HIPAA Requires Individual Authorization Before Using PHI for Marketing
HIPAA Authorization Requirement
Under the HIPAA Privacy Rule, you must obtain a patient's Written Authorization before using or disclosing Protected Health Information (PHI) for any Marketing Communication. The authorization must be specific to the intended use, written in plain language, and signed and dated by the individual before any PHI is used for that purpose.
Core elements of a valid Written Authorization
- A specific and meaningful description of the PHI to be used or disclosed and of the marketing purpose.
- The name (or other specific identification) of the person or entity authorized to make the disclosure and of the recipient(s), including any third parties involved.
- An expiration date or expiration event that relates to the individual or to the marketing purpose.
- The individual's signature and the date (and, if a personal representative signs, a description of that person's authority to act for the individual).
- A statement of the individual's right to revoke in writing, with the exceptions to that right and the procedure for revoking.
- A statement that treatment, payment, enrollment, or eligibility for benefits will not be conditioned on signing the authorization.
- A statement that information disclosed may be redisclosed by the recipient and may no longer be protected by HIPAA.
Give the individual a copy of the signed authorization, and retain each authorization and any revocation for at least six years from the date it was created or the date it was last in effect, whichever is later. The "minimum necessary" standard does not apply to uses or disclosures made pursuant to a valid authorization; what you may use or disclose is bounded instead by the authorization's own description of the PHI and the purpose.
Definition of Marketing
HIPAA defines “marketing” as a communication about a product or service that encourages the recipient to purchase or use it. If a message promotes a third-party offering or seeks to drive demand, it is a marketing communication and generally requires prior authorization.
Examples
- Paid email blasts to patients promoting a new medical device from a manufacturer.
- Mailers encouraging enrollment in a non-affiliated wellness program.
- Sharing patient lists with a sponsor to advertise products or services.
What is not marketing (baseline rule)
- Communications describing your own health-related products or services or plan benefits.
- Treatment communications, such as care recommendations from a provider to a patient.
- Case management or care coordination messages, or recommendations about alternative providers or settings of care.
Important: if you receive financial remuneration from a third party in exchange for making any of the above "not marketing" communications, the carve-out no longer applies: the communication is marketing and requires authorization (see Remuneration Disclosure). The one exception is the refill-reminder rule described below, which tolerates remuneration reasonably related to your cost of sending the message.
Exceptions to Authorization Requirement
HIPAA lets you make two different kinds of communication without an authorization. The first two items below are marketing communications that the Privacy Rule nonetheless exempts from the authorization requirement; the remaining items are excluded from the definition of marketing altogether. Use these carefully and document your rationale.
- Face-to-face communications from the covered entity to the individual.
- Promotional gifts of nominal value provided by the covered entity to the individual.
- Treatment communications, including case management, care coordination, and recommendations of alternative treatments, therapies, providers, or settings of care, for which you receive no financial remuneration from a third party.
- Descriptions of health-related products or services that you provide or that are included in your plan of benefits, for which you receive no financial remuneration from a third party.
- Refill reminders or other communications about a drug or biologic currently prescribed for the individual, provided that any financial remuneration you receive is reasonably related to your cost of making the communication.
If a third party pays you to make any of the excluded communications (beyond the cost-related amount allowed for refill reminders), the exclusion is lost and you must obtain Written Authorization before using PHI for that outreach. Face-to-face communications and nominal gifts remain exempt from the authorization requirement even when a third party pays for them.
Remuneration Disclosure
When a third party provides direct or indirect financial remuneration for a marketing effort that uses PHI, a valid authorization is required. The authorization must include a clear Remuneration Disclosure stating that you are paid to make the communication.
What counts as financial remuneration
- Direct or indirect monetary payment from, or on behalf of, the third party whose product or service the communication describes. Payment for treatment of the individual is not financial remuneration, and non-financial or in-kind benefits do not count for the marketing definition (although they can still make a disclosure a sale of PHI; see Sale of PHI).
- Per-message or per-recipient fees paid by (or on behalf of) that third party to you or to a Business Associate sending the outreach for you.
Authorization content for paid marketing
- Purpose and scope of the marketing communication.
- Identity of the covered entity and any recipient(s) of PHI.
- Explicit statement that the covered entity receives financial remuneration for the communication.
- Expiration, signature/date, revocation rights, and redisclosure notice.
Limited, cost-based payments for permissible refill reminders or currently prescribed drug communications do not trigger a marketing authorization, but you should still keep documentation supporting the cost basis.
