HIPAA Marketing Rules Explained: What You Can and Can’t Do With Patient PHI
Definition of Marketing under HIPAA
What HIPAA Calls “Marketing”
Under HIPAA, marketing means a communication about a product or service that encourages a recipient to purchase or use it. When you use or disclose Protected Health Information (PHI) to make that pitch, you step squarely into HIPAA marketing territory.
Typical marketing examples include promoting a third‑party wellness app, pitching a new device not part of your treatment plan, or sending paid endorsements. If the purpose is persuading patients to buy or use something, treat it as marketing.
Common Scenarios You Should Classify
- Emails or texts advertising a product or service unrelated to the patient’s current care.
- Paid campaigns recommending a third‑party therapy, program, or provider.
- Lead‑nurture sequences using PHI to target individuals with purchasing prompts.
- Mailers sent by a vendor using your patient list to promote outside services.
Exceptions to Marketing Definition
Treatment and Care Coordination
Communications for treatment, case management, or care coordination are not marketing. You may recommend alternative treatments, providers, or care settings using PHI if the purpose is clinical guidance, not selling.
Health-Related Services You Provide
Describing health‑related products or services that you (the covered entity) provide, or that are included in a health plan’s benefits, is not marketing. For example, informing patients about your new clinic location or telehealth hours qualifies as covered entity operations, not advertising.
Face-to-Face Communications and Nominal Gifts
You may speak with a patient face‑to‑face about a product or service without it being marketing, even if promotional. You may also give a promotional gift of nominal value, such as a pen or notepad, without triggering marketing rules.
Refill Reminders and Current Therapy Notices
Refill reminders or communications about a patient’s current prescription or ongoing therapy are not marketing if any payment you receive is reasonably related to the cost of making the communication (for example, vendor fees, supplies, and postage). Profit‑making payments transform the message into marketing.
Requirements for Marketing Communications
Authorization Requirements at a Glance
If a communication is marketing and no exception applies, you must obtain a valid, written patient authorization before using or disclosing PHI. This is distinct from general patient consent; HIPAA requires a specific authorization for marketing that clearly describes the use or disclosure.
- Secure an authorization before sending the campaign.
- If you receive direct or indirect remuneration from a third party, the authorization must state that fact.
- Use only the PHI necessary to execute the campaign (apply “minimum necessary” where applicable).
- Do not rely on your Notice of Privacy Practices as a substitute for a marketing authorization.
Marketing Communication Restrictions
Respect the marketing communication restrictions that protect patient choice. Do not condition treatment, payment, enrollment, or eligibility for benefits on signing a marketing authorization. Keep authorizations separate from treatment documents and avoid pre‑checked boxes or bundling unrelated permissions.
For email or SMS, honor channel preferences. If a patient opts for unencrypted channels, first advise of risks and document the preference. Always provide a straightforward way to stop future marketing messages, even when HIPAA does not explicitly require an “opt‑out.”
Using De‑Identified Data
Data that meet HIPAA de‑identification standards are not PHI and may be used for marketing without authorization. Validate your method (Safe Harbor or expert determination), prevent re‑identification, and avoid combining de‑identified information with other datasets that could reveal identity.
Business Associate Agreements in Marketing
When a BAA Is Required
If a vendor creates, receives, maintains, or transmits PHI for your marketing program, you need a Business Associate Agreement (BAA). Common examples include email service providers configured with PHI, CRM platforms, print/mail houses, data processors, and analytics providers that handle PHI.
Core BAA Terms That Support Compliance
- Permitted uses and disclosures: precisely define how the vendor may handle PHI and prohibit use for the vendor’s own marketing.
- Safeguards: require administrative, physical, and technical data security measures, including access controls and encryption.
- Breach reporting: establish prompt incident reporting and cooperation on risk assessment and notifications.
- Subcontractors: obligate downstream vendors to the same protections via written agreements.
- Individual rights: support access, amendment, and accounting processes when applicable.
- Return or destroy PHI: specify actions at contract end and allow termination for material breach.
