Patient’s Guide to HIPAA – Uses and Disclosures: Can My Health Records be Used for Marketing?








FAQ 64: Can My Health Records be Used for Marketing?

The short answer is no, but the correct and longer answer is more complicated. Let’s go through it step by step.

The HIPAA rule tells covered entities that they can only use or disclose health records for marketing with the authorization of the patient. One reason for being careful with authorization is to make sure that you don’t casually authorize disclosure of your records to a company that wants to use them for marketing. Remember that other activities can reveal your medical history. If you accept a drug manufacturer’s coupon for a prescription drug, the manufacturer will learn your name and other information that it didn’t have before. Drug manufacturers are not covered entities or subject to privacy laws. Signing up for a disease-specific newsletter will also reveal your name and medical information. Joining a disease support group also effectively shares health information about you or a family member. If you chat on a health care provider’s Facebook page openly about your condition, you have effectively revealed your name and your medical information. HIPAA doesn’t protect any information you post on a social network.

HIPAA has two exceptions that allow marketing uses and disclosures. The first permits face-to-face communications by a covered entity to a patient. The second allows promotional gifts of nominal value provided by the covered entity. Under the first exception, for example, a nurse can invite you to visit the hospital’s new weight loss clinic. Under the second, the hospital can give you a refrigerator magnet with the phone number of its well-baby clinic. If the covered entity undertakes any marketing activity because someone, such as an outside entity, pays it to do so, then the covered entity must tell you it is being paid.

The 2013 changes effectively recognize an additional exception. The Rule allows prescription refill reminders, but it imposes a limit on how much a provider can be paid for sending a reminder. If you don’t like refill reminders, you may be able to opt out of them. A pharmacy can send you a letter telling you to refill a prescription, but the Rule does not allow so-called switch letters. A switch letter tries to get you to use a different drug than the one you were originally prescribed.

The basic marketing rule is pretty good as far as it goes. Most doctors believe, and will tell you, that using – and especially disclosing – health records for marketing is unethical anyway.

So far, so good. The rule allows uses and disclosures for treatment purposes and for health care operations. When does a treatment recommendation constitute marketing?  The line can be hard to draw. Advice from HHS says that any communication for the patient’s treatment, case management, care coordination, or recommendation of alternative therapies is permitted to the extent reasonably necessary. Further, population-based activities for health education or disease prevention (“Don’t Smoke!”) can also be okay.

The problem in line drawing here is that legitimate health activities overlap at the edges with marketing activities that many people are likely to find objectionable. Activities that fall on those edges can be characterized differently. Some activities that fall under the broad (and permissible) category of health care operations will look like marketing to some. When the answer requires a lawyer to dissect words, the result will be controversial at best.

The HIPAA rule helps a bit in limiting marketing disclosures. For example, you can expect that no covered entity will sell or rent lists of patients to drug manufacturers for the purposes of sending junk mail. However, there may be other forms of marketing-like activities that a covered entity’s lawyer may say are allowed under HIPAA.

We are not done yet, but we need more context to continue. If you receive mail hawking allergy medicines or medical devices for diabetics, does that mean that your allergist or internist or insurer or pharmacist gave your name and diagnosis to the advertiser?  Anything is possible, but there are other, more likely, sources of the same information.

Marketing companies and list brokers sell or rent mailing lists of people by diagnosis. They offer lists of millions of people by dozens of different diseases and conditions. Where does the information come from? The answer is from many places, but you are the most likely source. If you show interest in a medical product by making a purchase, calling an 800 number, registering at a website, using a coded coupon, subscribing to a magazine, filling out a quiz, or entering a sweepstakes, you may reveal your interest and your diagnosis. If you fill out a warranty card or a consumer survey, any information about your health condition (“Why did you buy the vaporizer?”) that you reveal is likely to end up in a personal or household profile and can be used and sold forever for marketing purposes. Websites that show ads and the advertisers often collect information about you, what you see online, and what you click on. That can all reveal health information not protected by law. Those who read carefully already saw our warning about turning your health records over to a commercial, advertising-supported company offering personal health record (PHR) services. (See FAQ 9.) That is another way that your records can leak into the marketing system. Any slip puts your personal information in the permanent possession of list brokers, marketers and profilers.



Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 64 of 65)
