Comment: Many commenters requested clarification of the boundaries between treatment, payment, health care operations, and marketing. Some of these commenters requested clarification of the apparent inconsistency between language in proposed § 164.506(a)(1)(i) (a covered entity is permitted to use or disclose protected health information without authorization "to carry out" treatment, payment, or health care operations) and proposed § 164.508(a)(2)(A) (a covered entity must obtain an authorization for all uses and disclosures that are not "compatible with or directly related to" treatment, payment, and health care operations). They suggested retaining the language in proposed § 164.508(a)(2)(A), which would permit a broader range of uses and disclosures without authorization, in order to engage in health promotion activities that might otherwise be considered marketing.
Response: In the final rule, we make several changes to the definitions of treatment, payment, and health care operations that are intended to clarify the uses and disclosures of protected health information that may be made for each purpose. See § 164.501 and the corresponding preamble discussion regarding the definitions of these terms. We also have added a definition of the term "marketing" to help establish the boundary between marketing and treatment, payment, and health care operations. See § 164.501. We also clarify the conditions under which authorization is or is not required for uses and disclosures of protected health information for marketing purposes. See § 164.514(e). Due to these changes, we believe it is appropriate to retain the wording from proposed § 164.506(a)(1)(i).
Comment: We received a wide variety of suggestions with respect to authorization for uses and disclosures of protected health information for marketing purposes. Some commenters supported requiring authorization for all such uses and disclosures. Other commenters suggested permitting all such uses and disclosures without authorization.
Some commenters suggested we distinguish between marketing to benefit the covered entity and marketing to benefit a third party. For example, a few commenters suggested we should prohibit covered entities from seeking authorization for any use or disclosure for marketing purposes that benefit a third party. These commenters argued that the third parties should be required to obtain the individual's authorization directly from the individual, not through a covered entity, due to the potential for conflicts of interest.
While a few commenters suggested that we require covered entities to obtain authorization to use or disclose protected health information for the purpose of marketing its own products and services, the majority argued these types of marketing activities are vital to covered entities and their customers and should therefore be permitted to occur without authorization. For example, commenters suggested covered entities should be able to use and disclose protected health information without authorization in order to provide appointment reminders, newsletters, information about new initiatives, and program bulletins.
Finally, many commenters argued we should not require authorization for the use or disclosure of protected health information to market any health-related goods and services, even if those goods and services are offered by a third party. Some of these commenters suggested that individuals should have an opportunity to opt out of these types of marketing activities rather than requiring authorization.
Response: We have modified the final rule in ways that address a number of the issues raised in the comments. First, the final rule defines the term marketing, and excepts certain communications from the definition. See § 164.501. These exceptions include communications made by covered entities for the purpose of describing network providers or other available products, services, or benefits and communications made by covered entities for certain treatment-related purposes. These exceptions only apply to oral communications or to written communications for which the covered entity receives no third-party remuneration. The exceptions to the definition of marketing fall within the definitions of treatment and/or health care operations, and therefore uses, or disclosures to a business associate, of protected health information for these purposes are permissible under the rule without authorization.
The final rule also permits covered entities to use protected health information to market health-related products and services, whether they are the products and services of the covered entity or of a third party, subject to a number of limitations. See § 164.514(e). We permit these uses to allow entities in the health sector to inform their patients and enrollees about products that may benefit them. The final rule contains significant restrictions, including requirements that the covered entity disclose itself as the source of a marketing communication, that it disclose any direct or indirect remuneration from third parties for making the disclosure, and that, except in the cases of general communications such as a newsletter, the communication disclose how the individual can opt-out of receiving additional marketing communications. Additional requirements are imposed if the communication is targeted based on the health status or condition of the proposed recipients.
We believe that these modifications address many of the issues raised by commenters and provide a substantial amount of flexibility as to when a covered entity may communicate about a health-related product or service to a patient or enrollee. These communications may include appointment reminders, newsletters, and information about new health products. These changes, however, do not permit a covered entity to disclose protected health information to third parties for marketing (other than to a business associate to make a marketing communication on behalf of the covered entity) without authorization under § 164.508.
Comment: A few commenters suggested we prohibit health care clearinghouses from seeking authorization for the use or disclosure of protected health information for marketing purposes.
Response: We do not prohibit clearinghouses from seeking authorizations for these purposes. We believe, however, that health care clearinghouses will almost always create or obtain protected health information in a business associate capacity. Business associates may only engage in activities involving the use or disclosure of protected health information, including seeking or acting on an authorization, to the extent their contracts allow them to do so. When a clearinghouse creates or receives protected health information other than as a business associate of a covered entity, it is permitted and required to obtain authorizations to the same extent as any other covered entity.
Comment: A few commenters suggested we require covered entities to publicly disclose, on the covered entity's website or upon request, all of their marketing arrangements.
Response: While we agree that such a requirement would provide individuals with additional information about how their information would be used, we do not feel that such a significant intrusion into the business practices of the covered entity is warranted.
Comment: Some commenters argued that if an activity falls within the scope of payment, it should not be considered marketing. Commenters strongly supported an approach which would bar an activity from being construed as "marketing" even if performing that activity would result in financial gain to the covered entity. In a similar vein, we were urged to adopt the position that if an activity was considered payment, treatment or health care operations, it could not be further evaluated to determine whether it should be excluded as marketing.
Response: We considered the approach offered by commenters but decided against it. Some activities, such as the marketing of a covered entity's own health-related products or services, are now included in the definition of health care operations, provided certain requirements are met. Other types of activities, such as the sale of a patient list to a marketing firm, would not be permitted under this rule without authorization from the individual. We do not believe that we can envision every possible disclosure of health information that would violate the privacy of an individual, so any list would be incomplete. Therefore, whether or not a particular activity is considered marketing, payment, treatment or health care operations will be a fact-based determination based on the activity's congruence with the particular definition.
Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They suggested we adopt a definition of disease management that differentiates use of information for the best interests of patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.
Response: We agree in general that the sale of unrelated products to individuals is not a population-based activity that supports treatment and payment. However, in certain circumstances marketing activities are permitted as a health care operation; see the definition of "health care operations" in§ 164.501 and the related marketing requirements of § 164.514.
Comment: Some commenters complained that the absence of a definition for disease management created uncertainty, in view of the proposed rule's requirement to get authorization for marketing. They expressed concern that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses. They also stated that the proposed rule would prevent many disease management and preventive health activities.
Response: We agree that the distinction in the NPRM between disease management and marketing was unclear. Rather than provide a definition of disease management, this final rule defines marketing. We note that overlap between disease management and marketing exists today in practice and they cannot be distinguished easily with a definitional label. However, for purposes of this rule, the revised language makes clear for what activities an authorization is required. We note that under this rule many of the activities mentioned by commenters will not require authorizations under most circumstances. See the discussion of disease management under the definition of "treatment" in § 164.501.