May 2013 Volume 9 Number 9

Marketing under the HIPAA Megarule: The Rules Become Tighter

By Peter D. Ricoy, Schwabe, Williamson, & Wyatt, P.C., Portland, Oregon

AuthorBy design, using an individual’s protected health information (“PHI”) for marketing purposes has never been easy under the HIPAA Privacy Rule.1 That rule generally prohibits the use of PHI for marketing without an individual’s authorization.2 In 2009 Congress passed the HITECH Act, imposing additional limitations on certain marketing communications that were previously permitted without an authorization.3 Most recently, on January 25, 2013 the Department of Health and Human Services (“HHS”) published in the Federal Register the final HIPAA omnibus rule (the “Megarule”), which tightened further the situations under which a covered entity may use PHI for marketing without an authorization.4 Lawyers should be prepared to understand the new rule, and particularly the concept of “financial remuneration,” to be able to examine clients’ marketing arrangements in light of the changes.

Background of HIPAA’s Marketing Rule

When the HIPAA Privacy Rule was first proposed in November 1999, HHS made clear that the regulations were intended to make the exchange of PHI easy for healthcare purposes, but more difficult for other purposes such as marketing.5 In promulgating the original final rule about a year later, HHS cited several examples of privacy breaches to underscore the need for regulation.6 In one example, an Orlando woman received a letter from a drug company promoting a treatment for her high cholesterol a few weeks after visiting with her doctor.7 In another, a consumer products company was found to be marketing a list of 5 million names and addresses of elderly incontinent women.8 HHS cited a poll indicating that 85 percent of respondents believed that protecting the confidentiality of medical records was very or absolutely essential.9

To address these concerns, HHS created the Privacy Rule’s basic framework for limiting the use of PHI in marketing. That rule generally requires a covered entity to obtain an authorization from an individual for any use or disclosure of PHI for marketing.10 Subject to certain exceptions (described below), “marketing” generally means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. The rule permits a covered entity to make a face-to-face communication to an individual for marketing without an authorization, and also permits a covered entity to provide a promotional gift of nominal value, such as a calendar or pen.11 Prior to passage of the HITECH Act, three types of communications were excluded from the definition of marketing: (i) communications describing a health-related product or service provided by or included in the covered entity’s plan of benefits; (ii) communications made for the treatment of the individual; and (iii) communications for case management, care coordination or to direct or recommend alternative treatments.

HITECH Act Required Changes

In 2009 Congress passed the HITECH Act, which imposes additional limitations on the three types of communications listed above.12 In particular, the HITECH Act prohibits those communications without an authorization if the covered entity receives direct or indirect payment in exchange for making the communications.13 The HITECH Act also explicitly permits subsidized communications to be made without an authorization to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, but only if the amount paid to the covered entity is reasonable in amount.14 Left unanswered by the HITECH Act, however, was Congress’ intent for how subsidized communications for the treatment of an individual should be handled. The HITECH Act also charged HHS with determining what constitutes reasonable payment for refill reminders.

Megarule Changes: The New Requirements for Marketing Communications

The Megarule codified the additional HITECH Act limitations explained above, and also addressed subsidized communications for treatment. In particular, the Megarule reversed the direction that HHS had originally taken in the 2010 proposed rule, and determined that subsidized treatment communications also generally require authorization.15 Thus, the Privacy Rule, as amended by the Megarule, excludes from the definition of marketing the following types of communications, but only if the covered entity does not receive financial remuneration in exchange for making the communication:

  • Communications for treatment of an individual by a healthcare provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual;
  • Communications to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a healthcare provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
  • Communications for case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

The Megarule did not make any changes to the existing exceptions for face-to-face communications or for promotional gifts of nominal value. Those both continue to be permitted regardless of whether they are subsidized communications. The Megarule also codified the HITECH Act exception that permits covered entities to provide subsidized communications for refill reminders for a drug or biologic that is currently being prescribed for the individual, and determined that payments to covered entities for such reminders are reasonable only if they are reasonably related to the covered entity’s cost of making the communications, such as postage.16

Financial Remuneration Rules

Because the Megarule now imposes an authorization requirement in the situations described above where the covered entity receives “financial remuneration,” understanding what constitutes financial remuneration is critical to any analysis of a marketing arrangement. The Megarule defines “financial remuneration” as the “direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.”17 Three features of the definition are worth emphasizing.

