DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Under the HIPAA Privacy Rule, a sale of PHI takes place when a covered entity directly or indirectly receives remuneration, from or on behalf of the recipient of the PHI, in exchange for the PHI. Remuneration can consist of both financial remuneration (e.g., money, cash, checks) as well as non-financial remuneration.
Generally, a covered entity must obtain an authorization for any disclosure of PHI that is a sale of PHI. Generally, the authorization must state that the disclosure will result in remuneration to the covered entity.
Generally, a covered entity may not refuse to treat a patient solely because the patient refuses to provide an authorization permitting the covered entity to engage in sale of PHI. In other words, treatment cannot be made dependent on authorizing the sale of PHI.
Are There Exceptions That Permit Sale of PHI Without Written Authorization?
Under the Privacy Rule, the term “sale of protected health information” does not include disclosure of protected health information (and therefore, written authorization is not required):
- For public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
- For research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
- For treatment and payment purposes;
- For the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
- To the patient when the patient requests the PHI;
- Required by law; and
- For any other purpose permitted by and in accordance with the HIPAA Privacy Rule, where the only remuneration received bby the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article