketing communications. Additionally, some commenters suggested that the final rule clarify that only financial remuneration in exchange for sending a communication triggers either the authorization or the statement of notice and opt out requirement and not the exchange of financial remuneration for the development or funding for programs, which may include the sending of a communication. These commenters generally suggested that the final rule give covered entities the flexibility to determine whether the financial remuneration received is truly in exchange for making the communication.

    We received a great deal of public comment on the exception to the definition of “marketing” for providing refill reminders or to otherwise communicate about a drug or biologic currently being prescribed for the individual where the only financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication. In general, most commenters supported this exception; however, a few commenters disagreed with the exception and felt that refill reminders should be treated as treatment communications requiring a statement in the notice and an opportunity to opt out if the communication is subsidized. Many commenters expressed the need for guidance on the scope of this exception and stated that certain communications should fall into the exception, such as communications about generic alternatives and drug adherence, and communications related to every component of a drug or biologic delivery system (especially where patients must self-administer medication). Some commenters specifically asked that the final rule exclude certain types of communications from this exception.

    With respect to the proposed cost limitation on the refill reminder exception, while some commenters suggested that the cost be limited to either the actual cost or the fair market value of providing the communication, generally, most commenters supported the position that reasonably related costs should not be limited to actual costs. Many of the commenters in support of a broad interpretation of costs “reasonably related” to providing the communication suggested specific costs that should be permitted under this exception, such as costs of personnel, data storage, data processing, data analysis, data security, software, hardware, employee training, message content development, clinical review, postage, materials, drug adherence program development, formulary development, and the creation and implementation of analytics to measure the effectiveness of the communication. Several commenters noted that it would be unrealistic to expect a covered entity to perform such non-essential functions as sending refill reminders and other related communications if they could not recoup both their direct and indirect costs as well as a modest profit.

    Final Rule

    The final rule significantly modifies the proposed rule’s approach to marketing by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed.

    Many of the comments we received in response to the proposed marketing provisions concerned the distinction between communications for treatment and those for health care operations purposes and sought clarification on the line between such communications. We acknowledge that the distinction between what constitutes a treatment versus a health care operations communication may be difficult to make with precision in all cases, placing covered entities at risk for violating the authorization requirement for marketing communications.

    We, therefore, believe that requiring authorizations for all subsidized communications that market a health related product or service is the best policy. Such a policy will ensure that all such communications are treated as marketing communications, instead of requiring covered entities to have two processes in place based on whether the communication provided to individuals is for a treatment or a health care operations purpose. We decline to retain the Privacy Rule’s definition of what constitutes “marketing” unchanged, as suggested by some commenters, as doing so would be inconsistent with the provisions of the Section 13406(a) of the HITECH Act.

    Because the final rule treats subsidized treatment communications as marketing communications that require authorization, we have not adopted the notice requirement at proposed § 164.520(b)(1)(iii)(A) that a covered entity’s notice of privacy practices include a statement informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health related products or services where the provider receives financial remuneration from a third party in exchange for making the communication, and the individual has a right to opt out of receiving such communications. We also do not retain the notice requirement that existed at § 164.520(b)(1)(iii) prior to this final rule that a covered entity include in its notice of privacy practices a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual.

    Where the sending of such communications involves financial remuneration, the individual will be notified of such communications through the authorization process.

    Other communications for such purposes that do not involve financial remuneration are adequately captured in a covered entity’s description in its notice of privacy practices of treatment and health care operations. However, covered entities that wish to continue to include such a specific statement in their notices of privacy practices may do so. For further discussion about the Notice of Privacy Practices, please see the discussion addressing the provisions at § 164.520.

    We adopt the term “financial remuneration” and its definition as proposed without modification in the final rule. Most commenters were generally satisfied with the proposed use of the term and its definition. There was, however, some confusion among commenters as to what constitutes direct or indirect payment from or on behalf of a third party. We clarify that under this provision direct payment means financial remuneration that flows from the third party whose product or service is being described directly to the covered entity. In contrast, indirect payment means financial remuneration that flows from an entity on behalf of the third party whose product or service is being described to a covered entity.

    We also clarify that where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual. The HITECH Act at Section 13406(a)(2)(C) provides that a business associate may make such communications on behalf of a covered entity if consistent with the written contract required by the Privacy Rule between the business associate and covered entity. The Privacy Rule a § 164.504(e)(2)(i) provides that the contract may not authorize the business associate to further use or disclose the protected health information in a manner that would violate the Rule if done by the covered entity (except in two limited circumstances not relevant here). Thus, individual authorization also must be obtained if a business associate is to send these communications instead of the covered entity.

    We also confirm, in response to comments, that the term “financial remuneration” does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payments made in exchange for making such communications. In addition, we continue to emphasize that the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and such communication must encourage individuals to purchase or use the third party’s product or service. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then this marketing provision does not apply. For example, if a third party provides financial remuneration to a covered entity to implement a program, such as a disease management program, the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity’s program itself. There, the communications would only be encouraging individuals to participate in the covered entity’s disease management program and would not be encouraging individuals to use or purchase the third party’s product or service.

