The HIPAA Marketing Rule for Healthcare Practices: When You Need Patient Authorization and When You Don't

Most healthcare practices conflate HIPAA compliance with FTC compliance - they're different regulatory regimes with different rules. Here's the HIPAA-specific framework for marketing that uses any patient information.

By RegenCompliance Editorial, FDA/FTC compliance desk

HIPAA’s marketing rule restricts how protected health information (PHI) can be used in marketing communications. It’s a separate regulatory regime from FTC rules on testimonials and FDA rules on claims - and many healthcare practices conflate the three. HIPAA compliance doesn’t cure FTC issues, and FTC compliance doesn’t cure HIPAA issues. Both layers apply. This post is the HIPAA-specific framework for healthcare marketing.

What counts as marketing under HIPAA

HIPAA defines "marketing" more narrowly than general usage. Under 45 CFR 164.501, marketing means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. The definition carves out certain communications, and the authorization rule at 45 CFR 164.508(a)(3) adds two more exceptions:

  • Face-to-face communications made directly to an individual by the covered entity.
  • Promotional gifts of nominal value provided by the covered entity.
  • Treatment communications, including case management, care coordination, and recommending alternative treatments, therapies, providers, or settings of care.
  • Communications describing health-related products or services the covered entity itself provides.

The treatment and health-related-product exceptions carry an important limit: since the 2013 Omnibus Rule, they are lost if the covered entity receives financial remuneration from a third party in exchange for making the communication (refill reminders and similar drug communications are handled separately, and only when the payment is reasonably related to the cost of making the communication). Outside these exceptions, using PHI for marketing requires patient authorization. And the exceptions have specific limits that most practices misunderstand.

What authorization requires

A valid HIPAA marketing authorization under 45 CFR 164.508 must be written in plain language and include specific core elements and statements:

  1. Description of the information. The specific PHI that will be used or disclosed, described in a specific and meaningful way.
  2. Identity of the parties. Who is authorized to make the use or disclosure, and who will receive the information.
  3. Description of purpose. What the information will be used for.
  4. Expiration. An expiration date or an expiration event that relates to the individual or the purpose.
  5. Patient's right to revoke. The authorization must state that the patient can revoke it in writing, along with any exceptions and how to do so.
  6. Conditioning statement. Whether treatment is conditioned on signing the authorization (for marketing it cannot be, and the form should say so).
  7. Redisclosure statement. That information disclosed under the authorization may be redisclosed by the recipient and may no longer be protected by HIPAA.
  8. Remuneration statement. If the covered entity is receiving direct or indirect remuneration from a third party for the marketing, the authorization must disclose this (45 CFR 164.508(a)(3)(ii)).
  9. Signature and date. Signed and dated by the patient, or by a personal representative with a description of their authority.

General practice intake forms with blanket "authorize marketing use" clauses typically don't meet these requirements, because they describe neither the specific PHI nor the specific use. A specific marketing-use authorization, signed at the time of the specific marketing use, is the compliant approach.

Common scenarios and the HIPAA analysis

Scenario 1: Using a patient’s before/after photo

Photos of a patient's face or body in the context of treatment are PHI; full-face photographs and comparable images are one of the 18 identifiers that must be removed under the safe-harbor de-identification method, so cropping a name out of the image does not make it de-identified. Using such photos in marketing requires HIPAA-compliant authorization specific to the marketing use. The authorization needs to cover the specific medium, the specific use, and the duration. Authorization should be separate from treatment consent; a single form bundling both typically doesn't meet the authorization specificity requirements.

Scenario 2: Publishing a patient’s testimonial

Quotes, reviews, or stories from patients are PHI when they describe treatment at your practice. Using them in marketing requires authorization. Even using “John S., patient” attribution requires the underlying authorization if the content describes treatment.

Scenario 3: Responding to an online review from a patient

Responding publicly to a review in a way that confirms or reveals treatment at your practice, even generically ("we're sorry your visit for X didn't go as planned"), is a disclosure of PHI. This is why generic responses that neither confirm nor deny that the reviewer is a patient are the recommended approach. See our post on responding to negative reviews for more.

Scenario 4: Sending treatment-related emails to current patients

Communications to existing patients about their own treatment plan are not marketing under HIPAA. Communications about additional services the practice offers may be marketing depending on context. The treatment-communication exception has specific limits and should not be stretched beyond its text.

