No. The Privacy Rule’s limitations on the use or disclosure of protected health information for marketing purposes do not exist in most States today. For example, the Rule requires patients’ authorization for the following types of uses or disclosures of protected health information for marketing:
Selling protected health information to third parties for their use and re-use. Thus, under the Rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.
Disclosing protected health information to outsiders for the outsiders’ independent marketing use. Under the Rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions without an authorization.
Without these Privacy Rule restrictions, these activities could occur with no authorization from the individual in most jurisdictions. In addition, if a State law provided additional limitations on disclosures of information for related activities, the Privacy Rule generally would not interfere with those laws.
Moreover, under the “business associate” provisions of the Privacy Rule, a covered entity may not give protected health information to a telemarketer, door-to-door salesperson, or other third party it has hired to make permitted communications (for example, about a covered entities’ own goods and services) unless that third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers. See the fact sheet and frequently asked questions on this web site about the business associate standard for more information.