authorization from an individual before using or disclosing the individual’s
PHI for an activity that falls within the definition of marketing. And, if the
marketing activity involves financial remuneration, the Privacy Rule requires
the written authorization form to identify such remuneration. 86 However, the
Privacy Rule does not require a covered entity to obtain an authorization from
an individual before using or disclosing the individual’s PHI for marketing
that takes the form of a “face-to-face communication made by a covered
entity to an individual” or a “promotional gift of nominal value provided by
the covered entity.” 87

Practicing health care attorneys have written volumes about the confusing
nature of the Privacy Rule’s marketing provisions. 88 In these writings,
lawyers attempt to explain to business and health care professionals which
communications meet the definition of marketing, 89 which communications
are excepted from the definition of marketing, 90 and which communications
meet the definition of marketing but are otherwise excepted from the
authorization requirement. 91 During my decade of practice, I received
hundreds of requests from hospital administrators, health care providers, and
even general counsel asking for clarification regarding these questions. Many
times, my general counsel clients would ask me, “If I cannot understand these
provisions and I am in-house counsel, how can I expect my workforce
members to implement them?”

In response, I would draft a HIPAA-compliant marketing policy so my
client would, at the very least, be able to demonstrate paper compliance with
the policies and procedures requirement set forth in the Privacy Rule 92 should
the client be audited by OCR. 93 But having a HIPAA-compliant policy on

86. Id. § 164.508(a)(3)(ii).
87. Id. § 164.508(a)(3)(i).
88. See, e.g., Jay Hodes, The HIPAA Privacy Rule—What is Often Confusing About Some
of the Requirements?, LINKEDIN PULSE (Aug. 19, 2015),
(“Another confusing area of the HIPAA Privacy Rule concerns marketing.”); Gerard Clum,
HIPAA and the “Marketing” Quandary, 21 DYNAMIC CHIROPRACTOR (Mar. 10, 2003),
http://www.dynamicchiropractic.com/mpacms/dc/article.php?id=9069 (“One of the more
confusing aspects of HIPAA involves the concept of ‘marketing,’ and your ability to use
protected health information (PHI) for marketing purposes.”); Peter D. Ricoy, Marketing
Under the HIPAA Megarule, 9 A.B.A. HEALTH E-SOURCE (2013),
health_law_esource_1305_ricoy.html (“By design, using an individual’s protected health
information (‘PHI’) for marketing purposes has never been easy under the HIPAA Privacy
89. See text accompanying supra note 88.
90. See text accompanying supra note 88.
91. See text accompanying supra note 88.
92. See text accompanying supra note 72.
93. See HIPAA Privacy, Security, and Breach Notification Audit Program, HHS.GOV,