Protections, Limitations, Prohibitions and More: Important Modifications to Privacy Rule

Health Law Alert

February 14, 2013

This Health Law Alert is the fifth in a six-part series Hinshaw & Culbertson LLP is publishing detailing the significant changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, enforcement and breach notification rules as part of the Omnibus Final Rule (Final Rule) issued by the U.S. Department of Health and Human Services.

This Health Law Alert discusses several modifications to the Privacy Rule impacting covered entities. These modifications were made in order to strengthen the privacy and security protections established under HIPAA for individuals’ protected health information (PHI). The Final Rule:


The Final Rule modifies the definition of “marketing” and requires covered entities to obtain patient authorization before sending patients “marketing” communications that are paid for by third parties. In this respect, the Final Rule defines “marketing” as a communication about a health-related product or service for which the covered entity receives financial remuneration, in exchange for making the communication, from a third party that would benefit financially. The definition of “marketing” does not include:


Under the old rules, a covered entity could, without authorization, use or disclose for purposes of raising funds for its own benefit only demographic information related to the individual, health insurance status, and the dates of the health care provided to the individual. Under the Final Rule, demographic information may include name, address, contact information, age, and gender. In addition, the Final Rule permits use and disclosure of generic department of service information, treating physician information and outcome results.

Under the Final Rule, the covered entity may not use or disclose PHI for fundraising purposes unless an opt-out statement required by the Final Rule is included in the covered entity’s Notice of Privacy Practices. With each fundraising communication made to an individual under the provisions, the covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communication. The method for the individual to elect not to receive the fundraising information may not cause the individual to incur an undue burden or more than a nominal cost. Furthermore, a covered entity may not condition treatment or payment on the individual’s choice with respect to the receipt of the fundraising communication, and the covered entity may not make fundraising communications where the individual has elected not to receive such communication.

Genetic Information

The Final Rule prohibits the use and disclosure of genetic information by health plans that are covered entities for underwriting purposes. A health plan — excluding an insurer of long-term care policies — may not use or disclose PHI that is genetic information for underwriting purposes. “Underwriting purposes” means:

Sale of Protected Health Information

The Final Rule prohibits the sale of PHI. “Sale” is defined as a disclosure of PHI by a covered entity or business associate where the covered entity or business associate receives remuneration from the recipient of the PHI. Sale of PHI may also include agreements to access or license PHI and lease agreements.

The Final Rule expressly prohibits covered entities or business associates from receiving remuneration in exchange for disclosing PHI unless the covered entity obtains patient authorization or an exception applies. No authorization is required:

Proof of Immunization

A covered entity may provide to a school proof of immunization of a student or prospective student if the school is required by state or other laws to have such proof of immunization prior to admitting the student, and the covered entity obtains and documents the agreement for disclosure, either from a parent, guardian or other person acting in place of the parent, or the student, if the student is an adult or emancipated minor.

Disclosure to Family Member

If an individual is deceased, a covered entity may disclose PHI to a family member, or other person identified, who was involved in the individual’s care or payment for health care prior to the individual’s death, unless the individual makes known to the covered entity an express contrary preference.

These significant changes in the Privacy Rule must be incorporated into the privacy practices and policies of applicable covered entities. For further information, please contact Roy M. Bossen or your regular Hinshaw attorney.


This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.