Uses and Disclosures of Protected Health Information for Marketing

Layout for printing
Policy Number:
UW-107
Old Policy Number:
3.6
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

This policy describes when Protected Health Information (PHI) may be used or disclosed without authorization for marketing purposes, when a signed authorization is required, and clarifies what types of uses and disclosures do not meet the definition of marketing.

Definitions:
Covered entity
A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Disclosure
The release of protected health information by an individual within the health care component (HCC) or affiliated covered entity (ACE) to a person or entity outside the HCC or ACE.
Financial remuneration
Direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for the treatment of an individual.
Marketing
Except as otherwise described in this policy, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
Marketing does NOT include:
  • Communicating with a patient about refill reminders or a drug/ biologic currently prescribed, provided any payment received is reasonably related to the cost of the communication.
  • Communications related to (provided the UW HCC/UW ACE receives no financial remuneration):
    • A health-related product or service, or payment for such, that is provided by or included in the covered entity’s plan of benefits.
    • The individual’s treatment by a healthcare provider, including case management, care coordination, or recommending alternative treatments, providers, or care settings.
    • Activities that fall outside the HIPAA definition of treatment, involving: case management, care coordination, contacting individuals about treatment alternatives, and related functions.
  • Human subjects research recruitment
Protected health information (PHI)
Health information about an individual that contains at least one of the identifiers specified in the HIPAA regulations. PHI does not include student records held by educational institutions or employment records held by employers.
University of Wisconsin affiliated covered entity (UW ACE)
Those entities that have been designated by the university as part of its affiliated covered entity under HIPAA as outlined in UW-101 Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE).
Use
The sharing, employment, application, utilization, examination, or analysis of protected health information by an individual within the UW HCC or the UW ACE.
UW-Madison Health Care Component (UW HCC)
Those units of the University of Wisconsin–Madison that have been designated by the university as part of its health care component under HIPAA as outlined in UW-100 Designation of the UW-Madison Health Care Component (UW HCC).
Scope:

Applies to all members of the UW HCC.

Policy:
  1. Written authorization is required to use and/or disclose Protected Health Information (PHI) for marketing activities unless provided an exception as outlined in this policy.
  2. If the marketing activity involves financial remuneration to the UW-Madison Health Care Component (UW HCC) or the University of Wisconsin affiliated covered entity (UW ACE) from a third party, then the written authorization must state that such remuneration is involved.
  3. Written authorization is not required to use PHI for marketing activities when the communication is in the form of:
    1. A face-to-face encounter with the individual whose PHI is involved; or
    2. A promotional gift of nominal value from the UW HCC or the UW ACE to the individual whose PHI is involved (such as calendars, pens, or items) that promote the UW–Madison HCC or the UW ACE.

Additional information may be found at www.compliance.wisc.edu/hipaa.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
07-25-2014
Revised Dates:

09-22-2014: Effective date of the revised policy: 09-22-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
10-19-2025

Retrieved:
02-01-2026 03:00:53