HIPAA Privacy Rule Marketing Definition: What Counts as a Communication
Definition of Marketing under HIPAA
The HIPAA Privacy Rule marketing definition centers on intent. A communication is “marketing” when it encourages a person to purchase or use a product or service. The rule applies regardless of format—email, text, mailer, phone call, patient portal, or in-person script—if it leverages Protected Health Information (PHI).
HIPAA binds Covered Entities (health plans, most providers, and clearinghouses) and their business associates. When these organizations use or disclose PHI to promote a product or service, the activity is marketing unless a specific exception applies. The rule evaluates both the content and purpose of the message.
Financial relationships matter. If a third party pays a Covered Entity to make a promotional communication, that compensation (financial remuneration) typically converts the outreach into marketing, triggering strict requirements described below.
What counts as a communication
- Any targeted message that uses PHI (for example, condition, medication, or recent visit) to promote a commercial product or service.
- Outreach encouraging patients to use a third-party device, app, or service not part of the Covered Entity’s own offerings.
- Paid messaging on behalf of a manufacturer, pharmacy, or plan that leverages patient lists derived from PHI.
Exceptions to Marketing Definition
Some messages are not “marketing” under the Privacy Rule, even when they promote action. These exceptions focus on care and operations that directly support the patient.
Treatment communications
Recommendations made for an individual’s treatment—such as discussing alternative therapies, referring to another provider, or suggesting a diagnostic test—are not marketing. The goal is clinical care, not commercial promotion.
Case management communications and care coordination
Communications for case management or care coordination are excluded from the marketing definition. Examples include helping you find post‑acute resources, arranging disease‑management programs, or coordinating community support tied to your care plan.
Describing your own services and plan-related notices
Messages that describe a Covered Entity’s own health-related products or services, or explain provider network participation, benefit changes, or value‑added services available only to plan enrollees, are generally not marketing.
Refill reminders and medication communications
Refill reminders—or communications about a drug or biologic you are currently prescribed—are not marketing if any payment received is limited to the Covered Entity’s reasonable, cost-based expenses for making the communication (for example, mailing, data processing, or staff time).
Authorization Requirements
When a communication qualifies as marketing, the Covered Entity must obtain an Individual Authorization before using or disclosing PHI, unless an exemption applies. This is especially true when a third party provides financial remuneration for the outreach.
When authorization is required
- Promoting third‑party products or services using PHI.
- Paid (“subsidized”) treatment or operations communications that encourage purchasing or using a specific product or service.
- Any disclosure of PHI to another organization so that it can market to you.
Elements of a valid Individual Authorization
- Clear description of the marketing purpose and the PHI involved.
- Identity of the Covered Entity (and any recipient) authorized to use/disclose the PHI.
- Expiration date or event, your signature, and the date signed.
- Right to revoke authorization and how to exercise that right.
- If financial remuneration is involved, a statement that such payment is received for the communication.
Recordkeeping and revocation
Maintain completed authorizations and related policies as part of HIPAA documentation. If you revoke authorization in writing, the Covered Entity must stop future marketing uses or disclosures of PHI, while retaining records of prior actions taken in reliance on the authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exemptions from Authorization
Two narrow carve‑outs allow certain marketing without Individual Authorization. These do not permit broad use of PHI; they are limited, context‑specific exceptions.
Face-to-face communication
Direct, person‑to‑person conversations between a provider and patient may include marketing content without authorization. The exchange must be truly in person; phone, email, texts, portals, and mailers do not qualify as face‑to‑face communication.
Promotional gifts of nominal value
Covered Entities may give low‑cost promotional items of nominal value—such as pens, notepads, or refrigerator magnets—without authorization. The items must not be cash or cash‑equivalents and should be modest enough that they do not unduly influence care decisions.
Operational tips
- Use minimal PHI and avoid third‑party funding when relying on these exemptions.
- Do not combine these carve‑outs with mass outreach channels; most mass communications require prior authorization.
Prohibited Marketing Practices under HIPAA
- Using or disclosing PHI for marketing without a valid, written Individual Authorization, unless a narrow exemption applies.
- Accepting financial remuneration from a third party to send promotional messages that use PHI, without first obtaining authorization.
- Selling or licensing PHI for another entity’s marketing purposes without explicit authorization; “sale” of PHI is generally barred.
- Sharing PHI with vendors so they can market their products or services to you, absent authorization and appropriate agreements.
- Bundling marketing authorization with treatment, payment, or enrollment conditions, or failing to honor revocations.
- Using PHI for broad advertising or look‑alike audience creation on digital platforms without individual authorization.
Conclusion
The HIPAA Privacy Rule marketing definition turns on purpose, PHI use, and funding. Care‑focused messages—treatment, case management, and care coordination—are generally not marketing. Most promotional outreach that uses PHI, especially when paid by a third party, requires prior Individual Authorization, with only narrow exceptions for face‑to‑face communication and promotional gifts of nominal value. Build processes that default to authorization when in doubt.
FAQs
What constitutes marketing under HIPAA’s Privacy Rule?
It is any communication that encourages you to purchase or use a product or service and uses or discloses your Protected Health Information. This includes paid promotions about third‑party offerings and targeted outreach derived from PHI, unless a specific exception (treatment, case management, care coordination, or describing the Covered Entity’s own services) applies.
When is authorization required for marketing communications?
Authorization is required when PHI supports promotional messaging—especially if a third party pays the Covered Entity to make the communication. The authorization must be specific, signed, and disclose any financial remuneration. Limited exceptions exist, such as face‑to‑face conversations and nominal‑value gifts.
What communications are exempt from marketing rules?
Treatment recommendations, case management communications, care coordination, and messages describing the Covered Entity’s own health‑related services are generally not marketing. Refill reminders about a medication you currently take are also permitted if any payment covers only reasonable, cost‑based expenses.
Can protected health information be sold for marketing?
No. Selling PHI for marketing is generally prohibited. A Covered Entity cannot disclose PHI to another party in exchange for payment so that the recipient can market to you, unless you first sign a valid authorization that clearly permits that transaction.