HIPAA Marketing Rules — HIPAA Journal (December 2025)

source.hipaajournal-com.hipaa-marketing-rules-2025 ↗

HIPAA defines marketing as any communication about a product or service that encourages recipients to purchase or use it. Authorization from the individual (or representative) is mandatory for using or disclosing PHI in marketing communications, with two narrow exceptions: face-to-face communications and promotional gifts of nominal value. Covered entities cannot disclose PHI in exchange for remuneration to a third party for that party to market its own products. Exceptions to authorization exist for refill reminders, alternative treatment recommendations, and case management without remuneration beyond communication costs. Digital-age obligations include no PHI in email subject lines, no PHI in social media posts, HIPAA-compliant form channels.