HIPAA and Marketing: When You Need Authorization and What “Marketing” Actually Means
Healthcare organizations communicate with patients constantly. Some of those communications are purely clinical, such as follow-up instructions, lab reminders, or care coordination. Others are operational, such as billing notices, network updates, or benefit explanations. Then there is a third bucket that often gets mislabeled: marketing. Under HIPAA, marketing is not “anything promotional” in the everyday sense. It is a defined category of communications that triggers a tighter rule set because it can convert a patient relationship into a targeting channel built on protected health information (PHI).
The practical consequence for small practices is that marketing compliance is mostly about boundary control. You need to know which messages are treated as marketing, which messages fall into the Privacy Rule’s exceptions, and which messages require an authorization that is built and managed correctly. A clinic can do a lot of outreach legally, but the safe path is rarely “just send the message.” The safe path is to classify the communication, confirm whether any third party is paying for it, and then design the workflow so PHI is not used or disclosed in ways HIPAA restricts.
Informational note: This report is for informational purposes only and does not constitute legal advice.
The HIPAA marketing framework in plain terms
HIPAA uses a simple structural idea. If a communication encourages a person to purchase or use a product or service, and it uses or discloses PHI to make that communication, it is likely marketing unless an explicit exception applies. The reason this matters is that the Privacy Rule generally requires an individual’s written authorization before a use or disclosure of PHI can be made for marketing purposes, with limited exceptions. OCR explains this policy goal directly in its marketing guidance and distinguishes marketing communications from communications that are essential for care and coverage operations.
What makes this tricky in real clinic life is that “treatment,” “health care operations,” and “marketing” overlap in ordinary language. A provider can recommend a service and that recommendation can sound like marketing even when it is simply treatment communication. OCR explicitly acknowledges that overlap and explains that the Privacy Rule defines these terms so they can be distinguished, and that communications falling within the exceptions to marketing are not subject to the marketing restrictions.
The discipline is therefore not “avoid all promotion.” The discipline is “know which category your message belongs to, and prove it.” If you can classify the communication correctly, most of the rules become predictable.
What HIPAA means by “marketing”
The core definition is in the Privacy Rule’s definitions section. Marketing means making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, except as provided in the definition’s carveouts.
OCR’s marketing guidance mirrors this and gives concrete examples of communications that require prior authorization. Those examples include a hospital informing former patients about a cardiac facility that is not part of the hospital and where the communication is not for treatment advice, and a health insurer promoting a home and casualty insurance product offered by the same company. Those examples are useful because they show what triggers the rule: the message is encouraging purchase or use, and it is not tightly connected to treatment, plan benefits, or care coordination.
HIPAA also includes a second, separate concept that often surprises people. OCR explains that “marketing” also includes an arrangement where a covered entity discloses PHI to another entity, in exchange for direct or indirect remuneration, for the other entity (or its affiliate) to send communications about its own product or service that encourage recipients to purchase or use it. OCR notes that this part of the marketing definition has no exceptions, and it uses examples like selling a health plan member list to a device company or providing a patient list to a drug manufacturer for coupon mailings in exchange for remuneration. In practical terms, once you are disclosing patient lists to third parties so they can market their products, HIPAA treats that as marketing even if someone tries to label it as a “partnership.”
This is why marketing compliance is often less about the content of the message and more about the data supply chain behind the message. If PHI is being used as the raw material for someone else’s marketing, you are in the most restricted area of the rule.
What is not marketing, and why the exceptions exist
HIPAA does not try to block ordinary health care communications. Instead, it defines marketing and then carves out specific categories that are important for patient care and health plan functioning. The marketing definition itself states that marketing does not include certain types of communications, and OCR’s guidance organizes those carveouts into three categories that show up in real clinic operations.
Communications about your own health related products or services, or plan benefits
A communication is not marketing if it describes a health related product or service, or payment for it, that is provided by the covered entity or included in the covered entity’s plan of benefits. OCR gives examples such as a hospital using its patient list to announce a new specialty group or new equipment, and a health plan sending subscribers materials describing its Medicare supplemental plan. The point is that HIPAA allows a covered entity to communicate about its own health related offerings because that is often part of how patients navigate care.
A subtlety matters here. This carveout is not a free license to use PHI for any promotional activity. It applies to communications describing health related products or services provided by the covered entity, or included in the plan’s benefits, which is narrower than “anything the clinic wants to promote.” When practices stretch this exception to cover broad reputation marketing, they are relying on an interpretation that may not hold up when scrutinized.
