HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets standards for health-information privacy and security and for the electronic exchange of health information. Physicians and pharmacies, as well as other health-care providers and facilities, all must follow the law to protect prescription information and medical treatments as private patient health information.

But HIPAA is one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. HIPAA rules have been amended several times over the course of its development and each amendment has created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, health care, and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.

The HIPAA marketing rules were modified in the final Privacy Rule, making them slightly more comprehensible. (The entire Privacy Rule can be found here.)

But the holes in the marketing restrictions are big enough to drive an entire health-care marketing industry through. Under HIPAA's current rules, marketing is defined as making "a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." If the marketing uses protected health information (personally identifiable to the patient), it generally requires the patient's prior written authorization.

Because of the strict requirement of obtaining the patient's prior written authorization, exceptions to the definition of marketing are crucial to marketers. As a result, "marketing" expressly excludes several very broad categories of communications, considered to be "communications that enhance the individual's access to quality health care." The broadest exceptions relate to information about or recommendations of treatment, case management, coordination of care, and new or alternative therapies or services.

The three key exceptions to the definition of marketing include:

The case management or care coordination exception, which covers information provided to individual patients for furthering or managing the treatment of an individual, such as directing or recommending alternative treatments, therapies, health-care providers or care facilities;

The health-related or value-adding exception, which covers information about entities participating in, services provided, and benefits covered by a provider network or health plan, which also includes replacements to and enhancements of coverage under the plan but doesn't include communications of discounts or other items which are available to the general public; and

The communications that "promote health in a general manner" exception, which covers newsletters and other general-circulation information promoting health, as long as they don't endorse a specific product or service.

If communications qualify under one of the exceptions, these activities may be conducted either by an entity regulated by HIPAA--a pharmacy, doctor, etc.--or via a business associate, which requires a confidentiality agreement.