2 min read

What HIPAA requires for healthcare marketing patient authorizations

Chloe Bowen September 24, 2020

Patient privacy Email marketing
Hand filling out a prior authorization medical form with a pen
Hand holding pen over tax forms and prior authorization paperwork The  HIPAA Privacy Rule regulates how protected health information ( PHI) can be used for marketing.  In general, HIPAA requires patient authorization before a covered entity can use PHI for marketing purposes. HIPAA doesn’t imply that doctors cannot market to clients—simply that in some instances prior authorization is required. There are also a number of exceptions to the authorization requirement, and there are many types of communication that HIPAA does not consider marketing.  After all, HIPAA is not intended to restrict providers’ ability to communicate about goods and services that are essential for quality healthcare. For more details on how HIPAA defines marketing, visit our blog post on the topic here: HIPAA Definition of Marketing Explained.

What "authorization" means

But what exactly does "authorization" mean in this context?  According to the U.S. Department of Health & Human Services (HHS), authorization constitutes:
a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Marketing falls into the category described above.

 

What the authorization needs to say

According to HIPAA an authorization form must contain specific, clear language to ensure the patient is fully aware of what he or she is agreeing to.  You can combine a marketing authorization with other informed consent documents. A signed and dated authorization must specify:
  • What PHI will be used or disclosed
  • Who will use or disclose the PHI
  • Who the PHI will be shared with
  • An expiration date
  • In some cases, the purpose for using or disclosing the PHI
  • The patient's right to revoke the authorization
If a business associate is paying a covered entity for patient information so the business associate can market its own product or service, the authorization must indicate this as well. In general, healthcare providers may not condition treatment or coverage on someone providing authorization to receive marketing. The covered entity must also provide people with a copy of their signed authorization and maintain an electronic or paper copy of the authorization for six years. For more details, visit HHS' HIPAA Administrative Simplification.

 

Written authorization

There are a number of ways you can obtain patient authorization for marketing purposes.  One option is to include a marketing communications opt-in form as part of your intake packet the first time you see a patient. Within the form, clearly explain the types of communications you will send and how frequently, and explain how those communications will benefit the patient.

 

Electronic authorization

HIPAA allows for electronic authorization as well. According to HHS:
[T]he Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
For more details, visit HHS' Use of Electronic Informed Consent: Questions and Answers. Electronic authorization can come in many forms, such as in an opt-in button on your website or as part of an online purchase or scheduling an appointment.

 

Email marketing for healthcare

After you've got your patient authorizations squared away, you may consider trying healthcare email marketing to grow your practice and improve patient outcomes. For the past ten years in a row, email has been the sales channel generating the highest return on investment.  For every $1 spent, email marketing generates  $38 in ROI. The average open rate for healthcare emails is  19.7% with a 2.7% click-through rate, which is above the average for all industries.  This goes to show that patients do indeed engage with healthcare emails. Paubox Marketing is the perfect solution for your HIPAA compliant email marketing strategy.  It allows you to send personalized email messages including PHI directly to your recipients' email boxes. Paubox Marketing can help you increase  patient activation, prevent  adverse events, and even  protect patients from coronavirus.  It becomes even more powerful when coupled with a social media strategy. Simply put, Paubox Marketing is  the best HIPAA compliant email marketing solution available.

 

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Doctor holding megaphone with one hand raised

HIPAA definition of marketing explained

Chloe Bowen : June 8, 2020

The HIPAA Privacy Rule regulates how patients' protected health information (PHI) can be used for marketing. In general, HIPAA requires written...

HIPAA compliance Email marketing
Read More
laptop and smartphone

Best practices for patient communication using HIPAA compliant email

Picture of Tshedimoso Makhene Tshedimoso Makhene : February 15, 2025

Using HIPAA compliant email to communicate with patients requires adherence to best practices to ensure privacy, security, and compliance.

HIPAA compliant email Patient privacy
Read More
Person using a laptop at a desk

HIPAA compliant email marketing: What you need to know

Picture of Kirsten Peremore Kirsten Peremore : March 1, 2025

In 1998, only 7% of American physicians communicated via email with patients due to initial resistance. However, this figure has significantly...

Email marketing
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.