In the proposed rule, we would have required covered entities to obtain the individual's authorization in order to use or disclose protected health information to market health and non-health items and services.
We have made a number of changes in the final rule that relate to marketing. In the final rule, we retain the general rule that covered entities must obtain the individual's authorization before making uses or disclosures of protected health information for marketing. However, we add a new definition of "marketing" that clarifies that certain activities, such as communications made by a covered entity for the purpose of describing the products and services it provides, are not marketing. See § 164.501 and the associated preamble regarding the definition of marketing. In the final rule we also permit covered entities to use and disclose protected health information for certain marketing activities without individual authorization, subject to conditions enumerated at § 164.514(e).
First, § 164.514(e) permits a covered entity to use or disclose protected health information without individual authorization to make a marketing communication if the communication occurs in a face-to-face encounter with the individual. This provision would permit a covered entity to discuss any services and products, including those of a third-party, without restriction during a face-to-face communication. A covered entity also could give the individual sample products or other information in this setting.
Second, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications involving products or services of only nominal value. This provision ensures that covered entities do not violate the rule when they distribute calendars, pens and other merchandise that generally promotes the covered entity.
Third, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications about the health-related products or services of the covered entity or of a third party if the communication: (1) identifies the covered entity as the party making the communication; (2) to the extent that the covered entity receives direct or indirect remuneration from a third-party for making the communication, prominently states that fact; (3) except in the case of a general communication (such as a newsletter), contains instructions describing how the individual may opt-out of receiving future communications about health-related products and services; and (4) where protected health information is used to target the communication about a product or service to individuals based on their health status or health condition, explains why the individual has been targeted and how the product or service relates to the health of the individual. The final rule also requires a covered entity to make a determination, prior to using or disclosing protected health information to target a communication to individuals based on their health status or condition, that the product or service may be beneficial to the health of the type or class of individual targeted to receive the communication.
This third provision accommodates the needs of health care entities to be able to discuss their own health-related products and services, or those of third parties, as part of their everyday business and as part of promoting the health of their patients and enrollees. The provision is restricted to uses by covered entities or disclosures to their business associates pursuant to a contract that requires confidentiality, ensuring that protected health information is not distributed to third parties. To provide individuals with a better understanding of how their protected health information is being used for marketing, the provision requires that the communication identify that the covered entity is the source of the communication; a covered entity may not send out information about the product of a third party without disclosing to the individual where the communication originated. We also require covered entities to disclose any direct or indirect remuneration from third parties. This requirement permits individuals to better understand why they are receiving a communication, and to weigh the extent to which their information is being used to promote their health or to enrich the covered entity. Covered entities also are required to include in their communication (unless it is a general newsletter or similar device) how the individual may prevent further communications about health-related products and services. This provision enhances individuals' control over how their information is being used. Finally, where a covered entity targets communications to individuals on the basis of their health status or condition, we require that the entity make a determination that the product or service being communicated may be beneficial to the health of the type of individuals targeted, and that the communication to the targeted individuals explain why they have been targeted and how the product or service relates to their health. This final provision balances the advantages that accrue from health care entities informing their patients and enrollees of new or valuable health products with individuals' expectations that their protected health information will be used to promote their health.