    Under the final rule, for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing protected health information for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. See § 164.508(a)(3). The scope of the authorization need not be limited only to subsidized communications related to a single product or service or the products or services of one third party, but rather may apply more broadly to subsidized communications generally so long as the authorization adequately describes the intended purposes of the requested uses and disclosures (i.e., the scope of the authorization) and otherwise contains the elements and statements of a valid authorization under § 164.508. This includes making clear in the authorization that the individual may revoke the authorization at any time he or she wishes to stop receiving the marketing material.

    Because the final rule will treat all subsidized treatment communications as marketing communications for which an authorization is required, the final rule also removes the language at proposed § 164.514(f)(2), which proposed to require that such communications be accompanied by a statement in the notice and an opportunity for the individual to opt out of receiving such communications. We believe that the removal of the notice and opt out requirements for such communications and the addition of the requirement to obtain an authorization will provide covered entities with a more uniform system for treating all remunerated communications. Because the individual must now sign an authorization before the covered entity can make subsidized treatment communications, there is no longer any need to require each such communication to contain a clear and conspicuous opportunity for the individual to elect not to receive any more of these communications. Where the individual signs an authorization to receive such communications, the covered entity may use and disclose the individual’s protected health information for the purposes of making such communications unless or until the individual revokes the authorization pursuant to § 164.508(a)(5).

    If the individual does not authorize the covered entity to use and disclose the individual’s protected health information for the purposes of making subsidized treatment communications, then the covered entity is prohibited from doing so.

    We clarify that the final rule does nothing to modify the exceptions to the authorization requirement for marketing communications at § 164.508(a)(3)(i)(A) and (B). Therefore, no authorization is required where a covered entity receives financial remuneration from a third party to make a treatment or health care operations communication (or other marketing communication), if the communication is made faceto- face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity. For example, a health care provider could, in a face to face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications. However, communications made over the phone (as well as all communications sent through the mail or via e-mail) do not constitute face to face communications, and as such, these communications require individual authorization where the covered entity receives remuneration in exchange for making the communications.

    With respect to the exception for refill reminders or to otherwise communicate about a drug or biologic currently being prescribed to the individual, we adopt the exception as proposed. We continue to provide a stand-alone exception for refill reminders, given that the HITECH Act expressly does so. We therefore decline to adopt the suggestions of commenters to consider these communications to specifically be treatment communications (which would have required, under the provisions of the proposed rule, notice and an opportunity to opt out where the covered entity receives financial remuneration), or health care operations communications (which require authorization if financial remuneration is received).

    Many commenters asked for guidance and clarification regarding the scope of this exception, and we received a wide array of examples of communications that commenters suggested should fall within this exception. At this time, we clarify that we consider communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed fall within the scope of this exception. Additionally, we clarify that where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, fall under this exception. With respect to the array of other examples and suggestions provided by commenters as to what should fall within or outside of the exception, we intend to provide future guidance to address these questions.

    The proposed rule contained the Act’s limitation that the financial remuneration received in exchange for providing a refill reminder or to otherwise communicate about a drug or biologic currently being prescribed to the individual must be “reasonable in amount,” by providing that such remuneration must be reasonably related to the covered entity’s cost of making the communication for the exception from marketing to apply.

    We adopt this provision in the final rule. In response to comments regarding what types of costs fall within permissible remuneration, we clarify that we consider permissible costs for which a covered entity may receive remuneration under this exception are those which cover only the costs of labor, supplies, and postage to make the communication.

    Where the financial remuneration a covered entity receives in exchange for making the communication generates a profit or includes payment for other costs, such financial remuneration would run afoul of the Act’s “reasonable in amount” language. Thus, under this final rule, if a pharmacy receives financial remuneration from a drug manufacturer to provide refill reminders to individuals taking a particular drug that covers only the pharmacy’s cost of drafting, printing, and mailing the refill reminders, the exception would apply and no authorization would be required.

    However, where the drug manufacturer also provides the pharmacy with a financial incentive beyond the cost of making the communication to encourage the pharmacy’s continued willingness to send such communications on behalf of the drug manufacturer, the exception would not apply and the pharmacy must obtain individual authorization. We note, however, that if a pharmacy provides refill reminders to individuals only when they visit the pharmacy (in face to face encounters), such communications would be permitted under § 164.508(a)(3)(i)(A) and thus, authorization would not be required even if the pharmacy receives financial remuneration above and beyond what is reasonably related to the pharmacy’s cost of making the communication.

    Finally, in addition to the communications that fall within the refill reminder exception, two other types of communications continue to be exempt from the marketing provisions. First, as explained in the NPRM, communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, such as annual mammograms, do not constitute marketing and thus, do not require individual authorization.

    Second, communications about government and government-sponsored programs do not fall within the definition of “marketing” as there is no commercial component to communications about benefits through public programs. Therefore, a covered entity may use and disclose protected health information to communicate with individuals about eligibility for programs, such as Medicare, Medicaid, or the State Children’s Health Insurance Program (CHIP) without obtaining individual authorization.

    Response to Other Public Comments

    Comment: One commenter asked whether it is marketing where an entity promotes its discounts on covered benefits or member-exclusive value-added health products and services by paying a mailing house that is the health plan’s business associate to send its written promotional material to health plan members. The commenter stated that only the mailing house, and not the covered entity, is paid to send the communications.

