Today’s blog post comes from compliance expert Tom Ambury of PT Compliance Group and WebPT writer Erica Cohen.

Before you get too far into your plans to beef up your clinic’s sales and marketing efforts, remember that you’re a healthcare provider first, which means you’ve got some HIPAA hoops to jump through (ahem, rules to follow) that the small business owner down the street probably doesn’t have to worry about. Before we get into that, though, let’s establish a bit of background.


In 1996, Congress established the Health Information Portability and Accountability Act (HIPAA) in part to ensure patients’ health information remained private and protected. As such, under HIPAA’s Privacy Rule, Covered Entities and their Business Associates can only handle a patient’s protected health information (PHI) if doing so furthers the patient’s care.

Then, along came the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which, according to legal firm Duane Morris, “strengthen[ed] these protections by implementing new requirements on the use and disclosure of PHI for marketing and sale purposes.” As of September 23, 2013—the deadline for complying with these updates—patients must provide authorization before a Covered Entity or Business Associate may use or disclose patients’ protected health information for marketing or sales.

Now, chances are you’ve already been complying with these requirements; but just in case you need a bit of a refresher, let’s take another look. After all, penalties for noncompliance can be severe.

What Constitutes Marketing?

According to the Department of Health and Human Services (HHS), the Privacy Rule defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” However, here, the HHS acknowledges that there may very well be overlap “between a marketing communication and a communication for a treatment or health care purpose.” Thus, the Privacy Rule includes exceptions for communications that relate to a patient’s current care, including treatment alternatives and other benefits.

Duane Morris writes that the “2013 Amendments significantly modify the existing HIPAA rules to require that if there is financial remuneration related to the communication…then even treatment- or operations-related communications constitute marketing.” In other words, if you, the provider, are receiving any financial benefit from the third party whose product or service you’re promoting, it’s automatically considered marketing; and as such, you must disclose the remuneration and obtain patient authorization. That is, unless the communication:

  • takes place in person (“face-to-face”).
  • occurs in the form of a “promotional gift of nominal value.” (HHS uses the example of a hospital providing a “free package of formula and other baby products to new mothers as they leave the maternity ward.”)
  • relates to refill reminders for a drug or biologic that the patient is already using (as long as the remuneration is “reasonably related to the costs of the communication”).
So What’s a PT To Do?

Obtain patient authorization before marketing something for which you receive financial remuneration—and be sure to disclose said remuneration in your authorization form. According to Deborah Crandall, JD, in this PT in Motion article, these new authorizations make it unnecessary to include “notice-requirement language informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services in cases when the provider receives financial remuneration from a third party.” Additionally, Crandall says that because you’re obtaining individual authorization, you no longer need to provide notice to patients regarding their opt-out rights.

What About Sales?

The good news is that rules regarding the sale of PHI are much simpler. In short, Duane Morris writes that Covered Entities and Business Associates may not share PHI for financial or “in-kind” remuneration unless the patient provides prior authorization. Now, true to standard HIPAA form, there are several exceptions to this rule. For example, it is not a “sale” if the disclosure is:

  • for the purpose of public health
  • for HIPAA-covered research, as long as “the payment is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI”
  • related to treatment and payment
  • required by law

For more on the finer points of sales and marketing under HIPAA, check out Duane Morris’s post in full here, or go right to the Final Rule source.

Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts, but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or healthcare attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.