HIPAA Marketing Rules — Key Requirements
Source: HIPAA Journal, hipaajournal.com (independent HIPAA compliance publication)
Published: December 4, 2025
Fetch status: alternative (tier 3 — hhs.gov was 403-blocked; Wayback Machine unavailable from this environment)
HIPAA Definition of Marketing
HIPAA defines marketing as "a communication about a product or service that encourages recipients to purchase or use the product or service." This applies to covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates.
Authorization Requirements
Authorization from the individual (or their personal representative) is mandatory for:
- Using PHI in any marketing communication
- Disclosing PHI to a third party "in exchange for direct or indirect remuneration" for that third party to market its own products or services
Exceptions requiring NO authorization:
- Face-to-face communications between a covered entity and an individual
- Promotional gifts of nominal value provided by the covered entity
Conditional exceptions (permitted without authorization only if the covered entity receives no remuneration beyond the cost of making the communication):
- Refill reminders
- Alternative treatments or provider recommendations
- Health-related product/service descriptions
- Case management and care coordination communications
Key Obligations for Digital Channels
- PHI must never appear in email subject lines
- PHI must never be disclosed in social media posts
- Website contact forms transmitting PHI must use HIPAA-compliant channels
- Marketing content and frequency must also comply with applicable FDA and FTC regulations
Telemarketing
A covered entity may share PHI with a telemarketer only if the covered entity has obtained the individual's prior written authorization or has entered into a Business Associate Agreement with the telemarketer for a non-marketing communication purpose.
KG Relevance
- constraint.hipaa-phi-cdp-healthcare (TC-34): Alternative distributor source grounding HIPAA Marketing Rule requirements. The authorization requirement for PHI in marketing directly affects what CDP-powered healthcare marketing workflows are permissible. This source provides the regulatory baseline that constraint.hipaa-phi-cdp-healthcare encodes.
- use-case.hipaa-safe-performance-marketing (OC-008): The definition of permissible healthcare marketing communications (refill reminders, care coordination, treatment alternatives without remuneration) shapes what "HIPAA-safe" means in the OC-008 use case context.
- Related proposal: TC-34