What HIPAA requires for healthcare marketing patient authorizations
by Chloe Bowen, Chief of Staff
The HIPAA Privacy Rule regulates how protected health information (PHI) can be used for marketing. In general, HIPAA requires patient authorization before a covered entity can use PHI for marketing purposes.
HIPAA does not prohibit doctors from marketing to clients; it simply requires prior authorization in some instances.
There are also a number of exceptions to the authorization requirement, and there are many types of communication that HIPAA does not consider marketing. After all, HIPAA is not intended to restrict providers’ ability to communicate about goods and services that are essential for quality healthcare.
For more details on how HIPAA defines marketing, visit our blog post on the topic here: HIPAA Definition of Marketing Explained.
What “authorization” means
But what exactly does “authorization” mean in this context? According to the U.S. Department of Health & Human Services (HHS), authorization constitutes:
a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Marketing falls into the category described above.
What the authorization needs to say
According to HIPAA, an authorization form must contain specific, clear language to ensure the patient is fully aware of what he or she is agreeing to. You can combine a marketing authorization with other informed consent documents.
A signed and dated authorization must specify:
- What PHI will be used or disclosed
- Who will use or disclose the PHI
- Who the PHI will be shared with
- An expiration date
- In some cases, the purpose for using or disclosing the PHI
- The patient’s right to revoke the authorization
If a business associate is paying a covered entity for patient information so the business associate can market its own product or service, the authorization must indicate this as well.
In general, healthcare providers may not condition treatment or coverage on someone providing authorization to receive marketing.
The covered entity must also provide people with a copy of their signed authorization and maintain an electronic or paper copy of the authorization for six years.
For more details, visit HHS’ HIPAA Administrative Simplification.
There are a number of ways you can obtain patient authorization for marketing purposes. One option is to include a marketing communications opt-in form as part of your intake packet the first time you see a patient.
Within the form, clearly explain the types of communications you will send and how frequently, and explain how those communications will benefit the patient.
HIPAA allows for electronic authorization as well.
[T]he Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
For more details, visit HHS’ Use of Electronic Informed Consent: Questions and Answers.
Electronic authorization can come in many forms, such as in an opt-in button on your website or as part of an online purchase or scheduling an appointment.
Email marketing for healthcare
For ten years in a row, email has been the sales channel generating the highest return on investment. For every $1 spent, email marketing generates $38 in ROI.
The average open rate for healthcare emails is 19.7% with a 2.7% click-through rate, which is above the average for all industries. This goes to show that patients do indeed engage with healthcare emails.
Simply put, Paubox Marketing is the best HIPAA compliant email marketing solution available.