Treatment communications
Marketing does not include communications made for treatment of the individual. The definition explicitly includes treatment communications, and OCR gives examples such as prescription refill reminders and referrals to specialists. The essential concept is that HIPAA does not want marketing restrictions to interfere with clinical recommendations and follow-up that are part of care.
This is the exception that most people intuitively understand, but it is also the one most likely to be undermined by payment from a third party. The marketing definition excludes certain treatment communications except where the covered entity receives financial remuneration in exchange for making the communication. That phrase is not decoration. It is the hinge that turns “treatment communication” into “marketing” when the communication is effectively sponsored.
Case management, care coordination, and recommending alternatives
Marketing does not include communications made for case management or care coordination, or to direct or recommend alternative treatments, therapies, providers, or settings of care. OCR gives examples such as sharing a patient’s medical record with programs to determine which suits the patient’s needs, or a social worker sharing information with nursing homes while recommending transfer placement. This carveout recognizes that patient navigation often requires communications that look “promotional” in a generic sense but are actually care coordination work.
As with treatment communications, the definition conditions this exception on the absence of financial remuneration in exchange for making the communication, with the refill reminder structure handled separately. If a third party is paying you to steer patients toward a specific service, HIPAA assumes you are not doing pure coordination anymore and asks for patient permission through authorization.
Financial remuneration: the detail that changes the analysis
HIPAA’s marketing rules become much tighter when money is involved. The marketing definition includes a specific definition of “financial remuneration” that is narrower than “any benefit.” Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. The definition also states that direct or indirect payment does not include any payment for treatment of an individual.
That means you should treat third party sponsored outreach as a separate compliance category. If an outside entity wants you to send communications about its product or service, and you will be paid for doing so, you should assume you are in marketing territory unless you can clearly fit within a regulatory exception. In most clinic scenarios, the exceptions that remain available in the presence of sponsorship are limited, with face to face marketing and promotional gifts of nominal value being the classic examples.
The refill reminder area is the one place HIPAA provides a structured, cost-related allowance. If you are not in that zone, the simplest risk reducing rule is to treat paid messaging about third party products as marketing that requires authorization.
Refill reminders and medication adherence programs: a narrow, technical exception
HIPAA treats refill reminders differently because they often serve patient adherence and safety and because they have been a common channel for drug and device outreach. The marketing definition excludes refill reminders or other communications about a drug or biologic currently being prescribed for the individual, but only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
OCR’s refill reminder guidance adds operational detail that matters when practices or pharmacies use vendors to run adherence programs. OCR explains that communications about drugs or biologics currently prescribed fall within the refill reminder exception when remuneration is reasonably related to the cost of making the communication, and it discusses how this can apply to certain aspects of drug delivery systems. OCR also discusses how business associates can be used to assist in making these communications, and it describes limits on payments to a business associate from a manufacturer when the business associate is acting on behalf of the covered entity to assist with the communication.
For most small practices, the lesson is not to become experts in sponsored adherence economics. The lesson is to recognize that refill reminders are a narrow exception with defined conditions, and that broader sponsored outreach usually requires authorization. If you have a vendor proposing a patient messaging program paid for by an external sponsor, you should treat it as a compliance review item, not as a routine marketing decision.
When authorization is required, and the two exceptions even marketing can use
HIPAA’s authorization rule for marketing is explicit. A covered entity must obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of a face to face communication made by the covered entity to an individual, or a promotional gift of nominal value provided by the covered entity.
HIPAA also requires an additional transparency statement when money is involved. If the marketing involves financial remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. This is a practical “no surprises” rule: if the clinic is being paid to market, the patient’s authorization must disclose that fact.
Clinics should interpret the face to face and nominal gift exceptions narrowly. They allow certain in-person discussions and low value promotions without written authorization, but they do not authorize mass messaging campaigns, list-based targeting, or disclosure of patient lists to third parties. OCR’s marketing guidance illustrates the limited nature of these exceptions with examples like providing a free package of baby products to new mothers as they leave a maternity ward and an in-person insurance sales interaction.
What a valid marketing authorization needs to contain, and what you cannot do with it
Getting authorization is not simply “have the patient sign a form.” HIPAA defines what must be in a valid authorization, and marketing authorizations are often invalid because they are vague, combined improperly with other documents, or presented as a condition of care.
The authorization must include core elements such as a description of the information to be used or disclosed, identification of who is authorized to disclose and who may receive it, a description of each purpose of the use or disclosure, an expiration date or event, and the individual’s signature and date. If a personal representative signs, the representative’s authority must be described.
