The Intake

Insights for those starting, managing, and growing independent healthcare practices

What medical practices need to know about HIPAA and healthcare marketing

Here’s the essential guide with concrete tips and examples for how your practice can carry out HIPAA-compliant marketing. 


At a Glance

  • HIPAA’s Privacy Rule requires healthcare providers to get a patient’s written authorization before using or disclosing protected health information (PHI) for marketing. Some exceptions apply, such as face-to-face communication and promotional gifts of nominal value.
  • Healthcare providers must train staff on HIPAA rules, keep policies updated, post privacy notices, retain compliance records, and have a breach response plan.
  • To use third parties for marketing activities involving PHI, providers must have Business Associate Agreements holding them to the same HIPAA standards for protecting patient privacy.

A marketing plan — how you’ll attract your ideal patients — is essential to growing a medical practice. But before you execute it, you should understand HIPAA, its rules around healthcare marketing, and how your practice can carry out HIPAA-compliant marketing. 

Understanding HIPAA and how it pertains to healthcare marketing

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect patient information. Its Privacy Rule covers the use and disclosure of patient-identifiable information — referred to as protected health information (PHI) — by individuals and organizations called covered entities (CEs). 

CEs include healthcare providers, health plans, and healthcare clearinghouses. A healthcare provider is a CE only if it transmits health information electronically in connection with a transaction for which HHS has adopted a standard, such as submitting insurance claims. For instance, a cash-only dermatologist who never bills insurance electronically would not be a CE, although state privacy laws may still apply to that practice.

HIPAA also binds business associates: vendors that create, receive, maintain, or transmit PHI on a CE’s behalf, including a marketing agency that is handed a patient list to run a campaign. Separately, if a third party pays the practice to send a communication promoting that third party’s product or service, the communication is marketing under the rule, and the patient’s authorization must state that the practice is being paid.

HIPAA’s Privacy Rule permits CEs to use and disclose PHI without the patient’s permission for treatment, payment, and healthcare operations, and in specific other situations, such as when disclosure is required by law. Outside those permitted purposes, a CE must obtain the patient’s prior written authorization, and marketing falls on that side of the line.


What do doctors need to know about HIPAA?

Here are some key aspects of HIPAA that doctors should be aware of:

1. What constitutes PHI

PHI is individually identifiable health information that a CE or business associate creates, receives, maintains, or transmits in any form, whether electronic, paper, or oral. It covers information that relates to a patient’s past, present, or future physical or mental health or condition, to the provision of healthcare to the patient, or to payment for that care, whenever the information identifies the patient or could reasonably be used to identify them. Demographic data held alongside health information counts as well.

Some examples of PHI include: 

  • the patient’s name, 
  • address, 
  • medical record number, and 
  • photograph.

2. What the Privacy Rule stipulates

Aside from requiring patient authorization for uses and disclosures of PHI it does not otherwise permit, HIPAA’s Privacy Rule gives patients the right to access their medical records, to request correction of inaccuracies, and to receive an accounting of certain disclosures of their PHI made outside of treatment, payment, and healthcare operations. 


The Privacy Rule also requires every CE to designate a privacy official who develops and implements its HIPAA-compliant privacy policies and procedures. The Security Rule separately requires CEs and business associates to designate a security official responsible for the safeguards described below.

3. What the Security Rule is

The HIPAA Security Rule sets out standards to protect electronic protected health information (ePHI) that a CE or business associate creates, receives, maintains, or transmits. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI: measures such as access controls, audit logging, and encryption that prevent unauthorized access, use, or disclosure of data.

A documented risk analysis, repeated as systems and vendors change, is a required administrative safeguard rather than an optional extra. Business associates who handle ePHI are directly bound by the same security standards, and a practice should confirm a vendor’s safeguards before handing over any patient data.

4. Who business associates are

Under the HIPAA Privacy Rule, a "Business Associate" is an individual or entity that performs functions or activities involving the use or disclosure of protected health information (PHI). This person or entity does so either on behalf of or in the provision of services to a covered entity such as a medical practice. 