Scenario 5: Using patient contact information for newsletters

Using patient contact information to send general practice newsletters is typically considered marketing if the newsletter promotes services. Patients should have opted into the newsletter specifically; intake-form blanket contact consent doesn’t typically cover marketing uses.

Scenario 6: Social media success posts about patient outcomes

Posts about patient outcomes - even without names - may still reveal PHI in combination with photos, dates, or distinctive details. Authorization should cover the specific social media use.

Common misunderstandings

“Patient wrote a public review so we can use it”

The patient making their treatment public on their own platform doesn’t change your HIPAA obligations. You still need authorization to use their review in your own marketing. Their public disclosure waived their privacy in that forum, not for your republishing.

“We have treatment consent, so marketing use is covered”

Treatment consent and marketing authorization are distinct HIPAA documents with different requirements. A treatment consent that happens to mention marketing in fine print typically doesn’t meet marketing authorization requirements.

“We changed the patient’s name in the story”

De-identification under HIPAA requires meeting specific standards (either the safe harbor method removing 18 specific identifiers or the expert determination method). Casually changing a name doesn’t meet de-identification requirements. Accompanying photos, dates, or distinctive details can re-identify an otherwise-anonymized story.

“Business associate agreements cover our agency’s use”

Business associate agreements govern how a BA uses PHI for services to you; they don’t grant marketing use of PHI that the underlying HIPAA rules don’t authorize. Sharing patient testimonials with an agency for marketing use requires patient authorization regardless of the BA agreement.

Practical HIPAA marketing compliance

Separate marketing authorization form

Use a standalone marketing authorization form, separate from treatment consent. The form should identify specific uses (photos in website marketing, testimonial in email campaigns, video on social media) with clear scope and duration.

Document and retain authorizations

Keep signed authorizations in patient records and retain them for at least six years from the date of creation or the date they were last in effect, which is HIPAA's general documentation retention period (45 CFR 164.530(j)). If you ever need to demonstrate compliance, documented authorizations are the evidence. Missing or incomplete authorizations are the weakness OCR investigations commonly find.

Respect revocations

Patients can revoke marketing authorizations in writing. A revocation does not undo uses the practice already made in reliance on the authorization (a brochure already printed is not retroactively a violation), but every new use must stop: remove the photo from the website, pull the testimonial from scheduled email campaigns, and delete the social media post. Have a workflow for processing revocations, including a way to find every place the content was used.

Train staff on the marketing rule

HIPAA training often focuses on clinical privacy and doesn’t adequately cover the marketing rule. Marketing staff specifically need training on when PHI is being used and when authorization is required.

HIPAA marketing enforcement

OCR (HHS Office for Civil Rights) has pursued enforcement actions specifically involving HIPAA marketing and disclosure violations, including settlements with practices that disclosed PHI in responses to online reviews or used patient information in marketing without authorization. These resolution agreements are public and can inform your compliance review.

HIPAA compliance and FTC compliance are separate regulatory regimes. Meeting one doesn’t meet the other. Healthcare marketing that uses any patient information needs review under both layers - and often a third layer (state privacy or medical board rules) as well.

Frequently asked questions

What if I only use the patient’s first name?

It depends on context. If a first name plus other details (photo, date, condition) could identify the patient, it's still PHI. HIPAA de-identification has specific technical requirements; first-name-only usage typically doesn't meet them.

Can I use patient reviews that were posted publicly?

Republishing public reviews on your own marketing channels is a different use than the patient’s own public posting. Authorization is typically needed. Some practices get authorization alongside review-solicitation workflows.

Does HIPAA apply to non-patients who become testimonial subjects?

HIPAA only applies to PHI - information generated through treatment. If someone hasn’t received treatment at your practice, HIPAA doesn’t apply to their statements. But FTC endorsement rules still do.

Are internal staff testimonials subject to HIPAA marketing rules?

Staff testimonials about their own experience or impressions of the practice aren’t typically PHI. Staff testimonials referencing specific patients’ care can be PHI even without naming the patient.

How long should authorizations be in effect?

The authorization should state its expiration or expiration-triggering event. Indefinite authorizations with no expiration are disfavored. Reasonable durations (1-5 years depending on use) with renewal processes are common practice.

What about state laws that go beyond HIPAA?

Several states have privacy laws that reach health information and go beyond HIPAA (California's CMIA, New York's SHIELD Act, and others). Compliance requires meeting both federal HIPAA and applicable state law; where they differ, the stricter standard applies.