Due Diligence and Monitoring
Evaluate vendor security, audit results, and compliance track record before sharing PHI. Reassess periodically, verify least‑privilege access, and document oversight to demonstrate covered entity compliance.
Prohibited Marketing Activities
- Using PHI for any marketing purpose without a valid authorization, unless a specific exception applies.
- Accepting payments to send product or service promotions that leverage PHI without disclosing remuneration in the authorization.
- Selling PHI for marketing or allowing a vendor to do so without explicit authorization.
- Uploading PHI (including hashed identifiers) to ad platforms, look‑alike audiences, or retargeting tools.
- Targeting individuals based on diagnosis, medication, or visit history for third‑party promotions without authorization.
- Commingling operational messages with marketing content to bypass authorization requirements.
Authorization Details for Marketing
Required Elements
A compliant marketing authorization must be in plain language and include:
- Description of the PHI to be used or disclosed and the marketing purpose.
- Who may disclose and who may receive the PHI (covered entity and any Business Associates).
- Expiration date or event.
- Patient’s signature and date, plus a copy for the patient.
- Statement of the right to revoke in writing and how to exercise it.
- Consequences of refusing to sign (for marketing, you may not condition treatment, payment, enrollment, or eligibility).
- If you receive third‑party remuneration, a clear statement that payment is involved.
Handling and Recordkeeping
Retain signed authorizations for at least six years from the date of creation or last effective date, whichever is later. Ensure staff can retrieve authorizations quickly, verify scope before each campaign, and stop using PHI once the authorization expires or is revoked.
Revocation and Preference Management
Honor revocations promptly and document fulfillment. Keep granular preference logs (channel, topic, brand) so you respect patient consent choices across future outreach.
Security Safeguards for PHI in Marketing
Administrative Safeguards
Perform a risk analysis for each marketing workflow involving PHI. Define role‑based access, train staff on marketing communication restrictions, and implement vendor management, sanctions, and contingency planning.
Technical Safeguards
Encrypt PHI in transit and at rest, enforce multifactor authentication, monitor logs, and segment systems to limit lateral movement. Use secure APIs, strong keys, and data loss prevention to reduce leakage risks.
Physical Safeguards
Secure workstations, restrict facility access, and control media handling. Shred or securely wipe printed lists, labels, and removable drives used for campaigns.
Tracking and Advertising Technologies
Avoid placing third‑party pixels, beacons, or SDKs on portals or pages where PHI may be collected or inferred. If a tool can access PHI, treat it as a Business Associate, put a BAA in place, and configure strict data minimization.
Incident Response and Breach Notification
Establish intake channels for suspected incidents, document investigations, and execute breach notifications when required. Test your plan, and ensure vendors can support forensic review and timely reporting.
Conclusion
To market compliantly with PHI, classify your message, check for exceptions, and secure a proper authorization when needed. Pair strong BAAs with rigorous data security measures, and honor patient preferences. This disciplined approach delivers results while maintaining covered entity compliance.
FAQs
What qualifies as marketing under HIPAA?
Any communication that encourages a person to buy or use a product or service is marketing when PHI is used or disclosed. Examples include promoting a third‑party device, paid endorsements, or using patient lists for outside offers. Clinical recommendations for treatment or care coordination, and descriptions of your own services or plan benefits, are not marketing.
When is patient authorization required for marketing?
You need a written authorization whenever the communication is marketing and no exception applies. If a third party pays you to send the message, the authorization must state that remuneration is involved. Face‑to‑face communications, nominal promotional gifts, and cost‑based refill reminders about current therapy do not require authorization.
What activities are prohibited under HIPAA marketing rules?
Prohibited activities include using PHI for marketing without authorization, selling PHI for promotions, taking payments to send PHI‑driven pitches without disclosure, uploading PHI to advertising platforms, and disguising marketing as operations to bypass authorization requirements.
How must Business Associate Agreements support marketing compliance?
BAAs must define permitted uses/disclosures, require safeguards and breach reporting, bind subcontractors, support individual rights where applicable, and mandate PHI return or destruction. They should explicitly bar vendors from using PHI for their own marketing and enable termination for material noncompliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.