These activities can be anything from marketing and data analysis to billing services. As long as the activities involve handling or accessing PHI, then the entity or person executing them is considered a business associate.


What does HIPAA say about marketing?

Healthcare marketing is the process of outreach and communication with prospective and existing patients. Healthcare marketing strategies can range from digital advertising, email marketing, and social media campaigns to traditional marketing through print, television, and billboards.

How does HIPAA define marketing? 

The HIPAA Privacy Rule says, “Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

There are some exceptions to this HIPAA definition of marketing. The exceptions provide a framework within which your practice can communicate effectively with patients.

The exceptions are communications that:

  • Support the patient’s treatment, including case management or care coordination, or recommend alternative treatments, providers, or settings of care. For example, appointment reminders and refill reminders do not count as marketing, and neither does informing a patient that they’ve been referred to a specialist for a follow-up.
  • Describe a health-related product or service that the CE itself provides, or that is included in the CE’s plan of benefits
  • Serve the CE’s own healthcare operations, such as contacting patients with information about treatment alternatives

One caveat applies to all of these: if a third party pays the practice to make the communication, the exception is lost and the communication becomes marketing that requires the patient’s written authorization. Refill reminders are the narrow exception to that caveat; they stay outside the definition as long as any payment is reasonably related to the cost of sending them.

How does HIPAA affect healthcare marketing?

An important element to remember about HIPAA’s Privacy Rule is that a practice may disclose PHI outside the organization without authorization only for the purposes the rule permits, chiefly treatment, payment, and healthcare operations. Marketing is not one of those purposes, so any marketing use or disclosure of PHI that does not fit an exception needs the patient’s prior written authorization.


HIPAA’s Privacy Rule treats most marketing activities that touch PHI as uses or disclosures requiring prior written authorization. That includes sharing patient lists with a marketing vendor, soliciting or publishing patient reviews that identify the patient, and, as HHS has cautioned, running third-party analytics or advertising trackers on pages where patients log in or book appointments, since the tracker can receive identifiable information about the patient. 

A HIPAA authorization is not an informal yes. It must be written in plain language and include specific elements: a description of the PHI to be used or disclosed, who may disclose it and to whom, the purpose, an expiration date or event, the patient’s dated signature, a statement of the right to revoke, and, where the practice is paid by a third party for the marketing, a statement that payment is involved. For email marketing, that means collecting a signed authorization before adding a patient’s address to a marketing list. Separately, federal anti-spam law (CAN-SPAM) requires that every marketing email carry an easy way to opt out, and the practice must honor opt-outs promptly.

However, patient prior authorization is not needed if the marketing is in the form of face-to-face communication and promotional gifts of nominal value.

Examples of when patient prior authorization is not needed

For instance, suppose your practice holds a health fair. During the event, your staff approaches attendees — some of whom are patients — face-to-face to discuss new health services or medical procedures your practice offers.

As a token of appreciation for listening, they give attendees a branded pen or notepad. The marketing is conducted face-to-face, and the promotional items (pens or notepads) are of nominal value. As a result, your practice does not need patients' prior authorization for either of these actions.

Another scenario where this exception could apply is during an office visit. A patient visits your practice for a routine check-up, and during the appointment, you talk to the patient about a new wellness program that their healthcare plan is offering. 

As the patient leaves, your front office staff hands them a brochure about the program along with a branded stress ball. Your recommendation about the wellness program is made face-to-face during the appointment, and the stress ball is a promotional item of nominal value, so the patient’s prior authorization is not needed.


HIPAA compliance in marketing activities is essential

Maintaining HIPAA compliance in all marketing activities is non-negotiable. Non-compliance can result in substantial fines and penalties, reputational damage, and ultimately worse care, because patients who do not trust a practice with their information share less of it. 


According to a recent study on medical record privacy perception, patients with concerns about their electronic health records being compromised are 3 times more likely to withhold information from their physicians.

