What HIPAA Requires for Healthcare Marketing Patient Authorization

by Chloe Bowen, Chief of Staff, Paubox

The HIPAA Privacy Rule regulates how protected health information (PHI) can be used for marketing.  In general, HIPAA requires patient authorization before a covered entity can use PHI for marketing purposes.

HIPAA does not prohibit providers from marketing to patients; it simply requires prior authorization in certain instances.

There are also a number of exceptions to the authorization requirement, and there are many types of communication that HIPAA does not consider marketing.  After all, HIPAA is not intended to restrict providers’ ability to communicate about goods and services that are essential for quality healthcare.

For more details on how HIPAA defines marketing, visit our blog post on the topic here: HIPAA Definition of Marketing Explained.

What “authorization” means

But what exactly does “authorization” mean in this context?  According to the U.S. Department of Health & Human Services (HHS), authorization constitutes:


a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.


Marketing falls into the category described above.

What the authorization needs to say

HIPAA requires an authorization to be written in plain language and to contain specific elements so the patient understands exactly what he or she is agreeing to.  A marketing authorization may be combined with other HIPAA authorizations in some cases, but the Privacy Rule restricts such compound authorizations (for example, it cannot be combined with an authorization on which treatment is conditioned), so check the rule before bundling it with other consent forms.

A signed and dated authorization must specify:

  • What PHI will be used or disclosed, described specifically and meaningfully
  • Who is authorized to use or disclose the PHI
  • Who the PHI will be shared with
  • An expiration date or expiration event
  • The purpose of the use or disclosure (for marketing, what the communications will be; “at the request of the individual” is sufficient only when the patient initiates the authorization)
  • The patient’s right to revoke the authorization in writing, and how to do so
  • That the PHI, once disclosed, may be redisclosed by the recipient and no longer protected by the Privacy Rule

If a third party is paying the covered entity, directly or indirectly, to send the marketing communication, the authorization must also state that the covered entity is receiving financial remuneration.

In general, a covered entity may not condition treatment, payment, enrollment or eligibility for benefits on a patient signing a marketing authorization.

The covered entity must also give the patient a copy of the signed authorization and retain a paper or electronic copy of it for six years.

For more details, visit HHS’ HIPAA Administrative Simplification.

Written authorization

There are a number of ways you can obtain patient authorization for marketing purposes.  One option is to include a marketing communications opt-in form as part of your intake packet the first time you see a patient.

Within the form, clearly explain the types of communications you will send and how frequently, and explain how those communications will benefit the patient.

Electronic authorization

HIPAA allows for electronic authorization as well.

According to HHS:


[T]he Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.


For more details, visit HHS’ Use of Electronic Informed Consent: Questions and Answers.

Electronic authorization can come in many forms, such as an opt-in button on your website or a step in an online purchase or appointment scheduling flow.  Whatever the form, the electronic authorization must still present every element listed above, the electronic signature must be valid under applicable law, and you must retain a copy of what the patient actually agreed to.

Email marketing for healthcare

After you’ve got your patient authorizations squared away, you may consider trying healthcare email marketing to grow your practice and improve patient outcomes.

For the past ten years in a row, email has been the sales channel generating the highest return on investment.  For every $1 spent, email marketing returns an average of $38.

The average open rate for healthcare emails is 19.7% with a 2.7% click-through rate, which is above the average for all industries.  This goes to show that patients do indeed engage with healthcare emails.

Paubox Marketing is the perfect solution for your HIPAA compliant email marketing strategy.  It allows you to send personalized email messages including PHI directly to your recipients’ email boxes.

Paubox Marketing can help you increase patient activation, prevent adverse events, and even protect patients from coronavirus.  It becomes even more powerful when coupled with a social media strategy.

Simply put, Paubox Marketing is the best HIPAA compliant email marketing solution available.

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.