Business Associate Agreements
Business Associates may create or deliver marketing on your behalf only as permitted by HIPAA and your Business Associate Agreement (BAA). If an activity requires patient authorization, neither you nor the Business Associate may proceed without obtaining and honoring that authorization.
BAA provisions to support compliance
- Limitations on use/disclosure of PHI strictly to contracted services.
- Obligation to verify and track applicable authorizations and revocations.
- Prohibition on paid marketing or PHI sales absent required Written Authorization.
- Flow-down of these restrictions to subcontractors handling PHI.
Ensure your BAA delineates responsibilities for content approval, Remuneration Disclosure, record retention, and timely cessation of outreach upon revocation.
Opt-Out Rights
When marketing relies on an authorization, the individual may revoke it at any time in writing. Once you receive the revocation, you must stop using or disclosing their PHI for that purpose, except to the extent you have already taken action in reliance on the authorization. Propagate revocations promptly to every channel and vendor involved in the campaign.
For communications permitted without authorization (for example, face-to-face messages or nominal gifts), HIPAA does not mandate a Patient Opt-Out. Nevertheless, offering a simple opt-out is a best practice and is often required by other laws (for example, CAN-SPAM for commercial email and the TCPA for text messages and autodialed calls) or by organizational policy.
Practical opt-out methods
- One-click unsubscribe links in emails and a toll-free number for mail/phone outreach.
- “Reply STOP” for text messages and clear in-office preferences for face-to-face interactions.
- Centralized suppression lists shared with Business Associates to prevent future sends.
Sale of PHI
HIPAA generally prohibits the sale of PHI without a specific PHI Sale Authorization. A "sale" occurs when you or your Business Associate directly or indirectly receive remuneration, financial or otherwise, from or on behalf of the recipient of the PHI in exchange for the PHI. The authorization must state that the disclosure will result in remuneration to the covered entity.
Common exceptions (no PHI Sale Authorization required)
- Public health activities or disclosures required by law.
- Treatment and payment.
- Research, where the only remuneration is a reasonable, cost-based fee covering the cost of preparing and transmitting the PHI.
- Sale, transfer, merger, or consolidation of all or part of the covered entity, including related due diligence.
- Remuneration to a Business Associate for services performed under a BAA (not for the PHI itself).
- Disclosures to the individual (or personal representative) who is the subject of the PHI.
- Any other disclosure the Privacy Rule permits where the only remuneration is a reasonable, cost-based fee for preparing and transmitting the PHI, or a fee otherwise expressly permitted by law.
Marketing arrangements that involve being paid for patient lists, segmentation, or other PHI exchanges can trigger the sale prohibition. Analyze compensation structures carefully and secure a PHI Sale Authorization when required.
Conclusion
To market compliantly under HIPAA, start with the rule: no use of PHI for marketing without a valid, signed authorization. Apply narrow exceptions, add Remuneration Disclosures when paid, bind vendors through strong BAAs, honor revocations and opt-outs quickly, and avoid PHI sales absent explicit authorization.
FAQs
What constitutes marketing under HIPAA?
A communication is marketing if it promotes a product or service and encourages the recipient to purchase or use it. Messages about your own services, treatment, or care coordination are not marketing unless they are financed by a third party beyond limited cost-based allowances.
When is individual authorization required for PHI use in marketing?
You need a patient's Written Authorization before using or disclosing PHI for any marketing communication, including when a third party pays you to make the outreach. The exceptions are narrow: face-to-face communications and nominal gifts need no authorization, and treatment communications, descriptions of your own services, and refill reminders about a currently prescribed drug are not marketing at all, so long as no third party pays for them (beyond cost-related amounts for refill reminders).
Are there exceptions to the authorization requirement?
Yes. Face-to-face communications, nominal promotional gifts, treatment or care coordination messages, and descriptions of your own services can be made without authorization if they are not subsidized by a third party. Refill reminders about a currently prescribed drug are also allowed when payments are limited to reasonable costs.
What disclosures must be included in the authorization for marketing purposes?
A valid marketing authorization must describe the PHI and purpose, identify the parties involved, set an expiration date or event, and include the individual's signature and date. It must explain revocation rights, state that treatment or benefits are not conditioned on signing, and warn of potential redisclosure. If any third-party payment is involved, it must also include a clear Remuneration Disclosure stating that you are paid to make the communication.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.