What Does HIPAA Say About Marketing and PHI?

HIPAA defines marketing as any communication about a product or service that encourages someone to purchase or use it, and it generally requires written patient authorization before a covered entity can use protected health information (PHI) for that purpose. The rules are more nuanced than a blanket ban, though. Several common healthcare communications are explicitly exempt, and the line between “marketing” and “treatment” isn’t always obvious.

How HIPAA Defines Marketing

Under the Privacy Rule (45 CFR 164.501), marketing means making a communication that encourages recipients to purchase or use a product or service. That broad definition captures the obvious cases: selling a patient mailing list to a pharmaceutical company, sending promotional emails about a weight-loss supplement, or letting a third party target patients based on their diagnoses.

The key rule is straightforward: a covered entity or business associate must obtain a valid, written authorization from each individual before using their PHI for marketing. And if the entity will receive any financial benefit from a third party in exchange for sending that communication, the authorization must explicitly disclose that fact. You can’t bury it in fine print or omit it entirely.

Communications That Don’t Count as Marketing

HIPAA carves out three categories of communications that look like marketing but legally aren’t, as long as the covered entity receives no payment from a third party for making them:

  • Treatment-related communications. A doctor can recommend alternative treatments, suggest a specialist, or coordinate care without authorization. This includes case management and care coordination for an individual patient.
  • Describing your own products and services. A health plan can tell enrollees about network changes, plan enhancements, or health-related products available exclusively to members. A hospital can promote its own new clinic or screening program.
  • Care coordination that falls outside “treatment.” Contacting patients with information about treatment alternatives or related support functions is permitted even when it doesn’t meet the technical definition of treatment under HIPAA.

The critical qualifier: all three exceptions vanish the moment a third party pays the covered entity to make the communication. If a pharmaceutical company compensates your doctor’s office to send you a letter about a new drug, that’s marketing, and it requires your authorization, regardless of whether the drug is relevant to your care.

Two Exceptions That Skip Authorization Entirely

Even when a communication does qualify as marketing, two situations don’t require patient authorization. First, face-to-face conversations between a covered entity and an individual are always permitted. Your dentist can hand you a brochure for a teeth-whitening service during your appointment without getting a signed form first. Second, promotional gifts of “nominal value” are allowed. HIPAA doesn’t define a specific dollar amount for what counts as nominal, but think pens, magnets, or branded notepads rather than anything of real monetary worth.

The Financial Remuneration Rule

HIPAA treats the sale of PHI with particular suspicion. A covered entity or business associate cannot sell PHI unless the patient signs an authorization that clearly states the entity will receive payment for the disclosure. This applies broadly: if money changes hands in exchange for sharing patient data, the patient must know about it and agree to it in advance. There’s no workaround where an organization can frame the transaction as something other than what it is.

Your Right to Say No (or Change Your Mind)

If you’ve signed a marketing authorization, you can revoke it at any time. The revocation must be in writing, and it takes effect once the covered entity receives it, not when you mail it or hand it to a third party. The authorization form itself must clearly explain your right to revoke and describe the process for doing so. One important limit: revoking an authorization doesn’t undo actions the covered entity already took while the authorization was still valid.

Marketing Agencies and Business Associate Agreements

When a healthcare organization hires an outside marketing agency that will handle PHI, that agency becomes a business associate under HIPAA. Before any patient data changes hands, the two parties must sign a Business Associate Agreement (BAA) that spells out exactly how the agency can use the information, prohibits unauthorized disclosures, and requires the agency to implement security safeguards. The agreement must also mandate breach reporting, require the agency to return or destroy all PHI when the contract ends, and hold any subcontractors to the same standards.

This isn’t optional. A healthcare provider can’t simply email a patient list to a marketing firm and assume the firm will “handle it responsibly.” Without a BAA in place, the disclosure itself is a HIPAA violation.

Website Tracking and Digital Marketing

Online tracking technologies have become one of the most active areas of HIPAA enforcement. Tools like website analytics pixels and advertising trackers can collect information that qualifies as PHI when used on a healthcare website, particularly on authenticated patient portals or pages where users enter personal details. If that data flows to a tracking vendor without patient authorization and without a BAA in place, it’s an impermissible disclosure.

HHS issued guidance clarifying that covered entities must ensure any disclosures to tracking technology vendors comply with the Privacy Rule. In practice, this means healthcare organizations need to audit every pixel, cookie, and analytics tool on their websites. A June 2024 court order did narrow the scope of this guidance somewhat, ruling that HIPAA obligations aren’t automatically triggered just because an IP address connects someone to a visit on a public, unauthenticated webpage about a health condition. But the broader principle holds: tracking tools on authenticated pages or those collecting identifiable patient information remain squarely within HIPAA’s reach.
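As an added illustration of the audit described above (this is not code from the page or from HHS), the Python snippet below inventories the third-party scripts, pixels and iframes each page loads and flags pages on authenticated paths for BAA/authorization review; the path prefixes and the .example domains are assumptions.

```python
# Added example (not from the original page): a first-pass inventory of the
# third-party scripts, pixels and iframes a page loads, flagging pages on
# authenticated paths where such resources must be reviewed for a BAA.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: paths under these prefixes sit behind a patient login.
AUTHENTICATED_PREFIXES = ("/portal/", "/myhealth/", "/appointments/")

class _ResourceCollector(HTMLParser):
    """Collect src URLs of tags that can load a remote tracker."""
    TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)

def third_party_hosts(html, first_party_domain):
    """Hostnames loaded by the page that are not the site itself or a subdomain of it."""
    collector = _ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /static/app.js
        if host and host != first_party_domain and not host.endswith("." + first_party_domain):
            hosts.add(host)
    return sorted(hosts)

def audit_page(path, html, first_party_domain):
    """Summarise one page: authenticated or not, and which outside hosts it calls."""
    hosts = third_party_hosts(html, first_party_domain)
    authenticated = path.startswith(AUTHENTICATED_PREFIXES)
    return {
        "path": path,
        "authenticated": authenticated,
        "third_party_hosts": hosts,
        # An authenticated page calling any outside host needs a BAA or authorization review.
        "needs_review": authenticated and bool(hosts),
    }

# Constructed sample pages; the .example domains are placeholders, not real vendors.
PORTAL_PAGE = ('<html><body><script src="https://analytics.example/tag.js"></script>'
               '<img src="//tracker.example/px.gif" width="1" height="1">'
               '<script src="/static/portal.js"></script></body></html>')
PUBLIC_PAGE = '<html><body><img src="https://cdn.clinic.example/logo.png"></body></html>'
```

This is a static first pass over served HTML; tags injected at runtime by a tag manager or by another script only show up in a browser-based check of the actual network requests.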

What This Means in Practice

For healthcare organizations, the practical takeaway is that most patient communications about your own services, care coordination, and treatment recommendations are fine without authorization. The moment a third party pays you to send a message, or you share patient data with an outside company for promotional purposes, you need explicit written authorization from each patient. That authorization must disclose any financial arrangement and explain how patients can revoke consent.

For patients, the rule gives you meaningful control. No one can use your health information to market to you without your knowledge and written permission. If you’re receiving promotional materials from companies you’ve never heard of, and you never signed an authorization, someone along the chain likely violated HIPAA. You can file a complaint with the HHS Office for Civil Rights, which investigates and enforces these rules.