Phoenix Health Systems

HIPAAdvisor: Q & A with Steve Fox, Esq.

How Fundraising and Marketing Fit Into HIPAA Privacy

QUESTION: Does the Privacy standard permit the use and disclosure of protected health information ("PHI") for the purposes of fundraising and marketing?

ANSWER: Yes. In certain circumstances PHI may be used for marketing or fundraising without an authorization.

Covered entities must have written authorization to use or disclose PHI for purposes that are unrelated to the treatment, payment, or the health care operations of the covered entity. Originally, this requirement was applicable to all uses and disclosures of PHI for marketing and fundraising purposes.

Under the final Privacy rule, however, certain marketing and fundraising activities have been included in the definition of "health care operations," thereby allowing covered entities to use and disclose PHI without patient authorization in support of several limited fundraising and marketing activities. The definition of health care operations under the proposed rule included only those operations sufficiently related to treatment and payment to warrant the use and disclosure of PHI without authorization. However, in the final rule, the definition was revised to include those general administrative and business functions necessary for covered entities to remain viable businesses. Therefore, business management activities and general administrative functions, such as specific fundraising and marketing activities, are included as part of the definition of a covered entity's "health care operations."

Covered entities, their business associates, or institutionally related foundations (foundations that qualify as nonprofit charitable foundations under section 501(c)(3) of the Internal Revenue Code and that have in their charter statement of charitable purposes an explicit linkage to the covered entity), may use or disclose an individual's demographic information and/or the dates that the individual received treatment without obtaining written authorization. These uses and disclosures are permissible as long as:

  1. the covered entity's notice of privacy practices states that individuals may be contacted for the purpose of raising funds,
  2. any and all fundraising materials include instructions on how to opt out of future communications, and
  3. the covered entity makes reasonable efforts to ensure that individuals' opt-out requests are honored.

The use or disclosure of PHI for marketing purposes is permissible without an authorization in three instances:

  1. First, covered entities are permitted to use or disclose PHI without authorization to make marketing communications in face-to-face encounters. These communications may include discussion of any services or products, including the services or products of a third party.
  2. Second, PHI may be used or disclosed without authorization to make marketing communications involving products or services of nominal value. This would allow for the distribution of calendars, pens and other merchandise that is generally considered to be of a promotional nature.
  3. Finally, no authorization is required for marketing communications about health-related products or services of the covered entity or a third party, if the communication:
    • identifies the covered entity as the party making the communication,
    • discloses any direct or indirect remuneration received by the covered entity for making the communication,
    • contains instructions on how to opt out of similar future communications, and
    • explains why the individual has been targeted for the communication in those instances where PHI was used to target the communication to particular individuals based upon their health status or condition.

This third type of marketing communication is restricted to uses by covered entities or disclosures to their business associates pursuant to a business associate agreement.


Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.