Marketing with HIPAA: What you can and can’t do
HIPAA ensures your clients’ protection, but you can be creative inside the lines.

As you know, the Health Insurance Portability and Accountability Act (HIPAA) protects your patients. In particular, the HIPAA Privacy Rule gives people control over how their health information is used for marketing. This offers a few challenges for those who work in healthcare communications.
First of all, you should know that the HIPAA Privacy Rule defines marketing as communication about a product or service that encourages the recipient to purchase or use that product or service.
Also, the Privacy Rule requires you to get a patient’s permission for any use or disclosure of protected health information (PHI) before you use it for marketing. A few exceptions exist, but they can get a little confusing. These examples may help.
HIPAA and websites
- You can’t create website ads or pages that show images of a patient without that patient’s consent. Also, you’ll want to make sure you are following the HIPAA Security Rule. This is vital when it comes to online patient forms, patient portals or live chat features.
- You can showcase your company and list the services you provide. Your provider webpages can feature the providers’ bios and pictures. Remember that stock photos, like those found on Shutterstock or Adobe, can be used to add a visual component to your design.
HIPAA and social media
- You can’t allow staff or patients to post pictures that show patients. One way to avoid this is to ensure that posts or comments on your social media platforms receive approval before they go public. Your facility should also consider a photo and cellphone policy for staff, volunteers and vendors.
- You can show off your staff and facility on social media, as well as promote new healthcare products and services you provide. If you want to announce a certain procedure, this is another time to make use of stock photos and footage that don’t reveal patient identities.
HIPAA and mailing lists
- You can’t sell patient or member lists to a third party without getting permission from each patient or member on that list. An example would be a healthcare provider or health plan selling a list of patients or members to a company that intends to advertise to that list.
- You can use your mailing list to announce a new specialty group or new equipment or service. You can also use your list to send reminders about prescription refills or Medicare eligibility. Basically, the privacy rule allows healthcare companies to market their own products and services to their patient or member list.
HIPAA and email marketing
- You can’t use patient information in any email or email campaign without first getting the permission of the patient involved. Also, you must encrypt any email sent to patients that involves PHI, which includes names and email addresses.
- You can use a third-party firm to help you with email marketing. Make sure the firm is HIPAA-compliant and has signed a business associate agreement with you. In fact, working with a HIPAA-compliant marketing firm takes a great deal of stress off you.
If you are worried about compliance, you can get assistance. The Coffey team has experts in healthcare marketing strategy who know the rules. Call 888.805.9101 or email us to learn how we can help you reach your marketing goals.