
HIPAA and Healthcare Marketing: What Every Practice Must Know

HIPAA wasn't written with marketing in mind, but it governs what you can do. Understanding the boundaries between patient care communication and marketing communication is essential for every healthcare practice.

Decabrand Team | 10 min read

HIPAA - the Health Insurance Portability and Accountability Act - wasn't designed for marketers. It was designed to protect patient health information. But its requirements directly affect what healthcare practices can and cannot do in their marketing.

Get it wrong and you face civil penalties that, under the statute, run up to $1.5 million per year for each provision violated (a figure HHS adjusts annually for inflation), plus reputational damage and, for knowing violations, criminal exposure for the individuals involved. Get it right and you can market effectively within clear boundaries.

This isn't legal advice - consult healthcare attorneys for your specific situation. But every practice marketer needs foundational HIPAA literacy.

What HIPAA Actually Covers

HIPAA protects Protected Health Information (PHI): individually identifiable health information that a covered entity or its business associate creates, receives, maintains or transmits, in any form (paper, electronic or spoken).

What Qualifies as PHI

Information is PHI when it meets both halves of the test:

  • It relates to an individual's past, present or future physical or mental health condition, to the provision of healthcare to that individual, or to payment for that care
  • It identifies the individual, or there is a reasonable basis to believe it could be used to identify them

The second half is what trips up marketers: a patient's email address on your practice's mailing list is PHI, because the fact that they are your patient is itself health information.

The 18 Safe Harbor identifiers (of the individual, and of their relatives, employers and household members):

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code), with a narrow exception for the first three digits of a ZIP code when that area has more than 20,000 people
  3. All elements of dates except year that relate directly to the individual (birth, admission, discharge, death), and any age over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic or code

Who Must Comply

Covered entities:

  • Healthcare providers who transmit health information electronically
  • Health plans
  • Healthcare clearinghouses

Business associates:

  • Entities that handle PHI on behalf of covered entities
  • Marketing agencies with PHI access
  • Technology vendors processing patient data

If your marketing agency, email platform or CRM vendor has access to patient data, they are a business associate and must sign a Business Associate Agreement (BAA) before that access is granted.

The Marketing Exception

HIPAA has specific rules about using PHI for marketing.

HIPAA's Definition of Marketing

Under HIPAA (45 CFR § 164.501), marketing is a communication about a product or service that encourages recipients to purchase or use that product or service. Using or disclosing PHI to make such a communication requires the patient's written authorization, unless an exception below applies.

Requires written authorization:

  • Communications promoting a product or service that the practice itself does not provide
  • Treatment or operations communications for which the practice receives financial remuneration from a third party whose product or service is being promoted (a drug company paying you to tell patients about its product, for example)
  • Selling or renting your patient list to anyone for their own marketing
  • Any other promotional use of PHI that does not fit one of the exceptions below

What's NOT Marketing Under HIPAA

Certain communications are excluded from the marketing definition. Each of the treatment and operations exceptions disappears if a third party pays the practice to make the communication.

Treatment communications:

  • Discussing treatment options and alternatives
  • Care coordination
  • Case management
  • Referrals

The practice's own health-related products and services:

  • Describing a service the practice itself provides (including a new service line)
  • Refill reminders and communications about a drug currently prescribed to the patient, provided any payment received is reasonably related to the cost of making the communication
  • Information about a medical device prescribed as part of care

Face-to-face communications:

  • In-person promotional discussions, even about third-party products
  • Conversations during appointments

Promotional gifts of nominal value:

  • Small branded items
  • Practice giveaways

Healthcare operations and general information:

  • Appointment reminders
  • General health and wellness information not tied to a promoted product
  • A health plan describing its own plan benefits to its members

The Critical Distinction

The same message can be marketing or not, depending on who benefits and who pays. The line HIPAA draws is not "clinical versus promotional"; it is whether the communication promotes something the practice does not provide, or whether someone else is paying the practice to send it.

Not marketing: "Your annual exam is due. Please call to schedule."

Not marketing under HIPAA: "Your annual exam is due. While you're here, ask about our new cosmetic services." The practice is describing a service it provides, and nobody is paying it to say so. Many practices still treat this as promotional and limit it to patients who have opted in, and other laws (CAN-SPAM, the TCPA, state privacy statutes) govern how it may be sent.

Marketing: "Ask about the new laser skincare line from [manufacturer]," sent because the manufacturer pays the practice for each message.

Not marketing: "Based on your condition, these treatment options exist."

Marketing: Selecting patients by diagnosis and emailing them about a third-party product, or handing the patient list to a partner so they can promote their own services.

Two questions resolve most cases: Is the product or service ours? Is anyone else paying us to send this? If the answer to either is the wrong one, you need authorization.

Authorization Requirements

When communication IS marketing under HIPAA, you need written authorization.

Valid Authorization Elements

A HIPAA-compliant authorization (45 CFR § 164.508) must be in plain language and include:

  1. A specific and meaningful description of the information to be used or disclosed
  2. The name of the person or entity authorized to make the use or disclosure
  3. The name of the recipient of the information
  4. The purpose of the use or disclosure (for a testimonial, where and how it will be published)
  5. An expiration date or expiration event
  6. The patient's signature and the date
  7. A statement of the right to revoke, and how to do so
  8. A statement that treatment, payment, enrollment or eligibility cannot be conditioned on signing
  9. A statement that information disclosed under the authorization may be redisclosed by the recipient and no longer protected by HIPAA
  10. Where the practice receives financial remuneration from a third party for the marketing, a statement that such remuneration is involved

Authorization Best Practices

Separate from other consents:

  • Don't bundle with treatment consent
  • Clear, standalone document
  • Plain language explanation

Specific scope:

  • What information will be used
  • How it will be used
  • Where it will appear

Easy revocation:

  • Clear process to withdraw consent
  • Honor revocations promptly
  • Document revocation handling

Common Marketing Activities and HIPAA

How HIPAA applies to typical marketing activities:

Email Marketing to Patients

Appointment reminders: Permitted as treatment communications.

Health newsletters: Permitted if they carry general health information and do not promote a third-party product.

Promotional emails: Permitted without authorization when they describe the practice's own services and no third party pays for them. Authorization is required when the email promotes a product or service the practice does not provide, or when someone else pays the practice to send it.

Key question: Whose product is this, and who is paying for the message?

A second question matters for everything else: are you using only contact information, or are you selecting recipients by diagnosis? Sending general practice news to your whole patient list is different from pulling a list of diabetic patients. The latter is still permitted for the practice's own diabetes program, but it becomes an authorization-requiring marketing disclosure the moment a device maker or pharmaceutical company funds the campaign, and a misdirected or breached diagnosis-based list is a far more serious incident than a leaked mailing list.

Patient Testimonials

Written testimonials: Require authorization for marketing use. Even a first-name-only quote confirms that the person is your patient.

Video testimonials: Require authorization plus a media release.

Before/after photos: Require an authorization that describes each intended use (website, social media, print); a face photo can never be de-identified.

Online reviews: Patient-initiated, and you may ask patients generally to leave reviews. You cannot use PHI to select whom to ask, and you cannot respond in a way that confirms the reviewer was a patient or discloses anything about their care.

The patient sharing their own story is different from you using their story.

Social Media

Posting about patients: Never without authorization. This includes "anonymized" posts that a coworker, neighbor or family member could still recognize.

Responding to patient comments: Cannot confirm patient status. "Thanks for coming in last week" is a disclosure, even if the patient posted first.

Sharing patient photos: Requires explicit authorization, including for photos the patient posted themselves.

General health content: Permitted without patient information.

Website Content

Case studies: Require authorization or complete de-identification.

Patient stories: Require authorization.

Before/after galleries: Require authorization for each patient.

Provider discussions of conditions: Permitted if no patient information.

Targeted Advertising

Using patient lists for targeting: Requires authorization when the advertising is for a third party's product, and a BAA for any vendor that receives the list.

Facebook or Google Custom Audiences built from patient data: Uploading patient emails or phone numbers to an ad platform discloses PHI (the fact that each person is your patient) to a third party. These platforms do not sign BAAs for their advertising products, so there is no compliant way to do this without patient authorization.

Retargeting website visitors: Look at what the pixel sees. A tracking pixel on a patient portal, appointment-booking flow or a page about a specific condition can send the visitor's IP address and the page URL to the ad vendor. HHS OCR's 2022 bulletin on online tracking technologies treats data collected from authenticated pages as PHI, and the same logic applies to any page where the URL reveals a health condition. Inventory every third-party script on such pages before placing ads.

General demographic targeting: Permitted, because it uses the platform's data rather than yours.

De-Identification Option

You can use health information without authorization if properly de-identified.

Safe Harbor Method

Remove all 18 identifiers of the individual and of their relatives, employers and household members, AND have no actual knowledge that the remaining information could be used, alone or in combination, to identify the person.

Practical challenges:

  • Face photos cannot be de-identified; a before/after photo of a face is out
  • Rare conditions, unusual procedures or distinctive dates may be identifying on their own
  • Combinations of otherwise harmless details (procedure, approximate age, town) may identify
  • Small geographic areas and small patient populations increase the risk

Expert Determination

A person with appropriate statistical and scientific expertise determines, and documents, that the risk of re-identifying an individual from the data is very small.

More flexible than Safe Harbor (it can retain some dates or locations), but it requires expert involvement and a written determination you can produce on request.

De-Identification Limitations

Even de-identified information has limits:

  • You may keep a re-identification code only if it is not derived from the patient's data (a hash of the medical record number does not qualify) and is never disclosed
  • De-identification must be maintained: adding a detail later (a photo, a town, an exact date) undoes it
  • Context can re-identify: a case study on the practice's own site, describing a procedure only a few patients have had, may identify the patient even when every listed identifier is gone

For most marketing purposes, authorization is simpler and safer than de-identification.
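The following is an added example, not code from the original article, showing how the Safe Harbor method described above plays out on a record a practice might want to turn into a case study. The field names, the patterns, and the sample record are constructed for illustration; the restricted ZIP prefixes are the 17 three-digit areas of 20,000 or fewer people listed in HHS de-identification guidance and should be checked against current census data before relying on them.

```python
"""Safe Harbor de-identification pass for a record bound for marketing use.

Added example (not from the article). Field names and the sample record are
constructed. The rules follow the Safe Harbor method in 45 CFR 164.514(b)(2):
strip the direct identifiers, keep dates as year only, bucket ages over 89,
truncate ZIP codes to three digits, and scrub identifiers out of free text.
"""
import re

# Fields that map to Safe Harbor identifiers and must be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "face_photo",
}
# Geographic subdivisions smaller than a state (state itself may stay).
GEO_FIELDS_BELOW_STATE = {"address", "street", "city", "county"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_service"}

# ZIP3 areas with <= 20,000 people per HHS guidance (assumed; verify).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that commonly hide inside clinical notes and quotes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_date(value: str) -> str:
    """Safe Harbor permits the year alone; drop month and day."""
    match = re.search(r"\b(\d{4})\b", value)
    return match.group(1) if match else "[REDACTED-date]"


def generalize_age(age: int):
    """Ages over 89 must be aggregated into a single '90 or older' bucket."""
    return "90 or older" if age > 89 else age


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that ZIP3 area is too small."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def redact_free_text(text: str):
    """Replace identifier-shaped substrings; return new text and labels found."""
    findings = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            findings.append(label)
            text = pattern.sub(f"[REDACTED-{label}]", text)
    return text, findings


def safe_harbor(record: dict):
    """Return (de-identified record, audit report) for one patient record."""
    clean, report = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS_BELOW_STATE:
            report.append(f"removed {field}")
        elif field in DATE_FIELDS:
            clean[field] = generalize_date(str(value))
            report.append(f"generalized {field} to year")
        elif field == "age":
            clean[field] = generalize_age(int(value))
        elif field == "zip":
            clean[field] = generalize_zip(str(value))
        elif isinstance(value, str):
            clean[field], found = redact_free_text(value)
            report.extend(f"redacted {label} in {field}" for label in found)
        else:
            clean[field] = value
    # The second half of Safe Harbor cannot be automated: a human must confirm
    # there is no actual knowledge that what remains identifies the patient.
    report.append("manual review: confirm no actual knowledge of re-identification "
                  "(rare condition, small population, distinctive story)")
    return clean, report


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1931-04-12",
    "age": 93,
    "email": "jane.doe@example.com",
    "phone": "(555) 123-4567",
    "mrn": "MRN-00012345",
    "address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "admit_date": "2024-03-05",
    "procedure": "knee replacement",
    "notes": "Patient (jane.doe@example.com) seen 03/05/2024; follow-up call 555-123-4567.",
    "face_photo": "before_after_001.jpg",
}

if __name__ == "__main__":
    deidentified, audit = safe_harbor(SAMPLE_RECORD)
    print(deidentified)
    for line in audit:
        print(" -", line)
```

The audit report is the part a compliance reviewer actually wants: it shows what was stripped and what still needs a human decision. Regexes catch identifier-shaped strings, not identifying stories; the "knee replacement" field survives the pass, and whether it identifies someone in a small town is exactly the judgment Safe Harbor's "no actual knowledge" clause leaves to you.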

Business Associate Requirements

If outside parties handle your marketing with PHI access:

When BAAs Are Required

Required:

  • Marketing agency with access to your patient database or patient lists
  • Email or SMS platform that sends to patient lists (the list itself is PHI)
  • CRM vendor storing patient information
  • Analytics vendor that receives patient-level data, including tracking scripts on portal or booking pages

Not required:

  • Agencies that never receive PHI (they work from your general content and demographic briefs)
  • Advertising platforms, provided you never send them patient data; if you would have to upload a patient list or let their pixel read a portal page, the answer is not "get a BAA" but "don't send it", since these platforms generally will not sign one
  • Vendors with no patient information

BAA Elements

Business Associate Agreements must include:

  • Permitted uses of PHI
  • Safeguards requirements
  • Breach notification obligations
  • Subcontractor requirements
  • Return/destruction of PHI on termination

Vendor Selection

Choose marketing vendors who:

  • Understand healthcare requirements
  • Offer BAA agreements
  • Have appropriate security measures
  • Train staff on HIPAA
  • Can demonstrate compliance

Enforcement and Penalties

HIPAA violations carry significant consequences.

Penalty Tiers

The statutory per-violation amounts (adjusted annually for inflation; OCR has also applied lower annual caps for the first three tiers under a 2019 notice of enforcement discretion):

Tier 1: Unknowing violation

  • $100-$50,000 per violation
  • Up to $1.5 million per year for identical violations

Tier 2: Reasonable cause

  • $1,000-$50,000 per violation
  • Up to $1.5 million per year

Tier 3: Willful neglect, corrected within 30 days

  • $10,000-$50,000 per violation
  • Up to $1.5 million per year

Tier 4: Willful neglect, not corrected

  • $50,000 per violation
  • Up to $1.5 million per year

Criminal Penalties

Knowingly obtaining or disclosing PHI in violation of HIPAA carries criminal liability for the individuals involved, not just the practice:

  • Up to $50,000 and one year in prison for a knowing violation
  • Up to $100,000 and five years if committed under false pretenses
  • Up to $250,000 and ten years if committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm (the tier most relevant to selling patient lists)

Recent Enforcement Trends

OCR (Office for Civil Rights) has increased enforcement of:

  • Right of access violations
  • Business associate compliance
  • Risk analysis failures
  • Breach notification

Marketing violations typically surface through patient complaints to OCR, through state attorneys general (who can also enforce HIPAA), or through breach reports, and OCR investigates what is reported.

Practical Compliance Steps

Build HIPAA compliance into marketing operations.

Audit Current Practices

Review all marketing activities:

  • What patient information is used?
  • What authorizations exist?
  • What vendor access exists?
  • What could be problematic?

Establish Clear Policies

Document policies for:

  • Patient data use in marketing
  • Authorization collection and storage
  • Social media guidelines
  • Testimonial and photo consent
  • Vendor management

Train Marketing Staff

Everyone touching marketing needs:

  • Basic HIPAA understanding
  • Knowledge of what's permitted
  • Clear escalation paths
  • Regular refresher training

Create Compliant Processes

Build compliance into workflow:

  • Authorization forms before testimonials
  • Review process for patient-related content
  • Vendor BAA tracking
  • Documentation systems

Regular Review

HIPAA compliance isn't one-time:

  • Annual policy review
  • Audit of current practices
  • Update for regulation changes
  • Incident response testing

The Bottom Line

HIPAA creates boundaries for healthcare marketing - boundaries that protect patients and, when followed, protect practices. Understanding what requires authorization, what's permitted, and how to handle patient information is foundational for any healthcare marketer.

The key principle: patient health information isn't a marketing asset to be exploited. It's protected information that can be used for marketing only with explicit patient permission.

When in doubt, get authorization. When still in doubt, consult healthcare legal counsel. The cost of compliance is far less than the cost of violation.

Authoritative References

  • U.S. Department of Health & Human Services - HIPAA for Professionals: hhs.gov/hipaa/for-professionals - Official guidance on HIPAA Privacy Rule, Security Rule, and marketing provisions including the definition of marketing and authorization requirements.

  • HHS Office for Civil Rights - Marketing Under HIPAA: hhs.gov/hipaa/for-professionals/privacy/guidance/marketing - Specific OCR guidance on what constitutes marketing under HIPAA and when authorization is required.

  • 45 CFR § 164.501 and § 164.508 - HIPAA Privacy Rule Text: ecfr.gov - The actual regulatory text defining marketing and authorization requirements under HIPAA.


This article provides general information about HIPAA and marketing. It is not legal advice. Consult qualified healthcare attorneys for guidance specific to your situation.