    Response: Even where a business associate of a covered entity, such as a mailing house, rather than the covered entity itself, receives the financial remuneration from the entity whose product or service is being promoted to health plan members, the communication is a marketing communication for which prior authorization is required.

    As stated above, under the Privacy Rule, a business associate generally may not use or disclose protected health information in a manner that would be impermissible if done by the covered entity. We note, however, that non-financial or in-kind remuneration may be received by the covered entity or its business associate and it would not implicate the new marketing restrictions. Thus, if the materials describing a member-exclusive value-added health product or service were provided by the entity to the health plan or its business associate and no payment was made by the entity relating to the mailing or distribution of the materials, the covered entity or its business associate would be able to provide the material to its members without requiring an authorization.

     

    HHS Description From the August 2002 Revisions
    Definitions: Marketing

     

    December 2000 Privacy Rule. The Privacy Rule defined "marketing" at § 164.501 as a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service, subject to certain limited exceptions. To avoid interfering with, or unnecessarily burdening communications about, treatment or about the benefits and services of health plans and health care providers, the Privacy Rule explicitly excluded two types of communications from the definition of "marketing" (1) communications made by a covered entity for the purpose of describing the participating providers and health plans in a network, or describing the services offered by a provider or the benefits covered by a health plan; and (2) communications made by a health care provider as part of the treatment of a patient and for the purpose of furthering that treatment, or made by a provider or health plan in the course of managing an individual's treatment or recommending an alternative treatment. Thus, a health plan could send its enrollees a listing of network providers, and a health care provider could refer a patient to a specialist without either an authorization under § 164.508 or having to meet the other special requirements in § 164.514(e) that attach to marketing communications. However, these communications qualified for the exception to the definition of "marketing" only if they were made orally or, if in writing, were made without remuneration from a third party. For example, it would not have been marketing for a pharmacy to call a patient about the need to refill a prescription, even if that refill reminder was subsidized by a third party; but it would have been marketing for that same, subsidized refill reminder to be sent to the patient in the mail.

    Generally, if a communication was marketing, the Privacy Rule required the covered entity to obtain the individual's authorization to use or disclose protected health information to make the communication. However, the Privacy Rule, at § 164.514(e), permitted the covered entity to make health-related marketing communications without such authorization, provided it complied with certain conditions on the manner in which the communications were made. Specifically, the Privacy Rule permitted a covered entity to use or disclose protected health information to communicate to individuals about the health-related products or services of the covered entity or of a third party, without first obtaining an authorization for that use or disclosure of protected health information, if the communication: (1) identified the covered entity as the party making the communication; (2) identified, if applicable, that the covered entity received direct or indirect remuneration from a third party for making the communication; (3) with the exception of general circulation materials, contained instructions describing how the individual could opt-out of receiving future marketing communications; and (4) where protected health information was used to target the communication about a product or service to individuals based on their health status or health condition, explained why the individual had been targeted and how the product or service related to the health of the individual.

    For certain permissible marketing communications, however, the Department did not believe these conditions to be practicable. Therefore, § 164.514(e) also permitted a covered entity to make a marketing communication that occurred in a face-to-face encounter with the individual, or that involved products or services of only nominal value, without meeting the above conditions or requiring an authorization. These provisions, for example, permitted a covered entity to provide sample products during a face-to-face communication, or to distribute calendars, pens, and the like, that displayed the name of a product or provider.

    March 2002 NPRM. The Department received many complaints concerning the complexity and unworkability of the Privacy Rule's marketing requirements. Many entities expressed confusion over the Privacy Rule's distinction between health care communications that are excepted from the definition of "marketing" versus those that are marketing but permitted subject to the special conditions in § 164.514(e). For example, questions were raised as to whether disease management communications or refill reminders were "marketing" communications subject to the special disclosure and opt-out conditions in § 164.514(e). Others stated that it was unclear whether various health care operations activities, such as general health-related educational and wellness promotional activities, were to be treated as marketing under the Privacy Rule.

    The Department also learned that consumers were generally dissatisfied with the conditions required by § 164.514(e). Many questioned the general effectiveness of the conditions and whether the conditions would properly protect consumers from unwanted disclosure of protected health information to commercial entities, and from the intrusion of unwanted solicitations. They expressed specific dissatisfaction with the provision at § 164.514(e)(3)(iii) for individuals to opt-out of future marketing communications. Many argued for the opportunity to opt-out of marketing communications before any marketing occurred. Others requested that the Department limit marketing communications to only those consumers who affirmatively chose to receive such communications.

    In response to these concerns, the Department proposed to modify the Privacy Rule to make the marketing provisions clearer and simpler. First, the Department proposed to simplify the Privacy Rule by eliminating the special provisions for marketing health-related products and services at § 164.514(e). Instead, any use or disclosure of protected health information for a communication defined as "marketing" in § 164.501 would require an authorization by the individual. Thus, covered entities would no longer be able to make any type of marketing communications that involved the use or disclosure of protected health information without authorization simply by meeting the disclosure and opt-out conditions in the Privacy Rule. The Department intended to effectuate greater consumer privacy protection by requiring authorization for all uses or disclosures of protected health information for marketing communications, as compared to the disclosure and opt-out conditions of § 164.514(e).

