Under HIPAA, You Must Obtain Individual Authorization Before Any Sale of PHI

Kevin Henry

HIPAA

August 22, 2025

7 minute read

Definition of Sale of PHI

Under HIPAA, a “sale of PHI” occurs when a covered entity or business associate discloses protected health information in exchange for direct or indirect remuneration from, or on behalf of, the recipient. Remuneration may be monetary (for example, per-record fees or licensing revenue) or non‑monetary items or services that carry value.

This concept focuses on whether value is exchanged for the PHI itself, not merely for labor to prepare and transmit it. Reasonable, cost‑based fees to copy, package, or securely transmit PHI are not considered payment “for” the data. As part of covered entity compliance, treat any compensated transfer of identifiable data as a potential sale and analyze it carefully before proceeding.

What counts as PHI here?

PHI includes any individually identifiable health information maintained or transmitted in any form. De‑identified data that meet HIPAA’s de‑identification standards are not PHI and therefore are outside the sale-of‑PHI rule.

Authorization Requirement for PHI Sale

Before any sale of PHI, you must obtain a valid, written individual authorization from each affected person unless a specific HIPAA exception applies. The authorization must expressly state that the disclosure will result in remuneration to your organization (a PHI remuneration disclosure). This rule applies to both covered entities and business associates.

Verbal permission, blanket opt‑outs, or generalized consent are insufficient. Without the required authorization, a compensated disclosure of PHI is an impermissible disclosure subject to enforcement. Maintain individual authorization documentation as part of your compliance record.

Relation to HIPAA marketing regulations

Do not conflate “sale of PHI” with “marketing.” HIPAA marketing regulations separately require authorization when communications about a product or service are made in exchange for financial remuneration from a third party. A transaction can trigger both frameworks; evaluate each independently.

Exceptions to Authorization Requirement

HIPAA recognizes limited circumstances where a disclosure is not treated as a sale of PHI—provided any amount received is only a reasonable, cost‑based fee to cover preparing and transmitting the information (no profit component):

  • Public health activities (for example, reporting to public health authorities).
  • Research, when remuneration is limited to cost‑based fees to prepare and transmit PHI or a limited data set.
  • Treatment, payment, and certain health care operations, where any remuneration is strictly cost‑based and tied to preparation/transmission of PHI.
  • Sale, transfer, merger, consolidation, or similar transactions involving a covered entity (including related due diligence).
  • Disclosures to or by a business associate for activities performed on behalf of the covered entity, where payments reflect services rendered rather than the data itself.
  • Providing an individual with access to their own PHI or an accounting of disclosures, including permissible copy fees.
  • Disclosures required by law.

When you rely on an exception, document the legal basis and apply the minimum necessary standard when applicable (note: minimum necessary does not apply to disclosures for treatment).

Content Requirements for Authorization

To be valid, an authorization for a sale of PHI must include HIPAA’s core elements and required statements, plus a specific remuneration notice. Ensure each authorization contains:

Core elements

  • A description of the PHI to be disclosed (type, date range, data source).
  • The name or other specific identification of the person(s) authorized to disclose and the recipient(s) authorized to receive the PHI.
  • The purpose of the disclosure.
  • An expiration date or event.
  • The individual’s signature and date (or a personal representative’s, with authority described).

Required statements

  • A statement that the disclosure will result in remuneration to your organization (PHI remuneration disclosure).
  • Notice of the individual’s right to revoke the authorization in writing and how to do so.
  • A statement that information disclosed may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.
  • A statement indicating whether treatment, payment, enrollment, or eligibility for benefits may be conditioned on signing (see the prohibition and narrow exceptions below).

Electronic signature validity

You may obtain authorization electronically. To support electronic signature validity, capture identity, intent, and assent; retain time stamps, IP/device metadata, and a complete authorization image; and ensure integrity via tamper‑evident storage. Provide the individual a copy upon request.

Individual authorization documentation

Retain each signed authorization—and any revocation—for at least six years from the date of creation or the date it was last in effect, whichever is later. Store authorizations securely and ensure they are retrievable for audits and investigations.
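The content requirements, electronic-signature evidence, and retention rule above can be enforced mechanically before a record is accepted into the authorization store. The following is an added example (not code from the article or from Accountable) that checks a captured authorization record for the listed core elements, required statements and signature evidence, reports its status on a given date, verifies the stored document image against the hash captured at signing, and computes the six-year retention deadline from the later of creation or last-in-effect date. The field names and the sample record are assumptions constructed for the example.

```python
"""Sale-of-PHI authorization record checks (added example; field names are assumed)."""
from datetime import date
import hashlib

REQUIRED_CORE = ("phi_description", "discloser", "recipient", "purpose",
                 "expiration", "signature")
REQUIRED_STATEMENTS = ("remuneration", "revocation_right",
                       "redisclosure_risk", "conditioning")
SIGNATURE_EVIDENCE = ("signer", "signed_at", "ip_or_device", "document_sha256")
RETENTION_YEARS = 6


def _parse_date(value):
    """Date for an ISO-8601 string; None for a missing or event-based value."""
    if not isinstance(value, str):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def add_years(d, years):
    """Add calendar years; a Feb 29 start clamps to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def validate_authorization(auth):
    """Return a list of defects; an empty list means the record is complete."""
    defects = []
    for key in REQUIRED_CORE:
        if not auth.get(key):
            defects.append("missing core element: " + key)
    statements = auth.get("statements") or {}
    for key in REQUIRED_STATEMENTS:
        if not statements.get(key):
            defects.append("missing required statement: " + key)
    # The remuneration statement must actually say the disclosure is compensated.
    text = (statements.get("remuneration") or "").lower()
    if text and "remuneration" not in text:
        defects.append("remuneration statement does not disclose remuneration")
    signature = auth.get("signature") or {}
    for key in SIGNATURE_EVIDENCE:  # identity, intent/assent time, device, document hash
        if not signature.get(key):
            defects.append("missing e-signature evidence: " + key)
    return defects


def authorization_status(auth, as_of):
    """'revoked', 'expired' or 'active' as of a date or ISO date string."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    revoked = _parse_date(auth.get("revoked_on"))
    if revoked is not None and revoked <= as_of:
        return "revoked"
    expiration = _parse_date(auth.get("expiration"))
    if expiration is not None and expiration < as_of:
        return "expired"
    return "active"


def document_intact(auth, stored_image):
    """Tamper evidence: the stored authorization image must match the signed hash."""
    return hashlib.sha256(stored_image).hexdigest() == auth["signature"]["document_sha256"]


def retention_deadline(auth):
    """Six years from the later of the creation date and the date last in effect."""
    created = date.fromisoformat(auth["created_on"])
    last_in_effect = (_parse_date(auth.get("revoked_on"))
                      or _parse_date(auth.get("expiration")) or created)
    return add_years(max(created, last_in_effect), RETENTION_YEARS)


# Constructed sample record and document image (not real data).
AUTH_IMAGE = b"Authorization form v1: sale of PHI, signed 2025-08-22"
SAMPLE_AUTH = {
    "created_on": "2025-08-22",
    "phi_description": "Lab results, 2024-01-01 to 2024-12-31, from the lab system",
    "discloser": "Example Clinic (constructed)",
    "recipient": "Example Data Buyer LLC (constructed)",
    "purpose": "Licensing of identifiable lab data",
    "expiration": "2026-08-22",
    "statements": {
        "remuneration": "This disclosure will result in remuneration to Example Clinic.",
        "revocation_right": "You may revoke in writing by notifying the privacy officer.",
        "redisclosure_risk": "Disclosed information may be redisclosed and no longer protected by HIPAA.",
        "conditioning": "Treatment, payment, enrollment and eligibility are not conditioned on signing.",
    },
    "signature": {
        "signer": "Jane Doe (constructed)",
        "signed_at": "2025-08-22T10:15:00Z",
        "ip_or_device": "203.0.113.7 / device-id-constructed",
        "document_sha256": hashlib.sha256(AUTH_IMAGE).hexdigest(),
    },
}

if __name__ == "__main__":
    print("defects:", validate_authorization(SAMPLE_AUTH))
    print("status 2025-09-01:", authorization_status(SAMPLE_AUTH, "2025-09-01"))
    print("retain until:", retention_deadline(SAMPLE_AUTH))
```

Run the checks at intake and again whenever a disclosure cites the authorization: a record that passes intake can still be revoked or expired by the time PHI is actually released, and the retention clock moves with the revocation date.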

Prohibition on Conditioning Treatment

As a rule, you may not condition treatment, payment, enrollment in a health plan, or eligibility for benefits on an individual signing an authorization for a sale of PHI. Coercive practices invalidate consent and undermine compliance.

Narrow exceptions

  • Research‑related treatment: You may condition participation in a study’s treatment arm on signing an authorization specific to that research.
  • Health plan functions: A plan may seek an authorization before enrollment if it is necessary to determine eligibility or enrollment.
  • Services solely to create PHI for a third party: If care is provided only to generate PHI for a third party (for example, a life‑insurance exam), obtaining an authorization as a condition of that service is permissible.

When invoking an exception, disclose the condition clearly within the authorization and limit the requirement to the relevant activity.

Business Associate Agreements and PHI Sale

Business associate obligations mirror the prohibition: a business associate may not sell PHI without a valid authorization or applicable exception. Your business associate agreements (BAAs) should operationalize this rule to support covered entity compliance.

What to include in BAAs

  • An explicit ban on selling PHI and on receiving remuneration in exchange for PHI, except as permitted by HIPAA and the agreement.
  • Requirements to obtain your prior written approval before any disclosure that could be construed as a sale of PHI.
  • Flow‑down of the same restrictions to subcontractors.
  • Documentation, accounting, and audit‑log duties for disclosures involving remuneration.
  • Security controls for electronic PHI, breach notification obligations, and return or destruction of PHI at termination.

Train workforce members and vendors on these business associate obligations, and periodically test controls to ensure no compensated data flows occur without proper authorizations.

Safeguards for Electronic PHI

Even with proper authorizations or exceptions, you must implement robust electronic PHI security measures. Align administrative, physical, and technical safeguards with your risk analysis and ongoing risk management program.

Practical controls

  • Access controls: role‑based access, unique IDs, multi‑factor authentication, and timely deprovisioning.
  • Transmission and storage security: strong encryption in transit and at rest, secure file transfer, and key management.
  • Audit readiness: immutable logs of access and disclosures, including remuneration context when relevant.
  • Data minimization: disclose only the minimum necessary (except for treatment) and prefer de‑identified data or limited data sets with appropriate agreements when possible.
  • Vendor due diligence: evaluate receiving parties’ safeguards, impose contractual limits on use and redisclosure, and verify disposal practices.
  • Incident response: test breach detection and notification procedures that cover transmissions made under authorizations or exceptions.
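The "audit readiness" control above and the earlier advice to periodically test that no compensated data flows occur without proper authorizations can be combined into one check over the disclosure log. The following is an added example (not code from the article or from Accountable) that keeps disclosure records in a SHA-256 hash chain so after-the-fact edits are detectable, and then audits every remunerated disclosure for a basis that was actually in force on the disclosure date: either an authorization within its effective window and not yet revoked, or a documented exception basis. Field names, the sample log and the sample authorizations are assumptions constructed for the example.

```python
"""Hash-chained disclosure log and remuneration audit (added example; fields are assumed)."""
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # previous-hash value for the first record


def entry_hash(prev_hash, entry):
    """Hash of the previous record's hash plus a canonical JSON form of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain, entry):
    """Append a disclosure record linked to the previous one; returns the stored record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev, "hash": entry_hash(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain):
    """True only if every record still links to its predecessor and hashes correctly."""
    prev = GENESIS
    for record in chain:
        if record["prev"] != prev or entry_hash(prev, record["entry"]) != record["hash"]:
            return False
        prev = record["hash"]
    return True


def _in_force(auth, disclosed):
    """Authorization window covers the date and no revocation had taken effect."""
    if auth is None:
        return False
    start = date.fromisoformat(auth["effective_from"])
    end = date.fromisoformat(auth["expires_on"])
    revoked = auth.get("revoked_on")
    if revoked is not None and disclosed >= date.fromisoformat(revoked):
        return False
    return start <= disclosed <= end


def audit_remunerated(chain, authorizations):
    """IDs of remunerated disclosures with neither an in-force authorization nor an exception."""
    findings = []
    for record in chain:
        e = record["entry"]
        if not e.get("remunerated"):
            continue  # only compensated disclosures are in scope of the sale-of-PHI rule
        if e.get("exception_basis"):
            continue  # documented exception, e.g. a cost-based research fee
        disclosed = date.fromisoformat(e["disclosed_on"])
        if not _in_force(authorizations.get(e.get("authorization_id")), disclosed):
            findings.append(e["id"])
    return findings


# Constructed sample authorizations (not real data).
SAMPLE_AUTHORIZATIONS = {
    "AUTH-1": {"effective_from": "2025-08-22", "expires_on": "2026-08-22",
               "revoked_on": "2025-12-01"},
    "AUTH-2": {"effective_from": "2025-01-01", "expires_on": "2025-12-31",
               "revoked_on": None},
}


def build_sample_log():
    """Constructed disclosure events appended in order; returns the chain."""
    chain = []
    events = [
        {"id": "D1", "disclosed_on": "2025-09-01", "recipient": "Referring physician (constructed)",
         "remunerated": False, "authorization_id": None, "exception_basis": "treatment"},
        {"id": "D2", "disclosed_on": "2025-09-15", "recipient": "Example Data Buyer LLC (constructed)",
         "remunerated": True, "authorization_id": "AUTH-1", "exception_basis": None},
        {"id": "D3", "disclosed_on": "2025-12-15", "recipient": "Example Data Buyer LLC (constructed)",
         "remunerated": True, "authorization_id": "AUTH-1", "exception_basis": None},
        {"id": "D4", "disclosed_on": "2025-10-01", "recipient": "University study team (constructed)",
         "remunerated": True, "authorization_id": None,
         "exception_basis": "research; cost-based fee to prepare and transmit"},
        {"id": "D5", "disclosed_on": "2025-11-05", "recipient": "Analytics vendor (constructed)",
         "remunerated": True, "authorization_id": None, "exception_basis": None},
    ]
    for event in events:
        append_entry(chain, event)
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    print("unsupported remunerated disclosures:", audit_remunerated(log, SAMPLE_AUTHORIZATIONS))
```

In the sample, D3 is flagged because AUTH-1 was revoked before that disclosure and D5 because it cites nothing at all; D4 passes on its documented cost-based research basis. Rewriting D3 to cite a still-valid authorization would make the audit pass, but it would also break the chain, which is why the chain check runs before the audit.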

Conclusion

The bottom line: if value changes hands for identifiable health information, assume HIPAA’s sale‑of‑PHI rule applies. Obtain a compliant authorization with a clear remuneration statement, or fit squarely within a narrow exception. Cement expectations in BAAs, and back everything with strong electronic security and meticulous documentation.

FAQs

What constitutes a sale of PHI under HIPAA?

A sale of PHI is a disclosure where your organization (or business associate) receives direct or indirect remuneration in exchange for the PHI itself. Money, in‑kind benefits, or discounted services can qualify. Cost‑based fees that merely cover preparing and transmitting PHI are not considered payment for the data.

When is individual authorization required for PHI disclosure?

Authorization is required before any sale of PHI unless a HIPAA exception applies. The authorization must specifically state that the disclosure will result in remuneration to your organization. Separate HIPAA marketing regulations may also require authorization when communications are funded by a third party.

What exceptions allow PHI disclosure without authorization?

Exceptions include public health activities; research with only reasonable, cost‑based fees; treatment, payment, and certain operations (with cost‑based fees only); corporate transactions like a merger; disclosures to or by a business associate for services; disclosures to the individual (including copy fees); and disclosures required by law.

How must authorization for PHI sale be documented?

Capture a signed authorization—paper or valid electronic signature—that includes HIPAA’s core elements and a remuneration statement. Retain the authorization and any revocation for at least six years, store it securely with audit trails, and provide a copy to the individual upon request.