The authorization must also include required statements that place the individual on notice of the right to revoke in writing, the ability or inability to condition treatment or other benefits on signing, and the potential for redisclosure by the recipient. HIPAA also requires the authorization to be written in plain language, and it requires the covered entity to give the individual a copy of the signed authorization.
There is also a structural prohibition that matters in marketing contexts: a covered entity generally may not condition treatment, payment, enrollment, or eligibility for benefits on the provision of an authorization, with limited exceptions that are not marketing-oriented. This is why “sign this marketing authorization or we will not treat you” is a bad idea both legally and operationally. Patients are allowed to say no, and the clinic must be able to keep operating without coercion.
Finally, individuals can revoke an authorization in writing at any time, with limited reliance-based exceptions. That means your marketing workflow has to support revocation as a real operational event, not as a legal footnote. If a patient revokes, you need a mechanism to stop future marketing uses and disclosures under that authorization.
Using vendors to send outreach: marketing does not remove business associate obligations
Modern marketing is usually executed through vendors, such as email platforms, texting platforms, print mailing houses, or analytics tools. HIPAA does not prohibit using vendors, but it does change what you must do with PHI when a vendor is involved. OCR’s marketing guidance states that for any of the three exceptions to the marketing definition, the activity must otherwise be permissible under the Privacy Rule, and a covered entity may use a business associate to make the communication. OCR also emphasizes that, as with any disclosure to a business associate, the covered entity must obtain the business associate’s agreement to use the PHI only for the communication activities of the covered entity.
That line is the operational center of gravity for small practices. If you are using a vendor to message patients and the vendor will handle PHI, you need an appropriate contract structure that limits use to what you are doing. If you cannot obtain that agreement, your choices narrow quickly: redesign the workflow so the vendor never receives PHI, or choose a different vendor.
This is also why “we will just upload a list of emails” can be dangerous. Patient email addresses, phone numbers, and appointment related context can be PHI depending on how they are associated with care. If you transmit that data to a vendor for outreach, you have made a PHI disclosure and must be able to justify it under HIPAA’s permitted uses and disclosures or an authorization.
Common clinic scenarios and how the marketing rules apply
Promoting new services you offer
A clinic announcing a new service line, a new specialist joining the practice, or new equipment can often fit within the “own health related products or services” exception when the message describes health related services provided by the clinic. OCR’s guidance uses hospital examples that illustrate this concept, including announcements of a new specialty group or new equipment via general mailing or publication.
Where practices get into trouble is when they combine this type of message with third party sponsorship, cross promotion with an outside business, or disclosure of patient lists to another entity so that entity can market its own product. Those fact patterns start to drift away from the exception and toward marketing that needs authorization.
Recommending a specific outside provider or program
Care coordination and recommending alternative treatments or settings of care can fall outside marketing under the marketing definition’s coordination exception, and OCR gives care coordination examples involving sharing information to identify appropriate programs or facilities.
The problem is not the recommendation itself. The problem is the incentives around the recommendation. If an outside program pays the clinic to send patients promotional communications, or pays for the clinic’s outreach, the clinic is no longer simply coordinating care. HIPAA treats paid communications about third party products or services as marketing and expects authorization unless a narrow exception applies.
A workable practice posture is to separate clinical referral workflows from promotional outreach workflows. Referral workflow documentation should be clinical and based on patient need. Promotional outreach should be treated as marketing compliance work with authorization if PHI is used or disclosed to support it.
Sharing patient success stories, testimonials, and photos
The marketing definition focuses on communications encouraging purchase or use of a service, but in practice, testimonials and patient stories are almost always marketing content. If the clinic uses an identifiable patient story to promote services, it is using the patient’s health information context in a promotional way. In almost all such cases, the safe course is to obtain a HIPAA authorization that is specific, written in plain language, and revocable, and that clearly identifies what information will be used, where it will appear, and for what purpose.
Clinics should also be careful about “de-identifying” stories casually. A story can still identify a person if details make the individual reasonably identifiable, even without a name. If a clinic wants to use outcomes narratives for marketing, a de-identification method consistent with HIPAA’s de-identification standard can be a safer approach, but it must be done rigorously, not by removing a name and hoping.
Outsourcing patient outreach to a third party who wants to market its own product
This is the sharpest edge. OCR’s marketing guidance explicitly describes marketing as including arrangements where the covered entity discloses PHI to another entity in exchange for direct or indirect remuneration so that the other entity can market its own product or service, and OCR states there are no exceptions to that part of the definition. In other words, selling or trading patient lists for someone else’s marketing is in the category that HIPAA treats most restrictively.