    Second, the Department proposed minor clarifications to the Privacy Rule's definition of "marketing" at § 164.501. Specifically, the Department proposed to define "marketing" as "to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service." The proposed modification retained the substance of the "marketing" definition, but changed the language slightly to avoid the implication that in order for a communication to be marketing, the purpose or intent of the covered entity in making such a communication would have to be determined. The simplified language permits the Department to make the determination based on the communication itself.

    Third, with respect to the exclusions from the definition of "marketing" in § 164.501, the Department proposed to simplify the language to avoid confusion and better conform to other sections of the regulation, particularly in the area of treatment communications. The proposal retained the exclusions for communications about a covered entity's own products and services and about the treatment of the individual. With respect to the exclusion for a communication made "in the course of managing the treatment of that individual," the Department proposed to modify the language to use the terms "case management" and "care coordination" for that individual. These terms are more consistent with the terms used in the definition of "Ahealth care operations," and were intended to clarify the Department's intent.

    One substantive change to the definition proposed by the Department was to eliminate the condition on the above exclusions from the definition of "marketing" that the covered entity could not receive remuneration from a third party for any written communication. This limitation was not well understood and treated similar communications differently. For example, a prescription refill reminder was marketing if it was in writing and paid for by a third party, while a refill reminder that was not subsidized, or was made orally, was not marketing. With the proposed elimination of the health-related marketing requirements in § 164.514(e) and the proposed requirement that any marketing communication require an individual's prior written authorization, retention of this condition would have adversely affected a health care provider's ability to make many common health-related communications. Therefore, the Department proposed to eliminate the remuneration prohibition to the exceptions to the definition so as not to interfere with necessary and important treatment and health-related communications between a health care provider and patient.

    To reinforce the policy requiring an authorization for most marketing communications, the Department proposed to add a new marketing provision at § 164.508(a)(3) explicitly requiring an authorization for a use or disclosure of protected health information for marketing purposes. Additionally, if the marketing was expected to result in direct or indirect remuneration to the covered entity from a third party, the Department proposed that the authorization state this fact. As noted above, because a use or disclosure of protected health information for marketing communications required an authorization, the disclosure and opt-out provisions in § 164.514(e) no longer would be necessary and the Department proposed to eliminate them. As in the December 2000 Privacy Rule at § 164.514(e)(2), the proposed modifications at § 164.508(a)(3) excluded from the marketing authorization requirements face-to-face communications made by a covered entity to an individual. The Department proposed to retain this exception so that the marketing provisions would not interfere with the relationship and dialogue between health care providers and individuals. Similarly, the Department proposed to retain the exception to the authorization requirement for a marketing communication that involved products or services of nominal value, but proposed to replace the language with the common business term "promotional gift of nominal value."

    As noted above, because some of the proposed simplifications were a substitute for § 164.514(e), the Department proposed to eliminate that section, and to make conforming changes to remove references to § 164.514(e) at § 164.502(a)(1)(vi) and in paragraph (6)(v) of the definition of "health care operations" in § 164.501.

     

    HHS Explanation From the August 2002 Modifications
    Definitions: Marketing

     

    The Department adopts the modifications to marketing substantially as proposed in the NPRM, but makes changes to the proposed definition of "marketing" and further clarifies one of the exclusions from the definition of "marketing" in response to comments on the proposal. The definition of "marketing" is modified to close what commenters characterized as a loophole, that is, the possibility that covered entities, for remuneration, could disclose protected health information to a third party that would then be able to market its own products and services directly to individuals. Also, in response to comments, the Department clarifies the language in the marketing exclusion for communications about a covered entity's own products and services.

    As it proposed to do, the Department eliminates the special provisions for marketing health-related products and services at § 164.514(e). Except as provided for at § 164.508(a)(3), a covered entity must have the individual's prior written authorization to use or disclose protected health information for marketing communications and will no longer be able to do so simply by meeting the disclosure and opt-out provisions, previously set forth in § 164.514(e). The Department agrees with commenters that the authorization provides individuals with more control over whether they receive marketing communications and better privacy protections for such uses and disclosures of their health information. In response to commenters who opposed this proposal, the Department does not believe that an opt-out requirement for marketing communications would provide a sufficient level of control for patients regarding their health information. Nor does the Department believe that a blanket authorization provides sufficient privacy protections for individuals. Section 164.508(c) sets forth the core elements of an authorization necessary to give individuals control of their protected health information. Those requirements give individuals sufficient information and notice regarding the type of use or disclosure of their protected health information that they are authorizing. Without such specificity, an authorization would not have meaning. Indeed, blanket marketing authorizations would be considered defective under § 164.508(b)(2).

    The Department adopts the general definition of "marketing" with one clarification. Thus, "marketing" means "to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." In removing the language referencing the purpose of the communication and substituting the term "that encourages" for the term "to encourage", the Department intends to simplify the determination of whether a communication is marketing. If, on its face, the communication encourages recipients of the communication to purchase or use the product or service, the communication is marketing. A few commenters argued for retaining the purpose of the communication as part of the definition of "marketing" based on their belief that the intent of the communication was a clearer and more definitive standard than the effect of the communication. The Department disagrees with these commenters. Tying the definition of "marketing" to the purpose of the communication creates a subjective standard that would be difficult to enforce because the intent of the communicator rarely would be documented in advance. The definition adopted by the Secretary allows the communication to speak for itself.

