HIPAA and Marketing Partnerships: How to Build Compliant Collaborations



Kevin Henry

HIPAA

May 29, 2026

7 minutes read

HIPAA Definition of Marketing

What HIPAA considers “marketing”

Under HIPAA, “marketing” is any communication about a product or service that encourages a person to purchase or use it. If a partner helps you promote offerings that are not part of a patient’s care, that activity is generally marketing and triggers specific privacy rules.

What is not marketing

HIPAA excludes certain communications from the marketing definition when they are tied to care. These include messages for treatment, case management, or care coordination; descriptions of health-related products or services offered by your organization (a Covered Entity) or included in a plan of benefits; and recommendations about alternative treatments, providers, or care settings.

When payment changes the analysis

If a third party pays you to send a communication about its product or service, that communication is treated as marketing and requires prior authorization, even if it references health-related services. Limited carve-outs exist (for example, certain drug refill reminders at reasonable cost), but payments often tip a message into “marketing.”

Authorization Requirements for Marketing Communications

When you need authorization

You must obtain an Individual Authorization before using or disclosing Protected Health Information (PHI) for marketing, unless a HIPAA exception applies. This applies to emails, texts, direct mail, and digital campaigns that rely on identifiable patient data or inferences tied to an individual.

What a valid authorization includes

  • A clear description of the information to be used or disclosed and the purpose.
  • The name of the disclosing and receiving parties (e.g., your marketing partner).
  • An expiration date or event, and the individual’s right to revoke.
  • A statement that treatment, payment, enrollment, or eligibility is not conditioned on signing (when applicable).
  • Remuneration Disclosure if you receive direct or indirect payment from a third party for the marketing communication.

Store signed authorizations, track revocations, and honor scope limits. If scope changes (for example, new channels or partners), obtain new authorizations.
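The elements and lifecycle rules above translate naturally into a pre-send gate: before a marketing message that uses PHI leaves the system, check that a signed authorization exists, still covers the channel and partner, has not expired or been revoked, and (where a third party is paying) carries the Remuneration Disclosure. The following Python is an added illustration, not code from the original article or from Accountable; the record layout, field names and the sample authorizations are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Authorization:
    """Constructed record of one signed Individual Authorization (illustrative fields)."""
    individual_id: str
    description: str                 # information to be used/disclosed and the purpose
    disclosing_party: str
    receiving_parties: List[str]     # partners the individual agreed may receive PHI
    channels: List[str]              # channels in scope, e.g. "email", "sms", "direct_mail"
    signed_on: Optional[date] = None
    expires_on: Optional[date] = None
    expiration_event: Optional[str] = None   # alternative to a date, e.g. "end of enrollment"
    remuneration_disclosed: bool = False     # Remuneration Disclosure statement present?
    revoked_on: Optional[date] = None


@dataclass
class Campaign:
    """Constructed description of a planned send."""
    partner: str
    channel: str
    third_party_paid: bool           # a third party pays for this communication


def missing_elements(auth: Authorization) -> List[str]:
    """Return the required authorization elements that are absent or empty."""
    missing: List[str] = []
    if not auth.description:
        missing.append("description of information and purpose")
    if not auth.disclosing_party or not auth.receiving_parties:
        missing.append("disclosing and receiving parties")
    if auth.expires_on is None and not auth.expiration_event:
        missing.append("expiration date or event")
    if auth.signed_on is None:
        missing.append("signature date")
    return missing


def may_send(auth: Authorization, campaign: Campaign, today: date) -> Tuple[bool, str]:
    """Decide whether a PHI-based marketing send is covered by this authorization."""
    gaps = missing_elements(auth)
    if gaps:
        return False, "authorization incomplete: " + ", ".join(gaps)
    if auth.revoked_on is not None and auth.revoked_on <= today:
        return False, "authorization revoked"
    if auth.expires_on is not None and auth.expires_on < today:
        return False, "authorization expired"
    if campaign.channel not in auth.channels:
        return False, f"channel '{campaign.channel}' outside authorized scope"
    if campaign.partner not in auth.receiving_parties:
        return False, f"partner '{campaign.partner}' outside authorized scope"
    if campaign.third_party_paid and not auth.remuneration_disclosed:
        return False, "third-party payment without Remuneration Disclosure"
    return True, "ok"


# Constructed sample authorization used by the checks below.
SAMPLE_AUTH = Authorization(
    individual_id="patient-0001",
    description="Contact details used to send offers for the partner wellness program",
    disclosing_party="Example Health System",
    receiving_parties=["Example Agency LLC"],
    channels=["email"],
    signed_on=date(2024, 1, 15),
    expires_on=date(2024, 12, 31),
    remuneration_disclosed=True,
)

if __name__ == "__main__":
    plan = Campaign(partner="Example Agency LLC", channel="email", third_party_paid=True)
    print(may_send(SAMPLE_AUTH, plan, date(2024, 6, 1)))
```

Each refusal reason maps to an action from the text: an out-of-scope channel or partner means a new authorization, a revocation means the record must be honored immediately, and a missing Remuneration Disclosure means the form itself has to be reissued before any paid send.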

Role of Business Associate Agreements in Marketing

When a partner becomes a Business Associate

A marketing partner is a Business Associate if it creates, receives, maintains, or transmits PHI on your behalf. Examples include agencies handling patient lists, platforms sending targeted messages using PHI, and analytics vendors processing identifiable engagement data.

What a BAA does—and does not—do

A Business Associate Agreement (BAA) permits the partner to handle PHI for the limited purposes you specify and requires safeguards, breach notification, subcontractor flow-downs, and limits on further use. A BAA does not replace the need for an Individual Authorization when PHI is used for marketing. You may need both: a BAA to govern processing and an authorization to permit the marketing use.

Practical safeguards

  • Define allowed datasets and apply the minimum necessary principle.
  • Prohibit partner re-use of PHI for its own marketing or for other clients.
  • Require encryption in transit and at rest, access controls, and audit logging.
  • Pre-approve any subcontractors and ensure they sign equivalent agreements.

Use of Protected Health Information in Marketing

Knowing what counts as PHI

PHI includes any individually identifiable health information maintained or transmitted by a Covered Entity or its Business Associate, such as names, contact details, medical record numbers, IP addresses when linked to care, appointment data, diagnoses, or claim details.

De-identified Data and alternatives

HIPAA allows the use of De-identified Data for marketing if it meets the Safe Harbor standard (removal of specified identifiers) or an expert determines that re-identification risk is very small. Treat pseudonymized or “hashed” data cautiously—if it can be tied back to a person or combined with other data to identify someone, it functions as PHI.
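To make the Safe Harbor approach and the hashing caveat concrete, the Python below is an added example, not code from the original article or from Accountable. It strips a subset of the Safe Harbor identifiers from constructed engagement records (direct identifiers removed, dates reduced to the year, ZIP codes reduced to three digits, ages over 89 collapsed), then shows why an unsalted hash of an email address is not de-identification: anyone holding a contact list can hash that list and match the tokens. The record fields, the small-area ZIP3 list and the "current year" are constructed assumptions for the illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample: engagement rows as a marketing analytics vendor might receive them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Jane Doe", "email": "jane.doe@example.com", "mrn": "MRN-00123",
     "ip": "198.51.100.7", "zip": "02139", "dob": "1984-07-12",
     "admission_date": "2024-03-02", "service_line": "cardiology"},
    {"name": "John Roe", "email": "john.roe@example.net", "mrn": "MRN-00456",
     "ip": "203.0.113.9", "zip": "04401", "dob": "1931-01-30",
     "admission_date": "2024-05-19", "service_line": "orthopedics"},
]

# Fields this illustration removes outright (a subset of the Safe Harbor identifier list).
DIRECT_IDENTIFIERS = {"name", "email", "mrn", "ip"}
# Dates tied to an individual keep only the year under Safe Harbor.
DATE_FIELDS = {"dob", "admission_date"}
# Constructed: ZIP3 prefixes whose population is 20,000 or fewer must be reported as "000".
SMALL_ZIP3_AREAS = {"044"}


def safe_harbor_deidentify(record: Dict[str, str], current_year: int = 2024) -> Dict[str, str]:
    """Apply a Safe Harbor style generalisation to one record (illustrative subset)."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop direct identifiers entirely
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3_AREAS else zip3
        elif key in DATE_FIELDS:
            out[key + "_year"] = value[:4]             # keep the year only
        else:
            out[key] = value
    # Ages over 89 must be collapsed into a single category.
    if "dob_year" in out and current_year - int(out["dob_year"]) > 89:
        out.pop("dob_year")
        out["age_band"] = "90+"
    return out


def pseudonymize_email(email: str) -> str:
    """Unsalted SHA-256 of a normalised email: the common 'hashed audience' practice."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reidentify(token: str, known_contacts: List[str]) -> Optional[str]:
    """Anyone holding a contact list can map an unsalted hash back to the person."""
    for contact in known_contacts:
        if pseudonymize_email(contact) == token:
            return contact
    return None


def keyed_token(email: str, key: bytes) -> str:
    """HMAC with a key that stays with the Covered Entity; a partner without the key cannot
    rebuild tokens from its own list. The token is still a pseudonym, not de-identified data."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for row in SAMPLE_RECORDS:
        print(safe_harbor_deidentify(row))
    token = pseudonymize_email("Jane.Doe@example.com")
    print("unsalted hash re-identified as:", reidentify(token, ["bob@example.org", "jane.doe@example.com"]))
    print("keyed token re-identified as:", reidentify(keyed_token("jane.doe@example.com", b"constructed-key"),
                                                      ["jane.doe@example.com"]))
```

The keyed variant only moves the problem: the Covered Entity can still link the token to the patient, so the dataset remains PHI in its hands and must not be treated as Safe Harbor output. Genuine de-identification means the identifiers are gone, or an expert has determined the re-identification risk is very small.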


Channel-specific considerations

  • Email and SMS: use PHI only with authorization and secure sending practices; provide easy opt-outs.
  • Pixels, cookies, and mobile SDKs: if they capture PHI (for example, user behavior on appointment or portal pages linked to care), use a BAA or avoid PHI entirely; otherwise rely on truly de-identified or aggregated data.
  • Audience matching and lookalikes: do not upload PHI without authorization; prefer de-identified or aggregated cohorts.

Exceptions to Marketing Rules

Common HIPAA Marketing Exceptions

  • Face-to-face communications: in-person conversations with individuals do not require authorization.
  • Promotional gifts of nominal value: items such as pens or notepads offered in person are permitted.
  • Treatment and care coordination messages: communications that support a patient’s current care are not marketing.
  • Communications about your own health-related products or services or plan benefits: permitted when not paid for by a third party.
  • Refill reminders or communications about a drug or biologic currently being prescribed: permitted if any payment received is limited to the reasonable cost of making the communication.

If a third party pays you to promote its product or service, the exception typically does not apply and you will need authorization.

Federal frameworks that also apply

  • FTC Act: avoid unfair or deceptive claims in advertising and endorsements.
  • CAN-SPAM: include accurate sender details, a physical address, and an easy email opt-out.
  • TCPA: obtain appropriate consent for autodialed or prerecorded calls and marketing texts.
  • 42 CFR Part 2: obtain specific consent before using or disclosing substance use disorder records, which are more strictly protected than general PHI.
  • Fraud and abuse laws: ensure financial arrangements in partnerships do not create prohibited inducements.

State privacy and consumer health laws

Several states impose additional obligations for health-related data, even outside traditional HIPAA contexts. Map your collection across web, mobile, and offline touchpoints; honor state-specific consent, sensitive data, and opt-out requirements; and maintain a consistent preference management process.

Training and Policy Implementation for HIPAA Compliance

Operationalizing compliant partnerships

  • Data mapping: document all PHI flows to and from each marketing partner.
  • Governance: require a BAA where PHI is processed; maintain vendor risk assessments and security questionnaires.
  • Authorization management: standardize forms with clear Remuneration Disclosure; log issuance, expiration, and revocation.
  • Technical controls: use encryption, access controls, secure APIs, and data loss prevention for marketing workflows.
  • Content and QA: review campaigns for alignment with HIPAA Marketing Exceptions and minimum necessary use.
  • Monitoring and audits: sample messages, review tracking configurations, and test opt-out and revocation handling.
  • Incident response: define escalation paths and breach notification procedures with partners.

Conclusion

Build marketing partnerships on a clear legal foundation: determine whether a message is marketing, obtain Individual Authorization when required, execute a precise Business Associate Agreement for any PHI handling, and favor De-identified Data whenever possible. By aligning campaign design with HIPAA’s exceptions and related laws, you can collaborate confidently while protecting patient trust.

FAQs

What constitutes marketing under HIPAA?

Marketing is a communication that promotes a product or service for purchase or use. Messages tied directly to treatment, care coordination, or descriptions of your own health-related offerings are generally not marketing unless third-party payment is involved.

When is individual authorization required for marketing?

You need Individual Authorization before using or disclosing PHI for marketing unless a HIPAA exception applies. If you receive payment from a third party to send the message, authorization is almost always required and must include Remuneration Disclosure.

How do Business Associate Agreements affect marketing partnerships?

A Business Associate Agreement allows a partner to handle PHI on your behalf under strict limits and safeguards. It does not itself permit marketing uses; if the activity is marketing that involves PHI, you still need the individual’s authorization in addition to the BAA.

Generally no. Using PHI in marketing requires prior authorization unless a HIPAA Marketing Exception applies (for example, certain face-to-face communications or low-cost refill reminders). When feasible, use De-identified Data to avoid PHI altogether.
