What are the HIPAA Rules on the Sale of PHI?

Modified on Mon, 11 Dec, 2023 at 12:23 PM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  

Under the HIPAA Privacy Rule, a sale of PHI takes place when a covered entity directly or indirectly receives remuneration, from or on behalf of the recipient of the PHI, in exchange for the PHI.

Generally, a covered entity must obtain an authorization for any disclosure of PHI that is a sale of PHI. The authorization must state that the disclosure will result in remuneration to the covered entity.

Remuneration can consist of both financial remuneration (i.e., money, cash, checks) as well as non-financial remuneration.  
Patient PHI may not be sold without the patient first providing prior written authorization to a sale. In addition, generally, a covered entity may not refuse to treat a patient solely because the patient refused to provide an authorization permitting the covered entity to engage in sale of PHI. In other words, treatment cannot be made dependent on authorizing sale of PHI. 

 Are There Exceptions That Permit Sale of PHI Without Written Authorization?
 Under the Privacy Rule, the term “sale of protected health information” does not include          disclosure of protected health information (and therefore, written authorization is not required):

  • For public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
  • For research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
  • For purposes of treatment and payment, as allowed under the Privacy Rule;
  • For the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
  • To the patient when the patient requests the PHI (provided the fees amounts are compliant with the right of access); and
  • Required by law.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article