    The Department further adopts the three categories of communications that were proposed as exclusions from the definition of "marketing." Thus, the covered entity is not engaged in marketing when it communicates to individuals about: (1) the participating providers and health plans in a network, the services offered by a provider, or the benefits covered by a health plan; (2) the individual's treatment; or (3) case management or care coordination for that individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to that individual. For example, a doctor that writes a prescription or refers an individual to a specialist for follow-up tests is engaging in a treatment communication and is not marketing a product or service. The Department continues to exempt from the "marketing" definition the same types of communications that were not marketing under the Privacy Rule as published in December 2000, but has modified some of the language to better track the terminology used in the definition of "health care operations." The commenters generally supported this clarification of the language.

    The Department, however, does not agree with commenters that sought to expand the exceptions from marketing for all communications that fall within the definitions of "treatment," "payment," or "health care operations." The purpose of the exclusions from the definition of marketing is to facilitate those communications that enhance the individual's access to quality health care. Beyond these important communications, the public strongly objected to any commercial use of protected health information to attempt to sell products or services, even when the product or service is arguably health related. In light of these strong public objections, ease of administration is an insufficient justification to categorically exempt all communications about payment and health care operations from the definition of "marketing."

    However, in response to comments, the Department is clarifying the language that excludes from the definition of "marketing" those communications that describe network participants and the services or benefits of the covered entity. Several commenters, particularly insurers, were concerned that the reference to a "plan of benefits" was too limiting and would prevent them from sending information to their enrollees regarding enhancements or upgrades to their health insurance coverage. They inquired whether the following types of communications would be permissible: enhancements to existing products; changes in deductibles/copays and types of coverage (e.g., prescription drug); continuation products for students reaching the age of majority on parental policies; special programs such as guaranteed issue products and other conversion policies; and prescription drug card programs. Some health plans also inquired if they could communicate with beneficiaries about "one-stop shopping" with their companies to obtain long-term care, property, casualty, and life insurance products.

    The Department understands the need for covered health care providers and health plans to be able to communicate freely to their patients or enrollees about their own products, services, or benefits. The Department also understands that some of these communications are required by State or other law. To ensure that such communications may continue, the Department is broadening its policy, both of the December 2000 Privacy Rule as well as proposed in the March 2002 NPRM, to allow covered entities to use protected health information to convey information to beneficiaries and members about health insurance products offered by the covered entity that could enhance or substitute for existing health plan coverage. Specifically, the Department modifies the relevant exemption from the definition of "marketing" to include communications that describe "a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits." Thus, under this exemption, a health plan is not engaging in marketing when it advises its enrollees about other available health plan coverages that could enhance or substitute for existing health plan coverage. For example, if a child is about to age out of coverage under a family's policy, this provision will allow the plan to send the family information about continuation coverage for the child. This exception, however, does not extend to excepted benefits (described in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1)), such as accident-only policies), nor to other lines of insurance (e.g., it is marketing for a multi-line insurer to promote its life insurance policies using protected health information).

    Moreover, the expanded language makes clear that it is not marketing when a health plan communicates about health-related products and services available only to plan enrollees or members that add value to, but are not part of, a plan of benefits. The provision of value-added items or services (VAIS) is a common practice, particularly for managed care organizations. Communications about VAIS may qualify as a communication that is about a health plan's own products or services, even if VAIS are not considered plan benefits for the Adjusted Community Rate purposes. To qualify for this exclusion, however, the VAIS must meet two conditions. First, they must be health-related. Therefore, discounts offered by Medicare + Choice or other managed care organizations for eyeglasses may be considered part of the plan's benefits, whereas discounts to attend movie theaters will not. Second, such items and services must demonstrably "add value" to the plan's membership and not merely be a pass-through of a discount or item available to the public at large. Therefore, a Medicare + Choice or other managed care organization could, for example, offer its members a special discount opportunity for a health/fitness club without obtaining authorizations, but could not pass along to its members discounts to a health fitness club that the members would be able to obtain directly from the health/fitness clubs.

    In further response to comments, the Department has added new language to the definition of "marketing" to close what commenters perceived as a loophole that a covered entity could sell protected health information to another company for the marketing of that company's products or services. For example, many were concerned that a pharmaceutical company could pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients. The commenters believed the proposal would permit this to happen under the guise of the pharmaceutical company acting as a business associate of the covered entity for the purpose of recommending an alternative treatment or therapy to the individual. The Department agrees with commenters that the potential for manipulating the business associate relationship in this fashion should be expressly prohibited. Therefore, the Department is adding language that would make clear that business associate transactions of this nature are marketing. Marketing is defined expressly to include "an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." These communications are marketing and can only occur if the covered entity obtains the individual's authorization pursuant to § 164.508. The Department believes that this provision will make express the fundamental prohibition against covered entities selling lists of patients or enrollees to third parties, or from disclosing protected health information to a third party for the marketing activities of the third party, without the written authorization of the individual. The Department further notes that manufacturers that receive identifiable health information and misuse it may be subject to action taken under other consumer protection statutes by other Federal agencies, such as the Federal Trade Commission.

