HIPAA: Individual Authorization Is Required Before Any Sale of PHI
Definition of Sale of PHI
Under HIPAA, a “sale of PHI” means a disclosure of protected health information by a covered entity or a business associate in which the disclosing party receives remuneration—direct or indirect, monetary or other valuable consideration—from or on behalf of the recipient in exchange for the PHI.
The concept is broad. It covers providing access to, transferring, licensing, or leasing PHI, not just a traditional “sale.” Remuneration can be cash, in-kind benefits, credits, or other items of value.
What is and isn’t a sale
- Is a sale: A pharmacy discloses a list of patients who use a certain drug to a manufacturer in return for payment.
- Is a sale: A data broker pays a covered entity to obtain identifiable claims data for analytics.
- Not a sale: Disclosures of de-identified information (properly de-identified) because de-identified information is not PHI.
- Not a sale: Fees that merely cover reasonable, cost-based expenses to prepare and transmit PHI (e.g., secure media, postage).
- Not a sale: Payments from a covered entity to its business associate for services under a business associate agreement.
Key related terms you should recognize include Covered Entity, Business Associate, Direct Remuneration, Indirect Remuneration, and De-identified Information.
Authorization Requirement for Sale of PHI
Before any sale of PHI, you must obtain the individual’s written authorization. No disclosure that constitutes a sale of PHI may occur without it. A business associate also must not sell PHI unless the covered entity has secured a valid authorization that expressly permits the sale.
The authorization must clearly state that the disclosure will result in remuneration to the covered entity or business associate. This requirement is in addition to the standard authorization elements and ensures the individual understands the commercial nature of the exchange.
Operational steps
- Confirm that the contemplated disclosure involves remuneration beyond reasonable, cost-based fees.
- Present a written authorization that includes all required content and the specific remuneration statement.
- Validate identity, obtain signature and date, and provide a copy to the individual.
- Disclose only the PHI described in the authorization and retain the record for compliance.
Many marketing activities intersect with the sale-of-PHI rule. If you intend to disclose identifiable lists or profiles to a third party for marketing purposes in exchange for value, you will almost certainly need written authorization.
Exceptions to Authorization Requirement
HIPAA recognizes limited circumstances in which a disclosure that involves value exchange is not treated as a “sale of PHI,” and therefore does not require individual authorization. Even when an exception applies, all other HIPAA conditions (e.g., minimum necessary, safeguards) still apply.
Common exceptions
- Public health activities: Disclosures permitted for public health purposes where any remuneration is limited to a reasonable, cost-based fee for preparing and transmitting PHI.
- Research: Disclosures for research where any payment received is a reasonable, cost-based fee to cover preparation and transmission (not profit).
- Treatment, payment, and health care operations: Disclosures otherwise permitted for these purposes, with only reasonable, cost-based fees for preparing and sending PHI.
- Sale, transfer, merger, or consolidation: Disclosures necessary for such transactions and related due diligence.
- Business associate services: Disclosures to or by a business associate (or subcontractor) to perform services on behalf of a covered entity under a business associate agreement.
- Individual right of access: Providing PHI to the individual (or to a third party at the individual’s direction where permitted) for a reasonable, cost-based fee.
- Required by law: Disclosures you must make under applicable law.
Note that a limited data set is still PHI, so these exceptions—and the cost-based fee limitation—matter when you disclose a limited data set. By contrast, properly de-identified information falls outside the rule.
Content of Authorization
A valid written authorization for a sale of PHI must meet HIPAA’s general authorization requirements, plus include a specific remuneration statement.
Required elements
- Description of the PHI to be disclosed, specific and bounded.
- Who is authorized to disclose and who may receive the PHI.
- Purpose of the disclosure (or “at the request of the individual”).
- Expiration date or event.
- Signature and date of the individual (or personal representative) with authority verification.
- Statement of the right to revoke and how to do so, and that revocation does not affect disclosures already made in reliance.
- Notice of potential redisclosure by the recipient, if not subject to HIPAA.
- Specific statement: “This disclosure will result in remuneration to the covered entity/business associate.”
Authorizations must be written in plain language. Avoid bundling; the authorization for sale of PHI should be distinct so the individual can make an informed choice.
Prohibition on Conditioning Treatment
You may not condition treatment, payment, enrollment, or eligibility for benefits on an individual signing an authorization for the sale of PHI. Patients should receive care regardless of whether they agree to a commercial disclosure of their information.
HIPAA recognizes narrow exceptions to the general prohibition on conditioning authorizations (for example, certain research-related treatment or specific health plan functions permitted by law), but those are limited and typically do not apply to authorizations for sale of PHI. When in doubt, provide treatment without requiring such authorization.
Remuneration Definition
For the sale-of-PHI rule, “remuneration” includes both direct and indirect remuneration and can be monetary or non-monetary.
Direct vs. indirect remuneration
- Direct Remuneration: Cash payment or obvious financial compensation paid to the covered entity or business associate in exchange for PHI.
- Indirect Remuneration: Value provided through third parties or in-kind benefits, such as credits, discounted services, enhanced software access, or other items of value tied to receiving PHI.
Reasonable, cost-based fees that merely cover the labor, supplies, and postage (or secure electronic transmission costs) to prepare and send PHI are not considered remuneration for a sale.
Revocation of Authorization
An individual may revoke authorization at any time, provided the revocation is in writing. Once you receive and process the revocation, you must stop making disclosures under that authorization. Revocation does not affect actions already taken in reliance on the authorization before it was revoked.
Practical compliance tips
- Explain, in your authorization form, how and where to submit revocations.
- Document revocations and promptly notify any business associates to cease further disclosures tied to the authorization.
- Retain authorizations and revocations for the required HIPAA recordkeeping period.
Conclusion and Key Takeaways
In HIPAA, any disclosure of PHI made in exchange for value is tightly regulated. Unless a narrow exception applies, you must obtain a written authorization that explicitly states the disclosure will result in remuneration. You cannot condition treatment on obtaining it. Understand what counts as direct or indirect remuneration, use cost-based fees where permitted, and honor an individual’s right to revoke to keep your marketing activities and data-sharing practices compliant.
FAQs
What constitutes a sale of PHI under HIPAA?
A sale of PHI occurs when a covered entity or business associate discloses PHI and receives direct or indirect remuneration—money or other valuable consideration—from or on behalf of the recipient in exchange for that PHI. It includes providing access to, licensing, or transferring PHI. Cost-based fees to prepare and transmit PHI and disclosures of de-identified information are not sales.
When is individual authorization required before the sale of PHI?
Authorization is required before any sale of PHI by a covered entity or business associate unless a specific HIPAA exception applies. The authorization must be written, signed, describe the PHI and purpose, include an expiration, and expressly state that the disclosure will result in remuneration to the disclosing party.
What exceptions allow sale of PHI without individual authorization?
HIPAA permits certain disclosures without authorization when the exchange is limited to reasonable, cost-based fees, including for public health activities, research, treatment/payment/health care operations, business associate services, individual right of access, required-by-law disclosures, and in connection with a sale, transfer, merger, consolidation, or related due diligence of a covered entity.
Can an individual revoke authorization after it has been given?
Yes. An individual can revoke authorization at any time by submitting a written revocation. After you receive and process it, you must stop further disclosures under that authorization. Revocation does not undo disclosures already made in reliance on the authorization.