A Summary of the Proposed HIPAA Regulations Implementing HITECH



A covered entity (CE) must obtain an individual’s authorization prior to using or disclosing protected health information (PHI) about the individual for marketing purposes unless the use or disclosure satisfies an exception.40  Marketing is defined as a “. . . communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”41  Although this term is broad, the Privacy Rule carves out several exceptions to the authorization requirement that depend on the communication’s purpose and form.42  For example, authorization is not required for marketing communications that are made in a face-to-face conversation or in the form of a promotional gift of nominal value.43


In response to concerns that the health care operations exception allowed too many commercial uses and disclosures of PHI without individual authorization, the HITECH Act amended the Privacy Rule to require authorization for certain health care operations communications if the covered entity receives financial remuneration44 for making the communication.45  For example, consistent with the amendment, the HHS Proposed Rule would require a covered entity to obtain individual authorization for the following subsidized health care operations communications: 1) a covered entity’s communications describing health-related products or services (or payment of such products or services) offered in a benefits plan, including communications about entities participating in certain provider or plan networks; entities replacing or enhancing a health plan; and services or products that add value to and are not currently part of an enrollee’s health plan;46 and 2) communications for case management or care coordination, and contacting individuals about alternative treatments, to the extent these activities do not fall within the Privacy Rule’s definition of treatment.47  In addition, the NPRM imposes restrictions (beyond those listed in HITECH) for treatment-related communications made in exchange for financial remuneration, including: 1) a statement in the Notice of Privacy Practices (NPP) informing the individual that the provider may send subsidized treatment communications and 2) disclosure in the treatment communication that the communication was made in exchange for payment, along with a clear and conspicuous opportunity for the individual to elect not to receive any future subsidized communications.48  However, providers are still allowed to make subsidized written treatment communications without authorization for purposes of care coordination or management.49



  • 40. 45 C.F.R. §§ 164.501, 164.514(f), 164.508(a)(4)(i); see also Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,884, 40,918, 40,921-23, 40,890-91 (to be codified at 45 C.F.R. pt. 164).
  • 41. 45 C.F.R. § 164.501.
  • 42. Id.; 45 C.F.R. § 164.508(a)(3).
  • 43. 45 C.F.R. § 164.508(a)(3).
  • 44. HHS proposes to replace the phrase “direct or indirect payment” with “financial remuneration,” which is defined as “direct or indirect payment from or on behalf of a third party whose product or service is being described.” Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,918 (to be codified at 45 C.F.R. § 164.501).
  • 45. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13406(a)(4), 123 Stat. 269-70 (2009) (codified at 42 U.S.C. 17936(a)(4)).
  • 46. Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,918 (to be codified at 45 C.F.R. § 164.501).
  • 47. Id.
  • 48. Id. at 40,923 (to be codified at 45 C.F.R. § 164.514(f)(2)).
  • 49. Id. at 40,918 (to be codified at 45 C.F.R. § 164.501).