Under the HIPAA Privacy Rule, sale of PHI is generally prohibited.
What Constitutes a Sale of PHI?
Generally, under the HIPAA Privacy Rule, covered entities and business associates may not engage in a sale of an individual’s protected health information (PHI) without the individual’s prior written authorization to do so.
A sale of PHI takes place when a covered entity or business associate:
- Directly or indirectly receives remuneration,
- From or on behalf of the recipient of the PHI,
- In exchange for the PHI.
Remuneration can consist of both financial remuneration (i.e., money, cash, checks) as well as non-financial remuneration.
Patient PHI may not be sold without the patient first providing prior written authorization to a sale.
In addition, generally, a covered entity may not refuse to treat a patient solely because the patient refused to provide an authorization permitting the covered entity to engage in sale of PHI. In other words, treatment cannot be made dependent on authorizing sale of PHI.
Are There Exceptions That Permit Sale of PHI Without Written Authorization?
Under the Privacy Rule, the term “sale of protected health information” does not include disclosure of protected health information (and therefore, written authorization is not required):
- For public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
- For research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
- For purposes of treatment and payment, as allowed under the Privacy Rule;
- For the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
- To the patient when the patient requests the PHI (provided the fees amounts are compliant with the right of access); and
- Required by law.
