Uses and Disclosures of Protected Health Information for Marketing

Layout for printing

Policy Number:

UW-107

Old Policy Number:

3.6

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:

Business associate

A person or entity not affiliated with UW–Madison that performs or assists in performing for, or on behalf of, any unit in the UW–Madison health care component (UW HCC), business support functions/services that involve the use of protected health information (PHI).

Covered entity

A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Disclosure

The release, transfer, provision of access to, or divulging in any manner of protected health information by an individual within the HCC or affiliated covered entity (ACE) with a person or entity outside the HCC or ACE.

Financial remuneration

Direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for the treatment of an individual.

Health care operations

Any of a number of business and administrative activities, including:

• Conducting quality assessment and improvement activities.
• Reviewing the competence or qualifications of health care professionals.
• Conducting training programs.
• Accreditation.
• Credentialing
• Conducting or arranging for medical review, legal services, and auditing functions.
• Business planning and development.
• Business management and general administrative activities.

Health care operations do not include research and many fundraising and marketing activities. See in addition to this policy, privacy policy UW-108 Uses and Disclosures of Protected Health Information for Fundraising for more information.

HITECH

The Heath Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to promote the adoption and meaningful use of health information technology.

Marketing

Except as otherwise described in this policy, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

Protected health information (PHI)

Health information or health care payment information, including demographic information, which identifies the patient or can be used to identify the patient. Protected health information does not include student records held by educational institutions or employment records held by employers.

University of Wisconsin affiliated covered entity (UW ACE)

The UW–Madison health care component (except University Health Services and the State Laboratory of Hygiene), the University of Wisconsin Medical Foundation, and the University of Wisconsin Hospital and Clinics. See UW-101 Designation of UW Affiliated Covered Entity.

Use

The sharing, employment, application, utilization, examination, or analysis of protected health information by an individual within the UW HCC or the UW ACE.

UW-Madison health care component (UW HCC)

Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units.

Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

The HIPAA Privacy Rule and HITECH regulations permit limited uses and disclosures of protected health information for marketing activities conducted by a covered entity without patient authorization. UW–Madison follows HIPAA and HITECH regulations regarding when patients must provide written authorization for the use and disclosure of their protected health information for marketing activities and when no authorization is required for such activities.

Policy Detail

1. Individuals within the UW HCC or UW ACE must evaluate prospective marketing communications to determine if authorization is required under HIPAA or HITECH before protected health information may be used or disclosed for marketing purposes. Written authorization is required for marketing activities unless an exception applies as described in this document.
2. If a marketing activity involves financial remuneration to the UW HCC or UW ACE from a third party, then the authorization must specifically state that such remuneration is involved.
3. Written authorization is required when the UW HCC or UW ACE uses or discloses protected health information for marketing except that no authorization is required when:
   1. The communication occurs in a face-to-face encounter with the individual;
   2. The communication involves a promotional gift of nominal value such as calendars, pens, or items that promote UW–Madison or the UW ACE.
4. Uses or Disclosures of PHI That Do Not Constitute Marketing.
   1. The UW HCC or UW ACE may use protected health information to communicate with a patient about refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual so long as any financial remuneration received by the UW HCC or UW ACE is reasonably related to the covered entity’s cost of making the communication.
   2. The UW HCC or UW ACE may use protected health information to communicate with a patient about the following matters so long as the UW HCC or UW ACE does not receive any financial remuneration in exchange for making the communication:
      1. For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
      2. To describe a health-related product or service, or payment for the product or service that is provided by, or included in the covered entity’s plan of benefits.
      3. For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Supporting Tools

Additional information may be found at www.compliance.wisc.edu/hipaa.

Related UW-Madison Policies:

UW-108 Uses and Disclosures of Protected Health Information for Fundraising

Related UW–Madison Documents, Web Pages, or Other Resources:

Office of Compliance Policies and Forms

External References:

45 C.F.R. § 164.501

45 C.F.R. § 164.508(a)(3) 

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Privacy Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077

Effective Date:

07-25-2014

Revised Dates:

09-22-2014: Effective date of the revised policy: 09-22-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:

12-21-2024 05:37:10