If a vendor proposes “we will pay you, and you give us your patient list so we can send offers,” that is the kind of model HIPAA expects to be permissioned by the patient through authorization. A practice that wants to stay out of enforcement trouble should treat this as a disqualifying vendor proposal unless it is rebuilt around de-identified data or explicit patient authorization with full transparency.
Marketing versus fundraising: similar mechanics, different rules
Clinics sometimes confuse fundraising with marketing because both involve outreach. HIPAA treats fundraising under a different section with its own conditions, and it is not simply “marketing with a nicer label.” The Privacy Rule permits a covered entity to use or disclose certain limited categories of PHI for fundraising for its own benefit without an authorization meeting the requirements of 164.508, subject to conditions. The permitted categories include demographic information and contact information, dates of health care, department of service information, treating physician, outcome information, and health insurance status.
Fundraising also comes with strict opt-out mechanics and notice requirements. The rule requires that the entity’s notice of privacy practices include the required statement if the entity will use or disclose PHI for fundraising, and each fundraising communication must provide a clear and conspicuous opportunity to opt out of receiving further fundraising communications. The opt-out method cannot impose an undue burden or more than nominal cost, treatment or payment cannot be conditioned on the individual’s choice, and once a person opts out, the entity may not send further fundraising communications unless the individual opts back in.
The operational lesson is that marketing and fundraising often look similar in email form, but the compliance logic is different. Fundraising allows limited PHI categories without authorization if you give proper notice and maintain opt-out controls. Marketing generally requires authorization when PHI is used or disclosed for the marketing purpose, unless a specific marketing exception applies.
A practical compliance process for small practices
A small practice does not need a marketing law department to get this right, but it does need a repeatable gate. The simplest working gate is to require that three factual questions be answered, and the answers documented, for every planned patient-facing promotional campaign before it is sent.
First, does the communication encourage purchase or use of a product or service, or is it primarily a clinical or plan administration message? This is the threshold that drives whether you are even in marketing territory.
Second, does the message fit clearly within one of the marketing definition’s exceptions, such as treatment, care coordination, or communications about your own health related services or plan benefits? If it does, confirm it is otherwise permissible under the Privacy Rule and document the basis for the classification. OCR explicitly ties the exceptions to the rule and emphasizes they must be otherwise permissible.
Third, is there any direct or indirect payment from or on behalf of a third party whose product or service is being described, or any arrangement that involves disclosing PHI to another entity for remuneration so that entity can market its own product? If the answer is yes, assume authorization is required unless you are inside a narrowly defined exception like refill reminders under the cost-related condition.
Once this gate exists, the rest is execution. If authorization is required, use an authorization template that satisfies 164.508’s core elements and required statements, and build a revocation and retention workflow that actually works. If a vendor is involved, make sure the vendor’s access to PHI is constrained to what the clinic is doing, as OCR describes for business associate use in permitted communications.
Closing perspective
HIPAA does not ban outreach. It regulates the use of PHI as the fuel for commercial persuasion, particularly when third party money or third party products are involved. Small practices do best when they treat marketing compliance as a design problem: classify communications, minimize PHI exposure, require authorization when the rule demands it, and keep the vendor chain contractually bounded to clinic purposes. That approach is not only safer legally, it is simpler to run in a real clinic environment because it turns vague anxiety into a process that staff can follow.
Sources
HHS Office for Civil Rights, “Marketing” (HIPAA marketing guidance, definition, examples, exceptions, business associate use, face-to-face and nominal gift exceptions).
45 C.F.R. 164.501, “Definitions” (marketing definition, exceptions, and financial remuneration definition).
45 C.F.R. 164.508, “Uses and disclosures for which an authorization is required” (authorization required for marketing; face-to-face and promotional gift exceptions; remuneration disclosure; authorization elements, revocation, conditioning limits, plain language, copy to individual).
HHS Office for Civil Rights, “How can I distinguish between activities for treatment or health care operations versus marketing activities?” (OCR FAQ 279, treatment and health care operations overlap and reliance on marketing definition and exceptions).
HHS Office for Civil Rights, “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual” (refill reminder exception details and remuneration boundaries).
45 C.F.R. 164.514(f), “Fundraising communications” (permitted PHI categories for fundraising; NPP statement; opt-out mechanics; no conditioning; no contact after opt-out; opt-back-in option).
HHS Office for Civil Rights, “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule” (de-identification standard).