HIPAA and Marketing: What the Privacy Rule Actually Says About Advertising
Section 164.501 of the HIPAA Privacy Rule defines "marketing" in a way that surprises most healthcare advertising teams. It is not the broad definition you might expect. HIPAA defines marketing as a communication about a product or service that encourages recipients to purchase or use that product or service. But the rule then carves out specific exceptions, and within those exceptions and their boundaries lies the distinction between a permissible patient communication and a federal violation.
Most healthcare marketing teams operate based on general assumptions about what HIPAA allows. They believe that avoiding clinical data in ad targeting keeps them compliant. They believe that consent banners satisfy the authorization requirement. They believe that their ad platform vendor handles compliance on their end. Each of these assumptions conflicts with what the Privacy Rule actually says.
The Privacy Rule's Definition of Marketing: Narrower Than You Think
HIPAA's marketing definition at 45 CFR 164.501 is precise. A communication is "marketing" if it meets two criteria: it is about a product or service, and it encourages the recipient to purchase or use it. This seems straightforward, but the exceptions create a complex landscape.
Treatment communications are not marketing. A provider can send a patient information about their treatment plan, medication options, or care alternatives without triggering the marketing provision. A cardiologist's office sending a patient a reminder about cardiac rehabilitation is a treatment communication, not marketing.
Health care operations communications are not marketing. Case management, care coordination, and recommendations about alternative treatments or providers are permitted as part of health care operations. A hospital recommending that a patient see a specialist within its network falls under operations, not marketing.
The critical boundary: financial remuneration. The exception collapses when financial remuneration enters the picture. Under 45 CFR 164.508(a)(3), if a covered entity receives payment from a third party for making a communication, it is marketing regardless of the content. A pharmaceutical company paying a health system to send patients information about a specific drug is marketing, even if the communication appears to be a treatment recommendation. This requires individual written authorization from each patient before the communication is sent.
This is the provision that most healthcare advertising programs overlook. Digital advertising inherently involves financial relationships between ad platforms, publishers, and advertisers. When patient data flows through these commercial relationships, the marketing provision is triggered.
What "Authorization" Means Under the Privacy Rule
HIPAA authorization for marketing is not a cookie banner. It is not an opt-in checkbox on a form. It is a specific legal instrument defined at 45 CFR 164.508 with mandatory elements.
A valid HIPAA authorization must include: a description of the PHI to be used or disclosed, the name of the entity authorized to make the disclosure, the name of the entity receiving the PHI, an expiration date, the individual's right to revoke authorization, a statement that the information may be subject to re-disclosure, and the individual's signature.
When a healthcare organization uses tracking pixels that send patient browsing data to Meta or Google for advertising purposes, the Privacy Rule requires this level of authorization from each affected patient. A website cookie banner that says "We use cookies to improve your experience" does not satisfy these requirements. The gap between what most healthcare websites present as consent and what the Privacy Rule requires as authorization is vast.
GoodRx ($1.5M FTC + $25M class action, 2023). GoodRx shared prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other ad platforms for advertising purposes. No valid HIPAA authorization was obtained from affected individuals. The FTC's enforcement was the first under the Health Breach Notification Rule, and the class action settlement reached $25 million.
Monument (FTC advertising ban, 2024). Monument, an alcohol addiction treatment platform, sent user data to ad platforms via tracking pixels. Custom pixel events had descriptive titles like "Paid: Weekly Therapy" and "Paid: Med Management" that were transmitted alongside email addresses and IP addresses to Meta. No authorization was obtained. The FTC imposed a ban on sharing health data for advertising.
Both cases involved advertising activity that used health data without the authorization the Privacy Rule requires. Neither organization obtained the specific, signed, revocable authorization that 45 CFR 164.508 mandates.
The Three Scenarios Where the Privacy Rule Applies to Digital Advertising
Healthcare marketing teams encounter the Privacy Rule's marketing provision in three primary digital advertising scenarios. Each creates compliance obligations that most teams do not realize they have.
Scenario 1: Retargeting based on health page visits. A patient visits your website's "Addiction Treatment Programs" page. A Meta Pixel or Google tag fires, associating that visit with the patient's advertising identity. You then use that audience segment to serve targeted ads on Facebook or the Google Display Network. This is a marketing communication (an ad) that uses PHI (health-related browsing tied to identity) with financial remuneration (you are paying the ad platform). The Privacy Rule requires individual written authorization.
Scenario 2: Lookalike audience creation from patient lists. Your marketing team uploads a patient email list to Meta or Google to create a lookalike audience for new patient acquisition campaigns. This upload discloses PHI (patient identities) to a third party (the ad platform) for marketing purposes. Authorization is required from every patient on the list, and the ad platform must be operating under a BAA.
Scenario 3: Conversion optimization using patient outcomes. You send conversion events (appointment bookings, procedure completions) back to ad platforms so their algorithms can optimize for similar outcomes. The conversion event ties a patient's advertising identity to a health-related action. This is PHI flowing to a third party for marketing optimization. Authorization is required.
In each scenario, the tracking technology is the mechanism that creates the PHI disclosure. The advertising use makes it subject to the marketing provision. And the absence of valid authorization makes it a violation.
Where the Privacy Rule and State Laws Intersect
HIPAA sets the federal floor for healthcare privacy, but state laws are building higher. Several states have enacted health privacy laws that apply to organizations beyond HIPAA's scope and impose additional requirements on those within it.
Washington's My Health My Data Act requires consent before collecting, sharing, or selling health data. It applies to any entity doing business in Washington, regardless of HIPAA coverage. Its definition of "health data" is broader than HIPAA's PHI definition and specifically targets consumer health data collected through websites and apps.
State consumer privacy laws in California, Colorado, Connecticut, Virginia, and others classify health information as "sensitive data" requiring opt-in consent before processing. These laws apply alongside HIPAA, not instead of it.
For healthcare marketing teams, this means compliance with the Privacy Rule's marketing provision is necessary but may not be sufficient. State laws may impose additional consent requirements, shorter response timelines for consumer requests, and private rights of action that HIPAA does not provide.
Consent and privacy management is becoming the operational infrastructure that healthcare marketing runs on. Organizations that build consent-gated data architectures now are building the foundation that both HIPAA and emerging state laws require.
Aligning Marketing Operations with the Privacy Rule
Bringing healthcare advertising into compliance with the Privacy Rule's marketing provision requires structural changes to how data flows through the marketing stack.
Eliminate direct data flows from patient browsers to ad platforms. The Privacy Rule's marketing provision is triggered when PHI is disclosed to a third party for advertising purposes. Server-side architecture prevents this by routing data through your infrastructure first, where compliance controls can be applied before any data reaches an ad platform.
Implement true HIPAA authorization for marketing uses. If your organization uses PHI for any communication that meets HIPAA's definition of marketing, implement the authorization process defined at 45 CFR 164.508. This is not a cookie banner. It is a signed document with specific required elements. Your consent management platform must distinguish between website cookie consent and HIPAA marketing authorization.
Require BAAs with every vendor in the advertising data chain. Any vendor that receives PHI as part of your advertising operations must sign a BAA. This includes ad platforms, analytics tools, CRM systems, and any intermediary that touches the data. Vendors should also hold a current SOC 2 Type II report covering all five trust services criteria to demonstrate the rigor healthcare data requires.
Audit advertising data flows regularly. The Privacy Rule's marketing provision applies to every instance of PHI use in advertising, not just the ones you know about. Marketing teams add tracking pixels, create new audience segments, and build new campaign workflows continuously. Regular audits, supplemented by ongoing web scanning, ensure that new data flows do not create unauthorized PHI disclosures.
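As an added example (not code from the page or from Ours Privacy), a small Python model of the server-side gate the four steps above describe, applied to the three scenarios from earlier: it classifies an outbound event as a PHI disclosure (health-related action tied to an identity), checks for a 45 CFR 164.508 authorization carrying the elements the page lists, keeps cookie-banner consent separate from that authorization, and requires a BAA for the destination vendor before anything is forwarded. All patient ids, vendor names, paths and authorization records are constructed sample data.

```python
from datetime import date

# Constructed sample records (hypothetical values, not from any real system).
# A 45 CFR 164.508 authorization is stored with the named elements the rule
# requires; cookie-banner consent is kept separately and never counts as one.
AUTHORIZATIONS = {
    ("p-1001", "crm-vendor"): {"phi_description": "web and appointment events",
        "disclosing_entity": "Example Clinic", "recipient": "crm-vendor",
        "expires": date(2026, 12, 31), "revocable": True,
        "redisclosure_notice": True, "signed": True, "revoked": False},
    ("p-1001", "meta"): {"phi_description": "web and appointment events",
        "disclosing_entity": "Example Clinic", "recipient": "meta",
        "expires": date(2024, 1, 31), "revocable": True,   # already expired
        "redisclosure_notice": True, "signed": True, "revoked": False},
    ("p-1001", "google"): {"phi_description": "web and appointment events",
        "disclosing_entity": "Example Clinic", "recipient": "google",
        "expires": date(2026, 12, 31), "revocable": True,
        "redisclosure_notice": True, "signed": True, "revoked": False},
}
COOKIE_CONSENT = {"p-1001": True, "p-2002": True}   # deliberately unused by gate()
BAA_SIGNED = {"crm-vendor": True, "meta": False, "google": False}
HEALTH_PATHS = ("/addiction-treatment", "/therapy", "/cardiac-rehab")
IDENTIFIERS = ("email", "ip", "patient_id")
REQUIRED = ("phi_description", "disclosing_entity", "recipient", "expires",
            "revocable", "redisclosure_notice", "signed")

def is_phi_disclosure(event: dict) -> bool:
    """Scenarios 1-3: a health page visit, a descriptive pixel event such as
    'Paid: Weekly Therapy', or a health-related conversion, tied to an identity."""
    health = (event.get("path", "").startswith(HEALTH_PATHS)
              or event.get("name", "").lower().startswith("paid:")
              or event.get("name") in ("appointment_booked", "procedure_completed"))
    return health and any(k in event for k in IDENTIFIERS)

def valid_authorization(patient_id: str, vendor: str, today: date) -> bool:
    """Every 164.508 element present, signed for this recipient, not revoked, not expired."""
    a = AUTHORIZATIONS.get((patient_id, vendor))
    if a is None or not all(a.get(k) for k in REQUIRED):
        return False
    return a["recipient"] == vendor and not a["revoked"] and a["expires"] >= today

def gate(event: dict, vendor: str, today: date = date(2025, 6, 1)) -> str:
    """Server-side decision taken before any data leaves your infrastructure."""
    if not is_phi_disclosure(event):
        return "forward"
    if not valid_authorization(event.get("patient_id", ""), vendor, today):
        return "blocked:no_authorization"   # cookie consent alone never unblocks
    if not BAA_SIGNED.get(vendor, False):
        return "blocked:no_baa"
    return "forward"
```

Running a page visit or pixel event through gate() before the ad-platform call is the control point; an audit (step four) can replay captured browser events through the same function to find flows that would have disclosed PHI.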
FAQ
Does HIPAA apply to healthcare advertising at all?
Yes. The Privacy Rule at 45 CFR 164.501 specifically defines "marketing" and regulates how covered entities and business associates may use PHI for marketing purposes. Any use of PHI to encourage individuals to purchase or use a product or service requires individual authorization unless a specific exception applies (treatment communications or health care operations without financial remuneration from a third party).
Is a cookie consent banner sufficient for HIPAA marketing authorization?
No. HIPAA authorization under 45 CFR 164.508 requires specific elements: a description of the PHI, identification of the parties involved, an expiration date, the right to revoke, and the individual's signature. Standard cookie consent banners do not include these elements and do not satisfy the Privacy Rule's authorization requirement for marketing uses of PHI.
Can we use patient email lists for digital advertising?
Using patient email lists for advertising (custom audiences, lookalike audiences) constitutes a disclosure of PHI for marketing purposes. This requires written authorization from each patient on the list. Additionally, uploading the list to an ad platform that has not signed a BAA creates an impermissible disclosure. Most major ad platforms do not sign BAAs for their advertising products.
What is the difference between a treatment communication and marketing under HIPAA?
A treatment communication provides information about a patient's treatment, care alternatives, or health management. It does not require marketing authorization. A communication becomes marketing when it encourages the purchase or use of a product or service, especially when the covered entity receives financial remuneration from a third party for making the communication. The same message can be treatment or marketing depending on the context and financial arrangements behind it.
Do the 2022 OCR tracking technology guidelines change what the Privacy Rule says about marketing?
The December 2022 OCR guidance did not create new rules. It clarified how existing Privacy Rule provisions, including the marketing provision, apply to tracking technologies. The guidance made explicit that tracking pixels, cookies, and session replay tools that disclose PHI to technology vendors trigger existing HIPAA requirements, including the marketing authorization requirement when the data is used for advertising.
The HIPAA Privacy Rule's marketing provision is not ambiguous. It defines what constitutes marketing, specifies when authorization is required, and has been enforced with increasing frequency since 2022. If your healthcare advertising program needs to align with what the Privacy Rule actually requires, Ours Privacy provides the server-side infrastructure and consent management to run compliant advertising operations.
Related reading:
What Is PHI? A Healthcare Marketer's Guide
Cookie Consent vs HIPAA Authorization: They're Not the Same Thing
HIPAA Penalties for Marketing Violations
HIPAA-Compliant Tools