    The Department does not, however, agree with commenters who argued for retention of the provisions that would condition the exclusions from the "marketing" definition on the absence of remuneration. Except for the arrangements that are now expressly defined as "marketing," the Department eliminates the conditions that communications are excluded from the definition of "marketing" only if they are made orally, or, if in writing, are made without any direct or indirect remuneration. The Department does not agree that the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service. For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication. The covered entity also is able to engage a legitimate business associate to assist it in making these permissible communications. It is only in situations where, in the guise of a business associate, an entity other than the covered entity is promoting its own products using protected health information it has received from, and for which it has paid, the covered entity, that the remuneration will place the activity within the definition of "marketing."

    In addition, the Department adopts the proposed marketing authorization provision at § 164.508(a)(3), with minor language changes to conform to the revised "marketing" definition. The Rule expressly requires an authorization for uses or disclosures of protected health information for marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value. A marketing authorization must include a statement about remuneration, if any. For ease of administration, the Department has changed the regulatory provision to require a statement on the authorization whenever the marketing "involves" direct or indirect remuneration to the covered entity from a third party, rather than requiring the covered entity to identify those situations where "the marketing is expected to result in" remuneration.

    Finally, the Department clarifies that nothing in the marketing provisions of the Privacy Rule are to be construed as amending, modifying, or changing any rule or requirement related to any other Federal or State statutes or regulations, including specifically anti-kickback, fraud and abuse, or self-referral statutes or regulations, or to authorize or permit any activity or transaction currently proscribed by such statutes and regulations. Examples of such laws include the anti-kickback statute (section 1128B(b) of the Social Security Act), safe harbor regulations (42 CFR Part 1001), Stark law (section 1877 of the Social Security Act) and regulations (42 CFR Parts 411 and 424), and HIPAA statute on self-referral (section 1128C of the Social Security Act). The definition of "marketing" is solely applicable to the Privacy Rule and the permissions granted by the Rule are only for a covered entity's use or disclosure of protected health information. In particular, although this regulation defines the term "marketing" to exclude communications to an individual to recommend, purchase, or use a product or service as part of the treatment of the individual or for case management or care coordination of that individual, such communication by a "white coat" health care professional may violate the anti-kickback statute. Similar examples for pharmacist communications with patients relating to the marketing of products on behalf of pharmaceutical companies were identified by the OIG as problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR 65372). Other violations have involved home health nurses and physical therapists acting as marketers for durable medical equipment companies. Although a particular communication under the Privacy Rule may not require patient authorization because it is not marketing, or may require patient authorization because it is "marketing" as the Rule defines it, the arrangement may nevertheless violate other statutes and regulations administered by HHS, the Department of Justice, or other Federal or State agency.

     

    HHS Response to Comments Received - Published With the August 2002 Revisions
    Definitions - Marketing

     

    Overview of Public Comments.

    The Department received generally favorable comment on its proposal to simplify the marketing provisions by requiring authorizations for uses or disclosures of protected health information for marketing communications, instead of the special provisions for health-related products and services at § 164.514(e). Many also supported the requirement that authorizations notify the individual of marketing that results in direct or indirect remuneration to the covered entity from a third party. They argued that for patients to make informed decisions, they must be notified of potential financial conflicts of interest. However, some commenters opposed the authorization requirement for marketing, arguing instead for the disclosure and opt-out requirements at § 164.514(e) or for a one-time, blanket authorization from an individual for their marketing activities.

    Commenters were sharply divided on whether the Department had properly defined what is and what is not marketing. Most of those opposed to the Department's proposed definitions objected to the elimination of health-related communications for which the covered entity received remuneration from the definition of "marketing." They argued that these communications would have been subject to the consumer protections in § 164.514(e) but, under the proposal, could be made without any protections at all. The mere presence of remuneration raised conflict of interest concerns for these commenters, who feared patients would be misled into thinking the covered entity was acting solely in the patients' best interest when recommending an alternative medication or treatment. Of particular concern to these commenters was the possibility of a third party, such as a pharmaceutical company, obtaining a health care provider's patient list to market its own products or services directly to the patients under the guise of recommending an "alternative treatment" on behalf of the provider. Commenters argued that, even if the parties attempted to cloak the transaction in the trappings of a business associate relationship, when the remuneration flowed from the third party to the covered entity, the transaction was tantamount to selling the patient lists and ought to be considered marketing.

    On the other hand, many commenters urged the Department to broaden the categories of communications that are not marketing. Several expressed concern that, under the proposal, they would be unable to send newsletters and other general circulation materials with information about health-promoting activities (e.g., screenings for certain diseases) to their patients or members without an authorization. Health plans were concerned that they would be unable to send information regarding enhancements to health insurance coverage to their members and beneficiaries. They argued, among other things, that they should be excluded from the definition of "marketing" because these communications would be based on limited, non-clinical protected health information, and because policyholders benefit and use such information to fully evaluate the mix of coverage most appropriate to their needs. They stated that providing such information is especially important given that individual and market-wide needs, as well as benefit offerings, change over time and by statute. For example, commenters informed the Department that some States now require long-term care insurers to offer new products to existing policyholders as they are brought to market and to allow policyholders to purchase the new benefits through a formal upgrade process. These health plans were concerned that an authorization requirement for routine communications about options and enhancements would take significant time and expense. Some insurers also urged that they be allowed to market other lines of insurance to their health plan enrollees.

