Marketing Involving Protected Health Information (PHI)
The Columbia University Healthcare Component (CUHC) shall not use or disclose Protected Health Information (PHI) for marketing purposes without the patient’s authorization unless it meets an exception permitted by applicable law.
Reason(s) for the Policy
Subject to certain exceptions, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) prohibits the use or disclosure of Protected Health Information (PHI) for marketing purposes without patient authorization. This Policy describes the procedures to use or disclose PHI for marketing purposes.
Primary Guidance To Which This Policy Responds
HIPAA Rules 45 CFR 164.501, 164.508(a)(3)
HHS Privacy Guidance for Marketing
Who is Governed by This Policy
All CUHC workforce members.
Who Should Know This Policy
All CUHC workforce members.
Evaluate if a Communication is Marketing
Prior to using or disclosing PHI for communication about a product or service that encourages the recipient of the communication to purchase or use the product or service, including products or services of Columbia and of third parties, CUHC shall evaluate whether such communication is considered a Marketing communication as defined by HIPAA and applicable state law that may require patient authorization.
The following communications are not considered “Marketing” communications that require patient authorization under HIPAA:
- Communications to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed to the patient and any financial remuneration received is reasonably related to CUHC’s cost of making the communication;
- For the following treatment and health care operations purposes where CUHC does NOT receive any financial remuneration in exchange for making the communication:
- for treatment of a patient, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the patient;
- for case management or care coordination, contacting of patients with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
- to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits for, CUHC, including communications about the entities participating in a health care provider network; replacement of, or enhancements to, a health plan; and health-related products or services available only to health plan enrollees that add value to, but are not part of, a plan of benefits; or
- A face-to-face communication made by a CUHC workforce member to a patient; and
- A promotional gift of nominal value provided by CUHC.
Any Marketing communications that do not meet an exception identified above may be made only with the patient’s written authorization that meets the requirements of the authorization to disclose medical information policy, HIPAA, and any applicable state law. If CUHC will receive any financial remuneration in exchange for making the Marketing communication, the patient authorization must state that such remuneration is involved.
Any questions to determine if a communication is considered a Marketing communication that requires patient authorization under HIPAA or applicable state law shall be referred to the Privacy Office.
- Any Marketing communications involving the use or disclosure of PHI must either (1) be conducted pursuant to a patient authorization, or (2) meet an applicable exception and be permissible under HIPAA and applicable state law without individual authorization.
- For Marketing communications that do not meet an exception, patient authorization shall be obtained before any use or disclosure of the patient’s PHI in connection with such Marketing activities.
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.
Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.
Financial Remuneration - Direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of a patient.
Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.
Marketing - To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. There are several exceptions to the definition of “marketing” which are described in this Policy.
Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.