What HIPAA requires for healthcare marketing patient authorizations


The HIPAA Privacy Rule regulates how protected health information (PHI) can be used for marketing.  In general, HIPAA requires patient authorization before a covered entity can use PHI for marketing purposes.

HIPAA does not prohibit doctors from marketing to clients; it simply means that in some instances prior authorization is required.

There are also a number of exceptions to the authorization requirement, and there are many types of communication that HIPAA does not consider marketing.  After all, HIPAA is not intended to restrict providers’ ability to communicate about goods and services that are essential for quality healthcare.

For more details on how HIPAA defines marketing, visit our blog post on the topic here: HIPAA Definition of Marketing Explained.

What “authorization” means

But what exactly does “authorization” mean in this context?  According to the U.S. Department of Health & Human Services (HHS), an authorization is:

a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

Marketing falls into the category described above.

What the authorization needs to say

According to HIPAA, an authorization form must contain specific, clear language to ensure the patient is fully aware of what he or she is agreeing to.  You can combine a marketing authorization with other informed consent documents.

A signed and dated authorization must specify:

  • What PHI will be used or disclosed
  • Who will use or disclose the PHI
  • Who the PHI will be shared with
  • An expiration date
  • In some cases, the purpose for using or disclosing the PHI
  • The patient’s right to revoke the authorization

If a business associate is paying a covered entity for patient information so the business associate can market its own product or service, the authorization must indicate this as well.

In general, healthcare providers may not condition treatment or coverage on someone providing authorization to receive marketing.

The covered entity must also provide people with a copy of their signed authorization and maintain an electronic or paper copy of the authorization for six years.

For more details, visit HHS’ HIPAA Administrative Simplification.

Written authorization

There are a number of ways you can obtain patient authorization for marketing purposes.  One option is to include a marketing communications opt-in form as part of your intake packet the first time you see a patient.

Within the form, clearly explain the types of communications you will send and how frequently, and explain how those communications will benefit the patient.

Electronic authorization

HIPAA allows for electronic authorization as well.

According to HHS:

[T]he Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
For more details, visit HHS’ Use of Electronic Informed Consent: Questions and Answers.

Electronic authorization can take many forms, such as an opt-in button on your website, or a step in an online purchase or appointment scheduling flow.

Email marketing for healthcare

After you’ve got your patient authorizations squared away, you may consider trying healthcare email marketing to grow your practice and improve patient outcomes.

For the past ten years in a row, email has been the sales channel generating the highest return on investment.  For every $1 spent, email marketing generates $38 in ROI.

The average open rate for healthcare emails is 19.7% with a 2.7% click-through rate, which is above the average for all industries.  This goes to show that patients do indeed engage with healthcare emails.

Paubox Marketing is the perfect solution for your HIPAA compliant email marketing strategy.  It allows you to send personalized email messages including PHI directly to your recipients’ email boxes.

Paubox Marketing can help you increase patient activation, prevent adverse events, and even protect patients from coronavirus.  It becomes even more powerful when coupled with a social media strategy.

Simply put, Paubox Marketing is the best HIPAA compliant email marketing solution available.

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.
About the author

Chloe Bowen
