
What are HIPAA’s new rules for marketing?

Answer Common HIPAA Questions

By Marcia L. Brauchler, MPH, CMPE, CPC, CPC-H, CPC-I, CPHQ
The marketing rules under HIPAA have always been complicated. Larger providers have incurred hours of legal time to make sure they are in compliance. Smaller providers tend to hold their breath and hope they aren’t running afoul of any marketing rules. And HIPAA’s final rule, effective September 23, 2013, didn’t simplify anything.
The government will tell you that the marketing rules have been “tightened” to restrict activities involving patient protected health information (PHI) that were occurring under the previous (2002) HIPAA regulations. Privacy officers will tell you it has become a lot more difficult to determine whether an activity you’ve been doing for years now constitutes “marketing.” The activity might be marketing; it might be marketing, but exempt from the definition of marketing under HIPAA rules; or it might be marketing, but of a particular type that doesn’t require authorization from the patient. Yikes!
The bottom line: Providers need to assess their activities that use PHI, and that are “communications” (verbal or written), to find out if they are marketing (as defined by HIPAA) to their patients. And if they are marketing, they need to get authorization from patients.
What Is “Marketing?”
Marketing (as defined by present and previous HIPAA regulations) is a communication (verbal or written) that encourages an individual to use or purchase a product or service. If PHI is used to generate a list of patients to whom a communication is being sent on behalf of a third party, you are probably flirting with “marketing” under HIPAA, and are required to obtain patient authorization before undertaking the activity, mailing, etc.

Must you get the patient’s written permission for everything? Not quite. There are a few marketing activities that the federal government has said do not require patient authorization. The following activities constitute marketing, but do not require patient authorization:

  • Face-to-face communications with patients that promote a product or service. This is the case even if the provider is paid to have the face-to-face discussion with the patient. For example, a prosthetics company pays Dr. Smith $15 each time he hands the patient a brochure on their product and talks about how good the product might be for the patient. This is marketing under HIPAA, but the provider can do this without authorization from the patient.
  • Gifts of nominal value, such as pens and notepads, may be given to patients, even if they promote a particular product, without having to get permission from the patient beforehand.
  • If the communication is about a drug or biologic that the patient is already taking, patient authorization is not required, provided the amount of money a provider receives to supply the list of patients taking the drug or biologic is reasonably related to the provider’s cost of sending out the reminder. This is a statutory exception to HIPAA’s marketing rule that requires patient authorization. When Congress passed the Health Information Technology for Economic and Clinical Health Act under the American Recovery and Reinvestment Act of 2009, it carved out this exception so pharmaceutical companies and other providers could remind patients when their prescription refills were due without running afoul of HIPAA.

If a provider does not receive any payment in exchange for making certain communications to patients, the communications are not considered marketing under HIPAA and do not require patient authorization. These types of communications include:

  • Communications that involve treatment activities (e.g., case management, care coordination, recommending alternative therapies or treatments, etc.)
  • Descriptions of a health-related product or service that is provided by, or included in, the patient’s plan of benefits
  • Case management or care coordination and other related functions that aren’t considered treatment.

The key here is that the provider isn’t receiving any payment in exchange for making the communication. If the provider is receiving payment from a third party, these activities are considered marketing under the new HIPAA rules and require patient authorization.
One final exception to consider: Government benefit programs cannot be considered marketing because there is no commercial component to them; sending or explaining services available through Medicare or Medicaid, for example, shouldn’t trigger any marketing or authorization concerns for your practice.
Comply with HIPAA’s Marketing Rules
If you enter into relationships with third parties to send communications to your patients, and if that third party is giving you money to do so, get clients to sign an authorization stating it’s OK with them that you do so. Better yet, use common sense with your patients’ PHI, and don’t allow your patients’ information to be used to send communications to promote a product or service based on what you know about your patients.
It’s OK to let patients know their health plan will cover a visit to a chiropractor or to suggest that getting a massage every two weeks might help with their recovery from an auto accident. You may even hand them a brochure of your favorite massage center down the street, as long as you do it face to face while the patient is in your office. If your practice is complex, with many third-party relationships that send multiple communications (newsletters, coupons, etc.) to patients, consider consulting with a healthcare lawyer or privacy expert to be sure these communications don’t constitute marketing. If they do, decide how to get patient authorization before moving forward.
Marcia L. Brauchler, MPH, CMPE, CPC, CPC-H, CPC-I, CPHQ, is the president and founder of Physicians’ Ally, Inc. Since the company’s formation in 2000, Brauchler and her team of employees and consultants have provided advice and counsel to hundreds of physicians and practice administrators, resulting in improved and enhanced efficiencies in their business operations. Brauchler and her team provide education and assistance on how best to negotiate managed care contracts, increase reimbursements to the practice, and stay in compliance with healthcare laws. Services also include professional credentialing, coding, and coding certification education. Brauchler sells the Physicians’ Ally HIPAA Policies and Procedures Manual and its general Compliance Manual on the company’s website at


Renee Dustman, BS, AAPC MACRA Proficient, is managing editor - content & editorial at AAPC. She holds a Bachelor of Science degree in Media Communications - Journalism. Renee has more than 30 years' experience in journalistic reporting, print production, graphic design, and content management. Follow her on Twitter @dustman_aapc.

No Responses to “What are HIPAA’s new rules for marketing?”

  1. Carlis Collins says:

    I want to create a Refer-a-Friend program, for my dental practice, that will be managed by a third party marketing agency.
    The third party needs only my patient names and address to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.
    Because I am “Marketing” to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:
    * Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)
    * Because my PHI is disidentified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?
    * Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?
    NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
    So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.
    This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.
    Can you clarify?