    A number of commenters urged the Department to exclude any activity that met the definitions of "treatment", "payment", or "health care operations" from the definition of "marketing" so that they could freely inform customers about prescription discount card and price subsidy programs. Still others wanted the Department to broaden the treatment exception to include all health-related communications between providers and patients.

    Response to Other Public Comments.

    Comment: Some commenters recommended that the definition of "marketing" be broadened to read as follows: "any communication about a product or service to encourage recipients of the communication to purchase or use the product or service or that will make the recipient aware of the product or service available for purchase or use by the recipient." According to these commenters, the additional language would capture marketing campaign activities to establish "brand recognition."

    Response: The Department believes that marketing campaigns to establish brand name recognition of products is already encompassed within the general definition of "marketing" and that it is not necessary to add language to accomplish this purpose.

    Comment: Some commenters opposed the proposed deletion of references to the covered entity as the source of the communications, in the definition of those communications that were excluded from the "marketing" definition. They objected to these non-marketing communications being made by unrelated third parties based on protected health information disclosed to these third parties by the covered entity, without the individual's knowledge or authorization.

    Response: These commenters appear to have misinterpreted the proposal as allowing third parties to obtain protected health information from covered entities for marketing or other purposes for which the Rule requires an individual's authorization. The deletion of the specific reference to the covered entity does not permit disclosures to a third party beyond the disclosures already permitted by the Rule. The change is intended to be purely editorial: since the Rule applies only to covered entities, the only entities whose communications can be governed by the Rule are covered entities, and thus the reference to covered entities there was redundant. Covered entities may not disclose protected health information to third parties for marketing purposes without authorization from the individual, even if the third party is acting as the business associate of the disclosing covered entity. Covered entities may, however, use protected health information to communicate with individuals about the covered entity's own health-related products or services, the individual's treatment, or case management or care coordination for the individual. The covered entity does not need an authorization for these types of communications and may make the communication itself or use a business associate to do so.

    Comment: Some commenters advocated for reversion to the provision in § 164.514(e) that the marketing communication identify the covered entity responsible for the communication, and argued that the covered entity should be required to identify itself as the source of the protected health information.

    Response: As modified, the Privacy Rule requires the individual's written authorization for the covered entity to use or disclose protected health information for marketing purposes, with limited exceptions. The Department believes that the authorization process itself will put the individual sufficiently on notice that the covered entity is the source of the protected health information. To the extent that the commenter suggests that these disclosures are necessary for communications that are not "marketing" as defined by the Rule, the Department disagrees because such a requirement would place an undue burden on necessary health-related communications.

    Comment: Many commenters opposed the proposed elimination of the provision that would have transformed a communication exempted from marketing into a marketing communication if it was in writing and paid for by a third party. They argued that marketing should include any activity in which a covered entity receives compensation, directly or indirectly, through such things as discounts from another provider, manufacturer, or service provider in exchange for providing information about the manufacturer or service provider's products to consumers, and that consumers should be advised whenever such remuneration is involved and allowed to opt-out of future communications.

    Response: The Department considered whether remuneration should determine whether a given activity is marketing, but ultimately concluded that remuneration should not define whether a given activity is marketing or falls under an exception to marketing. In fact, the Department believes that the provision in the December 2000 Rule that transformed a treatment communication into a marketing communication if it was in writing and paid for by a third party blurred the line between treatment and marketing in ways that would have made the Privacy Rule difficult to implement. The Department believes that certain health care communications, such as refill reminders or informing patients about existing or new health care products or services, are appropriate, whether or not the covered entity receives remuneration from third parties to pay for them. The fact that remuneration is received for a marketing communication does not mean the communication is biased or inaccurate. For the same reasons, the Department does not believe that the communications that are exempt from the definition of "marketing" require any special conditions, based solely on direct or indirect remuneration received by the covered entity. Requiring disclosure and opt-out conditions on these communications, as § 164.514(e) had formerly imposed on health-related marketing communications, would add a layer of complexity to the Privacy Rule that the Department intended to eliminate. Individuals, of course, are free to negotiate with covered entities for limitations on such uses and disclosures, to which the entity may, but is not required to, agree.

    The Department does agree with commenters that, in limited circumstances, abuses can occur. The Privacy Rule, both as published in December 2000 and as proposed to be modified in March 2002, has always prohibited covered entities from selling protected health information to a third party for the marketing activities of the third party, without authorization. Nonetheless, in response to continued public concern, the Department has added a new provision to the definition of "marketing" to prevent situations in which a covered entity could take advantage of the business associate relationship to sell protected health information to another entity for that entity's commercial marketing purposes. The Department intends this prohibition to address the potential financial conflict of interest that would lead a covered entity to disclose protected health information to another entity under the guise of a treatment exemption.

    Comment: Commenters argued that written authorizations (opt-ins) should be required for the use of clinical information in marketing. They stated that many consumers do not want covered entities to use information about specific clinical conditions that an individual has, such as AIDS or diabetes, to target them for marketing of services for such conditions.