First, under HIPAA’s Privacy Rule, merely having a “financial relationship” between the third party and the covered entity is not sufficient by itself to implicate the rule. Instead, under HIPAA’s Privacy Rule the purpose of the financial remuneration must specifically be to pay the covered entity to make a communication that encourages individuals to purchase or use the third party’s product or service.18 In the commentary to the Megarule, HHS explained that “indirect” payment means that the financial remuneration to the covered entity flows through a third party.19 An alternative interpretation of “indirect” might have also considered indirect compensation to be present in cases where compensation was paid directly to the covered entity, but where the payment was made for some other purpose. HHS stated in commentary to the Megarule, however, that “[i]f the financial remuneration received by the covered entity is for any purpose other than for making the communication, then this marketing provision does not apply.”20 As an example, HHS explained that a covered entity would not need to obtain authorizations prior to sending communications encouraging individuals to participate in the covered entity’s disease management program, even if a third party provided financial remuneration to the covered entity to implement the program, as long as the communications were directing individuals to the covered entity’s program, and not the third party’s product or service.21

Second, HHS confirmed that financial remuneration does not include non-financial benefits, such as in-kind benefits provided in exchange for making a communication.22 As an example, HHS stated that if materials describing a member-exclusive value-added health product or service were provided to a covered entity, but no payment was made to the covered entity, the covered entity would be able to provide the material to the covered entity’s members without requiring an authorization.23

Third, the marketing rule is implicated only if a payment is made from or on behalf of a third party whose product or service is being described.24 For example, no authorization would be required to fund a covered entity’s mailings to patients encouraging the use of new mammography screening equipment if the funding was provided by an organization other than the equipment manufacturer, such as a breast cancer foundation.25


Regulators have purposefully imposed requirements on covered entities that make it difficult to use an individual’s PHI for marketing purposes without first signing an authorization. Those requirements were tightened when Congress passed the HITECH Act, and again most recently with the publication of the Megarule. Lawyers with clients that use PHI for marketing should carefully reexamine those relationships, and particularly the concept of financial remuneration, to ensure that practices previously permitted without an authorization are permissible under the new rules.


“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 (Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996). The “Privacy Rule” refers to the federal regulations issued under HIPAA that address the Standards for Privacy of Individually Identifiable Health Information, and are found at 45 C.F.R. § 164.500 et seq.


See 45 C.F.R. § 164.508(a)(3).


“HITECH Act” refers to the Health Information Technology for Economic and Clinical Health Act, which was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. Law 111-5.


Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (January 25, 2013).


See 64 Fed. Reg. 59918, 59940 (November 3, 1999).


See 65 Fed. Reg. 82462, 82457 (December 28, 2000).






See 45 C.F.R. § 164.508(a)(3).

12See Sec 13406 of the American Recovery and Reinvestment Act of 2009, Pub. Law 111-5.
15Under the rule initially proposed by HHS on July 14, 2010, subsidized treatment communications would have been permitted without an authorization, but would have required the notice of privacy practices to include a statement informing individuals about the subsidized treatment communications. Those communications also would have been conditioned on giving individuals an opportunity to opt out of receiving those subsidized treatment communications. In response to the proposed rule, HHS received many comments seeking to clarify the distinction between communications for treatment versus communications for operations. HHS determined that it would be difficult to precisely define that distinction. Therefore, in the final rule HHS decided that the better policy is to simply treat all subsidized communications the same by requiring an authorization regardless of whether the communications are for treatment or operations. See 78 Fed. Reg. 5566, 5595 (January 25, 2013).
16See 45 C.F.R. § 164.501 (definition of “Marketing”) and 78 Fed. Reg. 5566, 5597 (January 25, 2013).
18See 78 Fed. Reg. 5566, 5596 (January 25, 2013).
19See 78 Fed. Reg. 5566, 5595 (January 25, 2013).
20See 78 Fed. Reg. 5566, 5596 (January 25, 2013).

See 78 Fed. Reg. 5566, 5597 (January 25, 2013).


See 45 C.F.R. § 164.501 (definition of Marketing) and 78 Fed. Reg. 5566, 5593 (January 25, 2013).



The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.