HIPAA Core Policy: Use & Disclosure of Health Information for Marketing   



This policy establishes guidelines for the use and disclosure of health information for purposes of marketing by UAB/UABHS Covered Entities in compliance with the Health Insurance Portability and Accountability Act and Alabama state law.

Effective Date: 8/22/2019


Review/Revised Date: 4/26/2022


Category: Ethics and Integrity


Policy Owner: Provost

Policy Contact: Chief Privacy Officer



1. PURPOSE: To ensure that UAB covered entities implement and maintain policies for the use and disclosure of health information for purposes of marketing in compliance with all Health Insurance Portability and Accountability Act (“HIPAA”) regulations and Alabama state law.

2. PHILOSOPHY: UAB values and promotes business practices respecting the confidentiality of health information.

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, An Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., and Valley Foundation. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164. The following definitions are relevant to this policy:
Authorization: A document that is required to be signed by the patient to use and disclose specified protected health information for specified purposes. It may be required in some circumstances in order to conduct marketing.
Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the UAB covered entity holding the information.
Marketing: Except as provided below, a communication about a product or service to encourage recipients of the communication to purchase or use the product or service.

  • Marketing does NOT include the following communications made by UAB if UAB is not paid for these communications:
    • To provide refill reminders or otherwise communicate about drugs being prescribed for the patient (UAB may be reimbursed for the costs of the communication)
    • To describe products or services available from UAB’s participation in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits
    • As part of the treatment of the individual and for the purpose of furthering the treatment of that individual
    • For case management or care coordination for that individual or information to direct or recommend alternative treatment, therapy, health care provider, or setting of care
    • For face-to-face communications and promotional gifts of nominal value
Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and excepted by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.
Remuneration: Direct or indirect payment from or on behalf of a third party whose product or service is being described; does not include non-financial (in-kind) benefits.

A. Use and Disclosure of PHI for Marketing
1. UAB will only use or disclose PHI for Marketing in accordance with the requirements set forth in this policy.
2. UAB will not accept any remuneration from third parties in return for disclosing PHI to them for purposes of Marketing.
3. Use or Disclosure of PHI for Activities Excluded from Marketing. UAB may use or disclose PHI for the activities described as exceptions to Marketing as described in the Marketing definition above without obtaining patient authorization.
4. Use or Disclosure of PHI for Marketing
a. UAB Covered Entities may not use or disclose PHI for Marketing, unless the UAB Covered Entity obtains a patient’s signature on the appropriate HIPAAcompliant Authorization.
1) The Authorization must specifically describe, among other things, the purpose of the disclosure, the information to be disclosed, and the third party recipients.
2) UAB Covered Entities cannot condition the availability of treatment on requiring an Authorization for third-party marketing.
3) If the marketing is expected to result in direct or indirect remuneration to UAB from a third-party, the Authorization must state that remuneration is expected.
b. Completed authorization forms must be kept for a minimum of six (6) years to ensure compliance with HIPAA regulations.
B. All health-, clinical-, and medical-related Marketing intended for existing patients and consumers should be approved by and conducted under the purview of UAB Medicine Enterprise Department of Marketing and Communications. This includes marketing that is conducted for specific target audience(s) developed using PHI, as well as those where PHI will be collected.
C. Each UAB Covered Entity shall develop procedures to implement the requirements of this policy.


7. SCOPE: This policy applies to all UAB Covered Entities and to UAB Medicine Enterprise Covered Entities identified in Section 3.

8. ATTACHMENTS: Note: HIPAA forms may be found on the UAB/UAB Medicine Enterprise HIPAA website at www.HIPAA.uab.edu