    Response: The Department does not intend to interfere with the ability of health care providers or health plans to deliver quality health care to individuals. The "marketing" definition excludes communications for the individual's treatment and for case management, care coordination or the recommendation of alternative therapies. Clinical information is critical for these communications and, hence, cannot be used to distinguish between communications that are or are not marketing. The covered entity needs the individual's authorization to use or disclose protected health information for marketing communications, regardless of whether clinical information is to be used.

    Comment: The proposed modification eliminated the § 164.514 requirements that permitted the use of protected health information to market health-related products and services without an authorization. In response to that proposed modification, many commenters asked whether covered entities would be allowed to make communications about "health education" or "health promoting" materials or services without an authorization under the modified Rule. Examples included communications about health improvement or disease prevention, new developments in the diagnosis or treatment of disease, health fairs, health/wellness-oriented classes or support groups.

    Response: The Department clarifies that a communication that merely promotes health in a general manner and does not promote a specific product or service from a particular provider does not meet the general definition of "marketing." Such communications may include population-based activities to improve health or reduce health care costs as set forth in the definition of "health care operations" at § 164.501. Therefore, communications, such as mailings reminding women to get an annual mammogram, and mailings providing information about how to lower cholesterol, about new developments in health care (e.g., new diagnostic tools), about health or "wellness" classes, about support groups, and about health fairs are permitted, and are not considered marketing.

    Comment: Some commenters asked whether they could communicate with beneficiaries about government programs or government-sponsored programs such as information about SCHIP; eligibility for Medicare/Medigap (e.g., eligibility for limited, six-month open enrollment period for Medicare supplemental benefits).

    Response: The Department clarifies that communications about government and government-sponsored programs do not fall within the definition of "marketing." There is no commercial component to communications about benefits available through public programs. Therefore, a covered entity is permitted to use and disclose protected health information to communicate about eligibility for Medicare supplemental benefits, or SCHIP. As in our response above, these communications may reflect population-based activities to improve health or reduce health care costs as set forth in the definition of "health care operations" at § 164.501.

    Comment: The proposed modification eliminated the § 164.514 requirements that allowed protected health information to be used and disclosed without authorization or the opportunity to opt-out, for communications contained in newsletters or similar general communication devices widely distributed to patients, enrollees, or other broad groups of individuals. Many commenters requested clarification as to whether various types of general circulation materials would be permitted under the proposed modification. Commenters argued that newsletters or similar general communication devices widely distributed to patients, enrollees, or other broad groups of individuals should be permitted without authorizations because they are "common" and "serve appropriate information distribution purposes" and, based on their general circulation, are less intrusive than other forms of communication.

    Response: Covered entities may make communications in newsletter format without authorization so long as the content of such communications is not "marketing," as defined by the Rule. The Department is not creating any special exemption for newsletters.

    Comment: One commenter suggested that, even when authorizations are granted to disclose protected health information for a particular marketing purpose to a non-covered entity, there should also be an agreement by the third party not to re-disclose the protected health information. This same commenter also recommended that the Privacy Rule place restrictions on non-secure modes of making communications pursuant to an authorization. This commenter argued that protected health information should not be disclosed on the outside of mailings or through voice mail, unattended FAX, or other modes of communication that are not secure.

    Response: Under the final Rule, a covered entity must obtain an individual's authorization to use or disclose protected health information for a marketing communication, with some exceptions. If an individual wanted an authorization to limit the use of the information by the covered entity, the individual could negotiate with the covered entity to make that clear in the authorization. Similarly, individuals can request confidential forms of communication, even with respect to authorized disclosures. See § 164.522(b).

    Comment: Commenters requested that HHS provide clear guidance on what types of activities constitute a use or disclosure for marketing, and, therefore, require an authorization.

    Response: The Department has modified the "marketing" definition to clarify the types of uses or disclosures of protected health information that are marketing, and, therefore, require prior authorization and those that are not marketing. The Department intends to update its guidance on this topic and address specific examples raised by commenters at that time.

    Comment: A number of commenters wanted the Department to amend the face-to-face authorization exception. Some urged that it be broadened to include telephone, mail and other common carriers, fax machines, or the Internet so that the exception would cover communications between providers and patients that are not in person. For example, it was pointed out that some providers, such as home delivery pharmacies, may have a direct treatment relationship, but communicate with patients through other channels. Some raised specific concerns about communicating with "shut-ins" and "persons living in rural areas." Other commenters asked the Department to make the exception more narrow to cover only those marketing communications made by a health care provider, as opposed to by a business associate, or to cover only those marketing communications of a provider that arise from a treatment or other essential health care communication.

    Response: The Department believes that expanding the face-to-face authorization exception to include telephone, mail, and other common carriers, fax machines or the Internet would create an exception essentially for all types of marketing communications. All providers potentially use a variety of means to communicate with their patients. The authorization exclusion, however, is narrowly crafted to permit only face-to-face encounters between the covered entity and the individual.

    The Department believes that further narrowing the exception to place conditions on such communications, other than that it be face-to-face, would neither be practical nor better serve the privacy interests of the individual. The Department does not intend to police communications between doctors and patients that take place in the doctor's office. Further limiting the exception would add a layer of complexity to the Rule, encumbering physicians and potentially causing them to second-guess themselves when making treatment or other essential health care communications. In this context, the individual can readily stop any unwanted communications, including any communications that may otherwise meet the definition of "marketing."