Avoid Violations: How HIPAA Defines Marketing Communications and Required Authorizations
Definition of Marketing under HIPAA
Under HIPAA, “marketing” is any communication about a product or service that encourages a recipient to purchase or use it. When a covered entity uses or discloses Protected Health Information (PHI) to make such a pitch, the communication is treated as HIPAA marketing.
The definition covers both direct promotions by a provider or health plan and outreach performed at the request of a third party. Channel does not matter—email, SMS, mailers, patient portals, and campaigns built from PHI-derived lists are all within scope.
Communications made for treatment or health care operations may fall outside the marketing definition, but that status changes if the covered entity receives financial remuneration from a third party. In practice, you should first classify the communication, then ask whether PHI is used and whether any payment is involved.
Exceptions to Marketing Definition
HIPAA carves out certain communications that are not “marketing,” provided they do not involve financial remuneration from a third party. These include describing the covered entity’s own health-related products or services or those included in a plan of benefits.
Treatment Communications
Messages made for an individual’s care—such as discussing treatment alternatives, recommending a specific test, or coordinating follow-up—are Treatment Communications. Because their purpose is clinical, they are not marketing unless a third party pays the covered entity to send them.
Case Management Coordination
Communications for Case Management Coordination and other health care operations—like care transitions, provider or network participation notices, or directing a patient to appropriate settings of care—are generally outside the marketing definition if no third-party payment is tied to the outreach.
Authorization Requirement for Marketing
Using or disclosing PHI for marketing usually requires the individual’s Written Authorization. This applies when the outreach promotes a product or service and when the covered entity receives direct or indirect financial remuneration from a third party for making the communication.
A valid Written Authorization must clearly describe what PHI will be used or disclosed, who is disclosing and receiving it, the purpose, and an expiration date or event. It must inform the individual of the right to revoke and that refusal will not affect treatment or coverage. For marketing, a Remuneration Disclosure is required if any payment from a third party is involved.
Authorizations should be specific and limited to the stated purpose. Retain copies, track revocations, and ensure downstream partners honor the individual’s choices.
Exceptions to Authorization Requirement
HIPAA allows certain marketing-related activities without Written Authorization. These are narrow and must be applied precisely.
- Face-to-face communications: In-person recommendations or discussions between the covered entity and the individual do not require authorization.
- Nominal Value Gifts: Promotional items of minimal value (for example, a pen or fridge magnet) may be given without authorization.
- Refill reminders and medication adherence: Communications about a currently prescribed drug or biologic, or related delivery system, are permitted without authorization if any payment received is reasonably related to the cost of making the communication.
- Describing your own services: Communications that describe a covered entity’s own health-related products or services or those included in a plan of benefits are allowed without authorization if no third-party remuneration is involved.
Sale of PHI Regulations
HIPAA generally prohibits the sale of PHI. A “sale” occurs when a covered entity or its business associate discloses PHI in exchange for direct or indirect remuneration from or on behalf of the recipient.
A disclosure that qualifies as a sale requires an express Written Authorization that states the disclosure will result in remuneration. Without that authorization, selling PHI is not permitted.
There are limited exceptions—for example, public health activities; research where remuneration reflects reasonable, cost-based fees; disclosures for treatment and payment; individual access and copy fees; business transfers such as the sale or merger of a practice; services performed by business associates; and disclosures required by law. Data that has been properly de-identified is not PHI and is outside the sale restrictions.
Compliance Strategies for Marketing Communications
Adopt a structured decision framework before any campaign. Ask: Is PHI used? Does the message encourage purchase or use? Is a third party paying for the outreach? The answers determine whether HIPAA marketing rules and Written Authorization apply.
- Map use cases: Categorize common messages as Treatment Communications, health care operations (including Case Management Coordination), or marketing.
- Build authorization workflows: Use plain-language forms that include required elements and Remuneration Disclosure. Store authorizations, log revocations, and time-limit scopes.
- Control vendors: Execute business associate agreements when vendors handle PHI. Prohibit re-use, onward sale, or retargeting. Validate that only the minimum data necessary for the campaign is shared.
- Channel governance: Avoid creating PHI-derived audiences for digital advertising unless you have valid authorizations. Prefer de-identified or aggregate data for prospecting.
- Nominal value and face-to-face rules: Document what qualifies as Nominal Value Gifts and train staff on in-person exception boundaries.
- Quality and security checks: Verify message accuracy, honor contact preferences, and implement safeguards to prevent unintended disclosures.
Consistent training, documentation, and auditing help demonstrate compliance and reduce enforcement risk.
Consequences of Non-Compliance
Violating HIPAA’s marketing or sale-of-PHI provisions can trigger federal enforcement, including civil monetary penalties, corrective action plans, and multi-year monitoring. Penalties scale with culpability and are adjusted for inflation.
Additional exposure includes state attorney general actions, breach notifications, contractual liability with partners, and reputational harm. Unapproved campaigns that use PHI, undisclosed remuneration, or improper “sale” arrangements are frequent risk drivers.
Summary
To avoid violations, classify each outreach, identify PHI use and any payment, obtain Written Authorization with clear Remuneration Disclosure when required, and apply the narrow exceptions exactly. Doing so enables compliant, patient-respectful marketing by covered entities.
FAQs
What constitutes marketing under HIPAA?
Any communication that encourages someone to purchase or use a product or service is marketing. When a covered entity uses or discloses PHI to make that pitch—or communicates at a third party’s request—it falls under HIPAA’s marketing provisions unless a specific exception applies.
When is patient authorization required for marketing communications?
Written Authorization is required whenever PHI is used or disclosed for marketing, and whenever a third party provides financial remuneration for the communication. The authorization must include a Remuneration Disclosure if payment is involved.
Are there exceptions to the marketing authorization requirement?
Yes. Common exceptions include face-to-face communications, Nominal Value Gifts, and refill reminders or medication adherence messages where any payment received is reasonably related to the cost of the communication. Describing your own services without third-party payment is also allowed.
How does HIPAA regulate the sale of protected health information?
HIPAA generally prohibits selling PHI. Disclosing PHI in exchange for remuneration requires a specific Written Authorization that states remuneration will occur. Limited exceptions apply (such as public health, certain research, and legal requirements), and properly de-identified data is not subject to the sale restrictions.