Marketing Case Studies Under HIPAA: What’s Allowed, What Requires Authorization

Kevin Henry

HIPAA

September 19, 2024

7 minutes read

HIPAA Definition of Marketing

Core definition you can apply

Under the HIPAA Privacy Rule, “marketing” means a communication about a product or service that encourages the recipient to purchase or use that product or service. Promoting a third party’s offering to your patients, or promoting a product or service of your own that is not health-related, falls squarely inside that definition.

By contrast, the rule carves out communications made for the treatment of the individual, for case management or care coordination, or to describe a health-related product or service that you provide or that is included in a plan of benefits. Those are not marketing. The one thing that changes the answer is money: if a third party pays you to make a communication about its product or service, the communication is marketing however it is framed (refill reminders paid at cost are the exception). So the questions to ask are: what is being promoted, who provides it, and who is paying for the communication.

Practical examples

  • Marketing: an email campaign urging former patients to try a partner’s new device.
  • Not marketing: a message advising a patient to schedule post-operative physical therapy you provide as part of their treatment plan.

Because a case study can both educate and promote, evaluate three things before publishing one: what it promotes, whether a third party is paying for it, and whether it uses Protected Health Information (PHI). Those three answers decide whether the piece needs an authorization at all and, if so, what the authorization must say.

Authorization Requirements for PHI Use

When written authorization is required

If a marketing communication uses or discloses PHI, you must first obtain the patient’s written Authorization for Use and Disclosure. This includes case studies, testimonials, before-and-after photos, videos, audio clips, or narrative details that could identify a patient directly or indirectly.

What a valid authorization includes

  • A description of the specific PHI to be used or disclosed (e.g., images, diagnosis, dates).
  • The name(s) of the person/organization authorized to use or disclose and to receive the PHI.
  • The purpose (e.g., publication of a marketing case study on your website and social channels).
  • An expiration date or event.
  • The patient’s signature and date, plus, when applicable, a personal representative’s authority.
  • Notice of the right to revoke in writing and how to do so.
  • A statement that information redisclosed by recipients may no longer be protected by HIPAA.
  • If you receive financial remuneration from a third party for the communication, a statement that such remuneration is involved (see Requirements for Remuneration Disclosure below).

Keep the signed authorization with the medical record or in a designated repository, give the patient a copy, and track revocations, expirations, and every place the case study appears. HIPAA requires that authorizations be retained for at least six years. When you use PHI under a valid authorization, the “minimum necessary” standard does not apply, but limiting the story to the details the authorization actually describes keeps you inside its scope and reduces exposure if it is later revoked.

Exceptions to Authorization

Common exceptions you can rely on carefully

  • Face-to-face communications: a promotional communication made in person by you to the individual does not require authorization, even if a third party pays for it.
  • Promotional gifts of nominal value: items such as pens, calendars, or tote bags provided by you to the patient do not require authorization.
  • Refill reminders and other communications about a drug or biologic currently prescribed for the individual, provided that any financial remuneration you receive for the communication is reasonably related to your cost of making it.
  • Communications that describe a health-related product or service you provide or that is included in the patient’s plan of benefits (e.g., a new clinic location, a covered care-management program), as long as no third party pays you to make them.

These exceptions are narrow. If a third party funds the outreach and you are promoting that party’s product or service, you likely need authorization unless the communication qualifies as a refill reminder with only cost-based support.

De-Identification of Protected Health Information

Two compliant pathways

  • Safe Harbor: remove all 18 categories of identifiers listed in the rule (names; geographic units smaller than a state, other than the first three digits of a ZIP code covering more than 20,000 people; all date elements except the year; ages over 89; contact data; full-face photos; device serial numbers; and the rest) and have no actual knowledge that the remaining information could be used, alone or with other information, to identify the patient.
  • Expert Determination: obtain a documented assessment from a qualified statistician or other expert that the risk of re-identification is very small, and retain the methods and results in your files.

Applying de-identification to case studies

When you de-identify PHI under HIPAA’s de-identification standard, the information is no longer PHI and may be used in marketing without authorization. For narrative case studies, remove or generalize unique facts: a rare diagnosis, an age over 89, any date more specific than the year, a location smaller than a state, or an image with distinctive features such as tattoos. Safe Harbor lists specific identifiers, but its “no actual knowledge” prong means that an unusual condition or event in a small community can still defeat de-identification even when every listed identifier is gone.

Maintain a defensible process: use a checklist, have a privacy reviewer sign off, and keep before/after versions showing exactly what was removed. If true de-identification is not feasible, obtain authorization before publishing.
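The Safe Harbor pathway and the before/after process described above are mechanical enough to script. The following is an added example, not code from the original article or from Accountable: it applies the Safe Harbor rules to a structured case-study record (drop direct identifiers, keep only the year of dates, aggregate ages over 89, truncate ZIP codes to three digits and blank restricted prefixes), returns a change log you can file as before/after evidence, and then scans the free-text narrative for identifiers that survived. The field names, the sample record and the restricted-ZIP set are constructed for illustration; in real use, map your own schema onto the categories and load the current restricted-prefix list from Census data.

```python
"""Safe Harbor de-identification of a structured case-study record.

Added example for this article; not the article's or Accountable's code.
Rules follow 45 CFR 164.514(b)(2). Field names and sample data are
constructed placeholders.
"""
from __future__ import annotations

import re
from datetime import date

# Categories Safe Harbor removes outright. Constructed field names; map
# your own schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "procedure_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become
# "000". This set is a constructed placeholder, not the real Census list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821"}


def deidentify_date(value: str) -> str:
    """Keep only the year of an ISO date: '2024-03-14' -> '2024'."""
    return str(date.fromisoformat(value).year)


def deidentify_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def deidentify_zip(zip_code: str) -> str:
    """Truncate to the first three digits; blank restricted prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify_record(record: dict) -> tuple[dict, list[str]]:
    """Return a Safe Harbor copy of `record` plus a log of every change.

    The log is the before/after evidence the privacy reviewer signs off on.
    """
    clean: dict = {}
    log: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            log.append(f"removed {field}")
        elif field in DATE_FIELDS:
            clean[field] = deidentify_date(value)
            log.append(f"{field}: kept year only")
        elif field == "age":
            clean[field] = deidentify_age(value)
            if value > 89:
                log.append("age: aggregated to 90+")
        elif field == "zip":
            clean[field] = deidentify_zip(value)
            log.append(f"zip: truncated to {clean[field]}")
        else:
            clean[field] = value  # clinical content stays; reviewer checks it
    return clean, log


# Patterns that commonly leak into narrative text after structured fields
# are scrubbed. The scan flags; it does not silently rewrite, because the
# "no actual knowledge" prong still needs a human decision.
RESIDUAL_PATTERNS = {
    "full date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "age over 89": re.compile(r"\b(?:9\d|1\d\d)[- ]year[- ]old\b"),
}


def find_residual_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (label, matched text) for every suspicious token in `text`."""
    return [(label, m.group(0))
            for label, pat in RESIDUAL_PATTERNS.items()
            for m in pat.finditer(text)]


# Constructed, fictional patient record for demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0048213",
    "email": "jane@example.org",
    "dob": "1931-06-02",
    "age": 93,
    "zip": "03601",
    "admission_date": "2024-03-14",
    "diagnosis": "osteoarthritis, left knee",
    "narrative": "A 93-year-old patient admitted on 03/14/2024 for knee replacement.",
}

if __name__ == "__main__":
    clean, log = deidentify_record(SAMPLE_RECORD)
    print("\n".join(log))
    print(clean)
    for label, hit in find_residual_identifiers(clean["narrative"]):
        print(f"REVIEW: {label}: {hit!r}")
```

Run on the sample, the structured fields come out clean (year-only dates, age "90+", ZIP "000"), but the scan still flags "93-year-old" and "03/14/2024" inside the narrative. That is the point of the second pass: scrubbing the database fields is not the same as scrubbing the story, and the reviewer who signs off needs to see both the change log and the residual hits.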

Differentiating Marketing and Treatment Communications

How to make the call

Treatment communications guide an individual’s care: recommending therapies, referring to specialists, or coordinating services. Marketing communications aim to persuade individuals to use a product or service, especially those of a third party or those not tied to the person’s current care.

  • Treatment: a secure message recommending a specific imaging study for the patient’s current diagnosis.
  • Marketing: a newsletter promoting a discounted screening to the general public.

If a third party provides financial support to send the message, recheck the classification. With remuneration, a communication that otherwise looks like operations or treatment can become “marketing” and require authorization.

Requirements for Remuneration Disclosure

What counts and what to disclose

Financial remuneration means direct or indirect payment from, or on behalf of, a third party whose product or service is being described. Payment for treating the individual, and in-kind benefits such as free supplies, are not financial remuneration. If you will receive such payment for a marketing communication that uses PHI, the authorization must state that the communication involves remuneration to you from a third party. The rule requires that statement; naming the sponsor is good practice rather than a requirement.

  • Be specific where you can: name the sponsor or describe the relationship (e.g., “Our practice receives financial support from ABC Pharma to share this information”).
  • Use only the PHI the authorization describes, and retain the authorization with your campaign records.
  • Remember the carve-out: a refill reminder or other communication about a currently prescribed drug, paid for at no more than your reasonable cost of making it, is not marketing at all, so neither an authorization nor a remuneration statement is required.

Guidelines for Patient Testimonials and Case Studies

Design choices that keep you compliant

  • Prefer de-identified stories: aggregate outcomes, general timeframes, and composite scenarios to prevent re-identification.
  • If identification is possible, obtain a HIPAA-compliant authorization before using names, images, voices, or distinctive facts.
  • For photos and video, consider cropping, blurring, or staging with models; do not rely on partial masking if tattoos or surroundings can still identify the person.
  • For minors and incapacitated patients, obtain authorization from a personal representative as required.
  • Avoid including diagnoses, dates of service, provider names, or device IDs unless explicitly authorized.

Operational safeguards

  • Standardize consent documentation with plain-language authorization forms and separate checkboxes for website, print, social media, and press, so the patient can decline individual channels.
  • Record retention: store signed authorizations and any Expert Determination reports for at least six years; track expiration and revocation.
  • Vendor management: a marketing agency, photographer, or editor that receives PHI on your behalf is a business associate and must sign a business associate agreement before it gets the data. If a vendor only ever receives de-identified material, no agreement is needed, but the de-identification has to happen before the handoff, not after.
  • Quality review: privacy approval before publication and again after layout to catch inadvertent identifiers (a photo background, a date in a caption, a device serial in a screenshot).

Conclusion

Case studies can educate and inspire, but HIPAA sets clear boundaries. Use de-identified information whenever possible; when PHI is involved, secure a valid authorization and state any third-party remuneration in it. Apply the narrow exceptions carefully, and document every decision so you can show how each piece was cleared.

FAQs

What constitutes marketing under HIPAA?

Any communication that encourages a person to purchase or use a product or service is marketing. Communications focused on an individual’s care—such as treatment recommendations or care coordination—or that describe your own services or plan benefits are generally not marketing, unless financial remuneration from a third party is involved.

When is patient authorization required for sharing case studies?

You need written authorization whenever a case study uses PHI that could identify a patient, including names, images, voices, exact dates, locations, or unique clinical details. If the information is truly de-identified, no authorization is required.

How can PHI be properly de-identified?

Use one of two methods: remove HIPAA’s 18 identifiers under the Safe Harbor approach and avoid any actual knowledge of re-identification risk, or obtain an Expert Determination documenting that the risk of identification is very small. Keep the documentation with your records.

Are face-to-face marketing communications exempt from authorization?

Yes. Face-to-face communications from you to the individual, and promotional gifts of nominal value, do not require authorization. Other marketing that uses PHI generally requires authorization, especially when supported by third-party remuneration.
