When is a covered entity permitted to use or disclose PHI for marketing purposes?

A covered entity is permitted to use or disclose protected health information (PHI) for marketing purposes only when it has obtained the patient's written authorization. This requirement stems from the regulations established under the Health Insurance Portability and Accountability Act (HIPAA), which seeks to protect patients' privacy while allowing them some control over how their health information is used and shared.

Obtaining written authorization ensures that the patient is fully informed about how their PHI will be used in marketing contexts and allows them the opportunity to consent to or opt out of the use of their information. This process also supports transparency and helps maintain trust between patients and healthcare providers.

In contrast, other options would not align with HIPAA's stipulation for marketing activities. For instance, using PHI whenever deemed necessary ignores the fundamental requirement for patient consent. Conducting a yearly review of patient status or making treatment-related notifications does not fall under marketing practices, which specifically encompass activities like advertising or promoting products and services. Therefore, the need for written authorization is a critical component of compliance in the realm of PHI usage for marketing purposes.