HIPAA Marketing Communications Explained: Requirements, Exceptions, and Authorization Rules
Definition of Marketing Communications
Under HIPAA, marketing communications are messages about a product or service that encourage a recipient to purchase or use it. When those messages use or disclose Protected Health Information (PHI), they trigger specific privacy requirements.
The rules apply to any Covered Entity (healthcare providers, health plans, and healthcare clearinghouses) and to any Business Associate handling PHI on their behalf. Channels include mail, email, SMS, phone, apps, and in-person outreach when PHI informs who you contact or what you say.
What counts as “marketing” with PHI
- Promoting third-party products or services to patients or members.
- Paid endorsements or sponsored messages targeted using PHI.
- Paid outreach encouraging the use of a particular drug, device, or service.
Communications strictly for treatment or certain operations may fall outside “marketing,” but only if they meet narrow criteria described below.
Authorization Requirements for Marketing
As a baseline, you must obtain an Individual Authorization before using or disclosing PHI for marketing. If a third party provides financial remuneration for the outreach, authorization is required in nearly all cases.
What an authorization must include
- Specific description of the PHI to be used or disclosed.
- Who will disclose the PHI and who will receive it.
- Purpose of the disclosure and the communication.
- Expiration date or event.
- Signature and date of the individual (or personal representative).
- Notice of the right to revoke in writing and how to do so.
- Statement that information disclosed may be redisclosed by the recipient and may no longer be protected by HIPAA.
- Remuneration Disclosure if the covered entity is paid by a third party for the marketing.
Process tips for compliance
- Gather only the minimum PHI necessary for the outreach.
- Use clear, plain language; avoid bundling authorizations with other forms.
- Track and honor revocations promptly to stop future marketing uses of PHI.
Exceptions to Marketing Authorization
HIPAA recognizes limited Marketing Communication Exceptions where PHI-based outreach does not require prior authorization.
Common exceptions
- Face-to-face communications between a covered entity and the individual.
- Promotional gifts of nominal value given in person (e.g., pens, notepads).
- Communications for treatment, case management, or care coordination, or to recommend alternative treatments, providers, or care settings.
- Communications describing a health-related product or service offered by the covered entity (or included in a plan of benefits), such as new clinic locations, covered care options, or network changes.
- Prescription refill reminders and medication adherence communications about a currently prescribed drug or biologic, including related delivery devices, when any payment received is reasonably related to the cost of making the communication.
Important: If a third party pays for the outreach, most communications become “marketing” and require authorization, except for narrowly defined refill reminders where payment is limited to communication costs.
Remuneration Disclosure Obligations
Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being promoted. In-kind benefits do not count as financial remuneration.
When and how to disclose
- If you receive financial remuneration for the communication, the authorization must clearly state that you are paid and may identify the paying party.
- For refill reminders and similar adherence notices, any payment must be reasonably related to the cost of the communication (e.g., labor, supplies, postage). Keep documentation showing how you calculated costs.
- Maintain records of all authorizations and Remuneration Disclosures to demonstrate compliance.
Restrictions on Sale of PHI
HIPAA’s PHI Sale Prohibition bars the sale of PHI—i.e., disclosures of PHI in exchange for remuneration—without an Individual Authorization that expressly states a sale will occur. “Sale” includes licensing or providing access to PHI for value.
Limited exceptions
- Public health, research (cost-based fees only), treatment and payment activities, and required-by-law disclosures.
- Disclosures in connection with an acquisition, merger, or similar corporate transaction.
- Payments to Business Associates for services performed on behalf of the covered entity (not for the BA’s own purposes).
When authorization is used to permit a sale, the form must explicitly state that remuneration is involved and describe the purpose and recipient.
Business Associate Agreements
A Business Associate Agreement (BAA) is required before a vendor handles PHI for marketing operations (e.g., email platforms, mail houses, data processors). The BAA must limit the vendor’s use and disclosure of PHI to the covered entity’s instructions.
Key BAA provisions for marketing workflows
- Express prohibition on using PHI for the vendor’s own marketing or any sale of PHI.
- Requirement to obtain Individual Authorization before any marketing use or disclosure not otherwise permitted.
- Safeguards for PHI, breach reporting, and flow-down of obligations to subcontractors.
- Return or destruction of PHI at the end of the engagement where feasible.
Even with a BAA, a vendor cannot convert PHI into marketing assets for its own campaigns or accept remuneration to promote third-party products without proper authorization.
Opt-Out Rights for Individuals
For marketing that requires authorization, the individual controls participation and can revoke authorization in writing at any time, stopping future uses or disclosures of PHI for that campaign.
HIPAA requires a simple, clear opt-out for fundraising communications. While many treatment or operations messages do not require authorization, offering an easy opt-out is a best practice and may be required by channel-specific laws. Always honor opt-out choices across the applicable channel promptly.
In practice, pair every outreach program with a revocation and opt-out process, audit logs, and suppression lists. This reduces privacy risk and supports consistent compliance across email, SMS, and mail.
In summary, build HIPAA marketing programs around three pillars: obtain Individual Authorization when required (especially if remuneration is involved), rely on narrow exceptions only when they truly fit, and harden vendor and opt-out controls to protect PHI at every step.
FAQs
What constitutes marketing under HIPAA’s privacy rule?
It is any communication about a product or service that encourages purchase or use when PHI informs the outreach. Paid promotions of third-party offerings, sponsored disease-management ads, or targeted drug promotions using patient data are examples. Treatment, care coordination, and certain operational notices may fall outside “marketing” only if they meet narrow exceptions.
When is written authorization required for marketing communications?
Authorization is required whenever PHI is used or disclosed for marketing, and nearly always when a third party pays for the communication. The authorization must include core elements (description, recipients, purpose, expiration, revocation, redisclosure notice, signature) and a Remuneration Disclosure if payment is involved.
What exceptions allow marketing communications without authorization?
Exceptions include face-to-face communications, nominal promotional gifts, treatment and care coordination messages, descriptions of the covered entity’s own health-related products or services (or plan benefits), and prescription refill reminders where any payment is limited to the cost of making the communication. If these conditions are not met—or if broader remuneration is involved—authorization is required.
How must remuneration be disclosed in marketing authorizations?
The authorization must clearly state that the covered entity receives financial remuneration for the communication and may identify the paying party. For refill reminders and similar adherence messages, any payment must be reasonably tied to communication costs, and you should keep documentation to support that calculation.