As of September 23, 2013, HIPAA covered entities and their business associates are required to comply with the final omnibus rule (the Omnibus Rule), which modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule includes a significant tightening of the rules regarding the use of protected health information (PHI) for marketing purposes, especially with respect to communications paid for by third parties.
Who is affected?
These modified marketing rules directly affect HIPAA covered entities, their vendors (including business associates that handle PHI on their behalf), and the sponsors of subsidized communication programs for health care products and services.
Types of programs that may be covered by these modified marketing rules include, without limitation, pharmacy and health plan communication programs paid for by third parties. For example, pharmaceutical companies frequently sponsor patient communication programs to promote adherence to physician-prescribed treatments. Companies (including health plans) often sponsor programs that communicate information to individuals about new or alternative treatments that might be appropriate for patients.
What has changed?
The Omnibus Rule departs from prior versions of the Privacy Rule in that it requires individual authorization for marketing communications whenever the covered entity receives financial remuneration for making the communication from a third party whose product or service is being marketed, subject to only a few exceptions. Subsidized communications that could previously be made without authorization as "treatment" or "health care operations" communications now generally require it.
HIPAA defines marketing to include making a communication that encourages the purchase or use of a product or service, and includes communications made for certain treatment and health care operations purposes where the covered entity receives “financial remuneration” from a third party for making the communication. “Financial remuneration” means direct or indirect payment from or on behalf of a third party whose product or service is being described.
If the communication will result in financial remuneration, the individual’s authorization must expressly state that remuneration is involved.
Limited Exceptions to the Requirement of Individual Authorization
Under the Omnibus Rule, the use or disclosure of PHI for marketing purposes does not require prior patient authorization in the following circumstances:
- Face-to-Face Communications: Face-to-face communications made by a covered entity to an individual do not require prior patient authorization, even if financial remuneration is involved. This exception applies to oral communications as well as to written communications, such as pamphlets, handed to the patient in a face-to-face exchange. Communications made by phone, fax, email or text message do not fall within this exception; prior patient authorization is therefore required for such communications unless they fall within one or more of the additional exceptions discussed below.
- Refill Reminders: Refill reminders and other communications about drugs or biologics currently prescribed to the individual do not require patient authorization, provided that any financial remuneration the covered entity receives for making the communication is reasonably related to the covered entity's cost of making it. The U.S. Department of Health and Human Services (HHS) considers communications about generic equivalents of a currently prescribed drug, and adherence communications that encourage an individual to take a currently prescribed medication, to fall within this exception. Payment for the treatment of an individual is not "financial remuneration" for this purpose. In response to confusion about what remuneration is "reasonably related" to the cost of making a communication, HHS issued guidance on September 19, 2013, clarifying that reasonable costs include the direct and indirect costs of labor, materials and supplies used to make the communication, as well as capital and overhead costs. Reasonable costs also include paying a business associate up to the fair market value of its services in connection with making the communication. If the remuneration exceeds the costs reasonably related to making the communication, the exception does not apply: prior patient authorization is required, and the authorization must disclose that financial remuneration is involved.
If the refill reminder is made in a face-to-face communication (as discussed above), patient authorization is not required, even if the financial remuneration is not reasonably related to the cost of making the communication.
- Other communications that do not require prior patient authorization include: (i) promotional gifts of nominal value provided by the covered entity; (ii) communications that promote health in general and do not promote a particular product or service, such as communications encouraging a healthy diet or routine diagnostic tests; and (iii) communications about government and government-sponsored programs, such as Medicare or Medicaid.
Covered entities should re-evaluate their marketing arrangements to make sure they comply with the Omnibus Rule. Where patient authorization is required and the communication will result in financial remuneration to the covered entity, covered entities should also review their authorization forms to make sure they contain the required disclosure that remuneration is involved.
State Law Considerations
It is important to note that although the Omnibus Rule creates a much stricter set of requirements for third-party subsidized communication programs, some state laws impose more stringent obligations, and these are not preempted by HIPAA. In particular, California's Confidentiality of Medical Information Act imposes a stricter standard for health care provider and health plan communications paid for by third parties. Covered entities and sponsors of subsidized communication programs should therefore also consider state law requirements when evaluating compliance for marketing communications involving PHI.
Notes
1. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at 45 C.F.R. Parts 160 and 164).
2. 45 C.F.R. § 164.501.
3. See 45 C.F.R. § 164.508(a)(3)(ii).
4. See 45 C.F.R. § 164.508(a)(3)(i)(A); 78 Fed. Reg. 5566, 5597.
5. See 78 Fed. Reg. 5596.
6. See 45 C.F.R. § 164.501.
7. See 78 Fed. Reg. 5596.
8. 45 C.F.R. § 164.501.
9. See 78 Fed. Reg. 5597.
10. See 78 Fed. Reg. 5597.
11. See 45 C.F.R. § 164.501; 78 Fed. Reg. 5597.