Including patient testimonials in email marketing without violating HIPAA
Gugu Ntsele July 27, 2023
HIPAA's Privacy Rule governs the use and disclosure of protected health information (PHI). PHI is broadly defined as any information that could identify a patient and relates to their health condition, treatment, or payment for care. This includes names, photos, geographic details smaller than a state, dates of treatment, and even indirect identifiers that could be combined to reveal someone's identity.
When a healthcare organization sends an email that features a patient's name alongside a reference to their condition or treatment, it may be disclosing PHI without authorization. That's a violation.
As I. Glenn Cohen and Michelle M. Mello noted in their 2018 JAMA article HIPAA and Protecting Health Information in the 21st Century, the law "attaches (and limits) data protection to traditional health care relationships and environments." That means the rules apply fully to how you use patient information in campaigns.
Understanding what counts as "marketing" under HIPAA
According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule defines marketing as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." As a general rule, if a communication meets that definition, written patient authorization is required before it can be sent.
However, HHS also lists communications that do not count as marketing under the Rule and therefore do not require authorization:
- Communications about your own services. A hospital announcing the arrival of a new specialty group or the acquisition of new equipment through a general mailing is not considered marketing.
- Communications made for treatment. A pharmacy mailing prescription refill reminders to patients, or a physician referring a patient to a specialist, are treatment communications.
- Care coordination communications. Sharing patient information to recommend alternative treatments, therapies, or care settings also falls outside the marketing definition.
Understanding these distinctions matters because it shapes which emails require a formal authorization and which don't. Patient testimonials used to promote your practice or services will fall within the marketing definition and therefore require written authorization.
Most importantly, HHS is explicit that covered entities may not sell protected health information to third parties or sell lists of patients without authorization from each individual. For example, a health plan selling its member list to a company marketing blood glucose monitors, even indirectly, constitutes marketing that requires prior patient authorization. There are no exceptions to this rule.
What ethical, compliant PHI sharing actually looks like
A 2012 case study published in the Journal of the American Medical Informatics Association documented a program in Louisiana that linked statewide public health surveillance data with electronic medical records to identify HIV-positive patients who had fallen out of care. The program, known as LaPHIE, used bi-directional data exchange between a state public health authority and a large hospital network to alert clinicians when an out-of-care patient sought treatment for any condition, creating what the authors described as a "no wrong door" approach to reconnecting patients with HIV care.
What made LaPHIE work, legally and ethically, was the groundwork laid before any data was exchanged. Stakeholders from both the public health and healthcare delivery sides worked through questions of data ownership, patient privacy, and the ethics of sharing sensitive diagnoses like HIV status. Business agreements and technical safeguards were established. Patients and providers were engaged throughout the design process. According to the study, 82% of the patients identified through the exchange followed up with HIV care during the study period.
The parallel for email marketers in healthcare is that compliant use of patient information depends on doing the foundational work first. Consent, governance, and technical infrastructure are prerequisites for sharing patient stories.
Step one: Get a proper written authorization
Before you use any patient's story in marketing, you need a signed HIPAA authorization form specifically tailored for marketing purposes. This is different from the general consent forms patients sign at intake.
A valid HIPAA marketing authorization must include a description of the PHI to be disclosed, the purpose of the disclosure, who will receive or have access to the information, an expiration date or event, and a clear statement that the patient has the right to revoke the authorization at any time. If your marketing arrangement involves any direct or indirect payment to your organization from a third party, HHS requires that the authorization explicitly state that such remuneration is involved (45 CFR 164.508(a)(3)).
However, HHS identifies two situations where authorization is not required even for marketing communications:
- Face-to-face communications made directly to an individual, and
- Promotional gifts of nominal value.
Email campaigns do not fall into either category.
Step two: Define what you'll share
The authorization should specify exactly what information will be used. If a patient authorizes the use of their first name and a general description of their experience, you cannot later publish their full name, photo, or details about their specific diagnosis without obtaining a new authorization.
Step three: Consider using de-identified testimonials
Under HIPAA's Safe Harbor method, information is considered de-identified when 18 specific identifiers are removed including names, geographic data below state level, dates other than year, phone numbers, email addresses, and more.
A de-identified testimonial might look like: "A patient in their 40s who came to us after years of managing a chronic condition shared that our care team changed their life." There's no PHI, no authorization required, and no compliance risk.
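A pre-send check for testimonial drafts, added here as an illustration (not Paubox code): it scans copy for the Safe Harbor identifier classes that can be caught mechanically (emails, phone numbers, dates more specific than a year, ZIP codes, ages over 89). The regex patterns and the two sample drafts are constructed for the example; names and free-text geography such as a city or clinic name still need human review, so a clean result means "nothing flagged," not "certified de-identified."

```python
import re

# Added example, not Paubox's own code. Flags the Safe Harbor identifier
# classes that are detectable by pattern; names and place names are not
# attempted and must be reviewed by a person before the email is sent.
MECHANICAL_PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone number": re.compile(
        r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "date more specific than year": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}"
        r"(?:,\s*\d{4})?)\b"),
    "ZIP code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}
# Safe Harbor permits ages up to 89; anything older must be aggregated.
AGE_PATTERNS = [
    re.compile(r"\b(\d{1,3})[ -]years?[ -]old\b"),
    re.compile(r"\b(?:age|aged)\s+(\d{1,3})\b"),
]


def find_identifiers(text):
    """Return (identifier class, matched text) pairs found in a draft."""
    hits = []
    for label, pattern in MECHANICAL_PATTERNS.items():
        hits.extend((label, m.group(0)) for m in pattern.finditer(text))
    for pattern in AGE_PATTERNS:
        for m in pattern.finditer(text):
            if int(m.group(1)) > 89:
                hits.append(("age over 89", m.group(0)))
    return hits


def passes_mechanical_check(text):
    """True when no pattern-detectable identifier was found (still needs human review)."""
    return not find_identifiers(text)


# Constructed sample drafts, not real patient testimonials.
DRAFT_NOT_DEIDENTIFIED = (
    "One of our patients, 92 years old, came to us on March 3, 2023 from the "
    "70112 area and emailed jane@example.com to say the team changed her life."
)
DRAFT_DEIDENTIFIED = (
    "A patient in their 40s who came to us after years of managing a chronic "
    "condition shared that our care team changed their life."
)

if __name__ == "__main__":
    for label, snippet in find_identifiers(DRAFT_NOT_DEIDENTIFIED):
        print(f"flagged {label}: {snippet!r}")
    print("clean draft passes:", passes_mechanical_check(DRAFT_DEIDENTIFIED))
```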
Step four: Secure your email infrastructure
HIPAA compliance also covers how data is transmitted and stored. If your email marketing platform holds or processes any PHI (including the contact information of patients you're emailing), that vendor must sign a Business Associate Agreement (BAA) with your organization.
Some email marketing platforms do not support HIPAA compliance or offer BAAs, so verify this before building your campaigns. Platforms such as Paubox Marketing are built for healthcare and are the safer choice.
Step five: Train your marketing team
HIPAA violations often happen not because of bad intentions but because staff aren't trained in healthcare privacy law. Make HIPAA awareness part of your onboarding for any staff involved in content creation, social media, or email campaigns.
Key areas to cover include recognizing what constitutes PHI, understanding that verbal permission is never sufficient, knowing when to consult your compliance officer, and understanding the consequences of a violation.
FAQs
Can a patient revoke their authorization after they've already appeared in an email campaign?
Yes, patients can revoke their marketing authorization at any time, but revocation only applies to future uses of their information, not disclosures that have already occurred.
Does HIPAA apply if emailing prospective patients?
Prospective patients are generally not covered by HIPAA since no treatment relationship or PHI exchange has occurred yet.
Does a patient's Google or Yelp review count as their authorization to use that content?
No, a public review does not constitute HIPAA authorization.
Does using a third-party copywriter to draft patient testimonial content create a HIPAA obligation?
Yes, any vendor who handles PHI on your behalf must sign a Business Associate Agreement.