6 standards for HIPAA-compliant healthcare marketing

Here are 6 standards and habits that your practice should adhere to for HIPAA-compliant marketing:

1. Train your staff 

You should ensure that all employees — from front office staff to nurses — are regularly trained on HIPAA rules and your specific practice policies. For staff involved in marketing and communications in any form, training related to the Privacy Rule and PHI should be thorough. 

2. Keep up with the rules

The United States Department of Health and Human Services (HHS) periodically updates HIPAA regulations and publishes new guidance through its Office for Civil Rights. As such, keeping abreast of HIPAA rules and cultivating a culture of compliance within your medical practice can help mitigate the risk of violation. 

You should also periodically review and update policies and procedures at your practice to ensure ongoing compliance. 

3. Distribute and display notice of privacy practices

Your practice should provide patients with a clear and detailed notice about how their information is used and protected. This notice should be available and provided to patients during their first practice visit. 

Your practice should provide patients with a clear and detailed notice about how their information is used and protected.

The HIPAA Privacy Rule specifies that CEs with a physical office should post their entire notice in a clear and prominent location. It does not, however, stipulate any specific format for the posted notice. It just stipulates that it should include the same information that is given directly to the patient.

4. Document and keep records

Your practice should retain documentation of all your HIPAA-related policies, procedures, risk assessments, training sessions, and signed patient authorizations. HIPAA requires this compliance documentation to be kept for at least 6 years from the date it was created or the date it was last in effect, whichever is later. (This is a retention period for compliance records, not for medical records themselves, which are governed by state law.) 

So, if a policy is implemented for 2 years before being revised or scrapped, a record of the original policy must be kept for at least 6 years after it stopped being in effect, that is, at least 8 years after it was created.

5. Set up a breach procedure

In the event of a breach of unsecured PHI, HIPAA’s Breach Notification Rule requires practices to notify the affected patients without unreasonable delay and no later than 60 days after discovery; to notify HHS (within 60 days if 500 or more individuals are affected, otherwise in an annual log); and, when a breach affects more than 500 residents of a state or jurisdiction, to notify prominent media outlets there. “Unsecured” is the operative word: PHI that was encrypted in line with HHS guidance is generally not treated as breached, which is one concrete reason the Security Rule’s encryption safeguard matters. While the goal is prevention, PHI breaches are common and are, in fact, on the rise. 

As of July 2023, healthcare organizations had reported 330 breaches of sensitive health information to HHS’ Office for Civil Rights. These breaches affected 41.4 million individuals. 


In 2022, the total annual number of individuals affected was 52 million. Consequently, your practice needs to prepare in advance for the possibility of breaches. It's essential to have a clear process for identifying and responding to them.

6. Manage business associate relationships diligently

Many practices use third-party companies to manage marketing and communications activities with patients. Under HIPAA, any such vendor that creates, receives, maintains, or transmits PHI on the practice’s behalf is a business associate. 

To ensure that patient data is appropriately safeguarded, enter into a Business Associate Agreement (BAA) with every entity or individual that handles PHI on your behalf before any PHI changes hands. A BAA spells out the permitted uses and disclosures of PHI, requires the business associate to implement the Security Rule’s safeguards, obliges it to report breaches and security incidents to you, requires it to bind any of its own subcontractors to the same terms, and requires it to return or destroy PHI when the engagement ends. A vendor that declines to sign a BAA should not receive PHI at all; if it needs only de-identified or aggregate data, give it only that.

Foster trust with compliant HIPAA marketing

Balancing HIPAA compliance and marketing can be challenging. Still, with a solid understanding of the rules and their nuances, your medical practice can devise and implement strategies that not only attract and retain patients but also foster trust and compliance. 


Tolu Ajiboye

Tolu Ajiboye is a writer and marketing consultant with over 7 years of experience helping biopharma and healthcare companies with marketing communications strategy and execution. She’s worked with multiple Fortune 500 companies, and has had her work appear in publications like NBC News and The Guardian UK. She also has a law degree.

Reviewed by

Baran Erdik, healthcare consultant and compliance expert

Baran Erdik, MHPA, has expertise in healthcare editing, administration, and policy. He currently works in healthcare compliance and consulting.
