Is sharing my patient list with a marketing company OK under HIPAA?

February 11th, 2017

We received this questions via Ask Erik from the head of a Dental Practice (who wished to remain anonymous):

“I want to create a Refer-a-Friend program, for a dental practice, that will be managed by a third party marketing agency.  The third party needs only my patient names and address to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.

Because I am ‘Marketing” to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:

* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)

* Because my PHI is de-identified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?

* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?

NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.

Also, on the mail list for the Refer-a-Friend marketing program, there will be names other than patients, probably about 5% are not patients. Does this influence the phi/non-phi question?

This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.

If a mailing list, for a dentist, that contains 95% patients and 5% non-patients, and NO health information (just names and addresses)… is it considered PHI?”

LuxSci’s Answer:


There are two different questions here … one about marketing under HIPAA and one questioning if the mailing list if PHI.  These are actually quite related.

As the questioner indicated, identifiable information about a person’s past medical history is PHI.  So this ends up being simple, though subtle.

If you tell the marketing company that “this is a list of our current and previous patients” (either directly or indirectly so that it can be easily inferred from the marketing content), then the marketing company will know that these are your patients and that could be considered PHI.  This is true even if in fact a small fraction of the people on the list are not really your former patients.  If you do not tell the marketing company that these are your patients and the marketing effort itself in now way implies this, then the information is not PHI.  However, in your case if you are selling your products to primarily your patients, it may not be easy to establish this separation.

If no PHI is involved (per the above), then the HIPAA marketing question is moot and you only need to deal with the normal marketing issues of ensuring the legitimacy of sending these people commercial marketing messages.  If they are all your former patients, then they have a previous business relationship with you and establishing legitimacy is pretty straight forward.

If PHI is involved, then you (a) need a HIPAA business associate agreement with the marketing company, and (b) you may need concert from your patients before marketing to them based on this PHI.

When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

  1. When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  2. The communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

I hope this helps.  As always, LuxSci recommends that you pass you decision and the specifics of your situation and plan before a HIPAA lawyer before making any final decisions.  As you can see, the devil can be in the details.