HIPAA Privacy Rule Marketing Checklist: Is Your Communication Permissible or Not?
You want to reach patients effectively without crossing regulatory lines. This checklist explains how the HIPAA Privacy Rule treats a marketing communication, when you need Individual Written Authorization, which exceptions apply, and what disclosures are required—so your Covered Entity can engage patients while protecting their Protected Health Information.
Definition of Marketing
Under HIPAA, “marketing” is a communication about a product or service that encourages a person to purchase or use it. If your message uses or discloses Protected Health Information (PHI) to promote any product or service, assume HIPAA’s marketing rules apply unless an explicit exception fits.
Quick test
- Does the message encourage purchase or use of a product or service?
- Is PHI used to target, personalize, or deliver the message?
- Is any third party paying you (Direct or Indirect Remuneration) to make the communication?
If “yes” to the first two—and especially if remuneration is involved—it is a HIPAA marketing communication.
Common examples
- Sending diabetes patients an email promoting a third‑party glucose monitor.
- Texting post‑surgery patients with a coupon for a home health vendor.
- Mailing plan members about a non-plan wellness product funded by a manufacturer.
Authorization Requirements for Marketing
Before using PHI for marketing, obtain an Individual Written Authorization from the patient, unless an exception applies. Without it, using or disclosing PHI for marketing is impermissible.
When authorization is required
- You use PHI to market a third party’s product or service.
- Any Direct or Indirect Remuneration from a third party is involved, except limited refill reminders (see below).
- You disclose PHI to a vendor so the vendor can market to the individual.
What a valid authorization must include
- Specific description of PHI to be used/disclosed and the purpose.
- Who may disclose and who may receive the PHI.
- Expiration date or event.
- Patient’s signature and date (or personal representative with authority description).
- Statements in plain language about the right to revoke, the ability/inability to condition treatment or payment on the authorization, and the potential for re‑disclosure by the recipient.
- For marketing, a clear statement that the Covered Entity receives financial remuneration, if applicable.
Operational tips
- Use standalone forms for marketing to avoid confusion with treatment consents.
- Track revocations promptly and suppress future sends.
- Retain authorizations per your record‑retention policy.
Exceptions to Marketing Definition
Some communications that may look promotional are not “marketing” under HIPAA and do not require authorization.
Treatment and care coordination
- Recommending or directing a patient to alternative treatments, providers, or care settings.
- Case management or care coordination activities.
Describing your own offerings
- Describing a health‑related product or service that you provide, including your network, plan benefits, coverage changes, or upgrades.
- Communications about payment or coverage for healthcare.
Refill reminders and adherence
- Refill reminders or communications about a drug or biologic currently prescribed are not marketing if any remuneration is reasonably related to the cost of making the communication (e.g., mail, call center, data processing).
When HIPAA marketing rules don’t apply
- General wellness messages that do not promote a specific product or service.
- Advertising that does not use PHI (e.g., your website, billboards, mass media not targeted with PHI).
Face-to-Face Communication Rules
You may make face‑to‑face communications to an individual without authorization, even if the message encourages the purchase or use of a product or service.
- “Face‑to‑face” means in‑person, real‑time interaction with the individual.
- Phone, email, text, and mail are not face‑to‑face.
- Do not disclose PHI to a third party unless another HIPAA permission applies (or you have authorization).
Remember that a compliant HIPAA pathway does not guarantee permissibility under other laws; assess Compliance with Anti-Kickback Laws before accepting any payments tied to referrals or product promotion.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Promotional Gifts Guidelines
Promotional gifts of nominal value provided by the Covered Entity directly to the individual do not require authorization.
- Nominal value only; avoid cash, cash equivalents (e.g., gift cards), or high‑value items.
- Examples: pens, calendars, water bottles, adhesive bandage holders, small tote bags.
- Do not exchange gifts for PHI or condition eligibility on acceptance.
- If a third party funds gifts and you use PHI to target recipients, treat that as marketing and follow authorization rules.
Remuneration Disclosure Requirements
If you receive Direct or Indirect Remuneration from a third party to make a marketing communication that uses PHI, you must obtain an authorization that discloses you are being paid.
What to disclose
- A clear statement that you receive financial remuneration from a third party for the communication.
- Identify the paying entity when feasible; dollar amounts are not required, but transparency builds trust.
- State any material terms that a reasonable patient would want to know (e.g., the manufacturer funds the outreach).
Special case: refill reminders
- Permitted without authorization if any payment you receive is limited to your reasonable, cost‑based expenses for sending the reminder.
- If the reminder goes beyond the currently prescribed drug or biologic, or the payment exceeds your cost-based expenses, the marketing authorization requirement is triggered.
Always evaluate arrangements for Compliance with Anti-Kickback Laws in addition to HIPAA, particularly when manufacturers, suppliers, or referral sources provide funding.
Prohibited Marketing Activities
- Using or disclosing PHI for marketing without an Individual Written Authorization when required.
- Accepting remuneration from a third party to send targeted messages using PHI without the required authorization.
- Selling PHI (or receiving payment in exchange for PHI) without a specific authorization for the sale of PHI.
- Conditioning treatment, payment, enrollment, or eligibility on signing a marketing authorization.
- Sharing PHI with a vendor to conduct outreach without a Business Associate arrangement or patient authorization.
- Ignoring revocations or failing to honor opt‑out preferences captured during related communications.
- Proceeding with paid promotions that could violate Compliance with Anti-Kickback Laws or beneficiary inducement rules, even if HIPAA would otherwise allow the outreach.
Bottom line: if PHI is involved and the message promotes a product or service—especially where money changes hands—get a compliant authorization or restructure the outreach to fit a clear HIPAA exception. Use plain‑language disclosures, limit data strictly to purpose, and build processes to honor revocations and preferences.
FAQs
When is patient authorization required for marketing under HIPAA?
You need authorization whenever you use PHI to promote a product or service and no exception applies. Authorization is also required if a third party provides Direct or Indirect Remuneration for your outreach (other than cost‑based refill reminders) or when you disclose PHI to a vendor so the vendor can market to the individual.
What types of communications are exempt from HIPAA marketing rules?
Exempt categories include face‑to‑face communications, promotional gifts of nominal value from the Covered Entity, treatment and care‑coordination recommendations, descriptions of your own health‑related products or services (including plan benefits and coverage), payment or coverage communications, and refill reminders for currently prescribed drugs or biologics where any remuneration is limited to the cost of making the communication.
How must remuneration be disclosed in marketing authorizations?
The authorization must clearly state that the Covered Entity receives financial remuneration from a third party for the marketing communication. Name the paying entity when feasible and use plain language. You do not have to disclose dollar amounts, but the disclosure must be conspicuous and unambiguous.
What are the rules regarding fundraising communications under HIPAA?
Fundraising is not “marketing,” but it is regulated. You may use limited PHI (e.g., demographic data, dates and department of service, treating physician, and outcome) to solicit donations for your organization, not for third parties. Each fundraising message must offer a clear, easy Fundraising Opt-Out, and you cannot condition treatment or payment on a patient’s choice. Opt‑out preferences must be honored for all future fundraising communications.