Consider patient privacy when marketing your practice


Marketing activities may help to bolster revenue, but they must also be HIPAA compliant. Here are the legal issues to consider when marketing your practice.


As a result of increased competition within the healthcare industry, many providers are considering, or have already pursued, marketing activities to bolster their practices. The most common question healthcare providers raise when contemplating marketing concerns compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Healthcare providers must ensure that they are not violating HIPAA through the impermissible use or disclosure of a patient’s protected health information (PHI). In addition, healthcare providers need to be aware of other federal and state laws when developing their marketing strategies.

HIPAA defines marketing as any oral or written communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. With limited exceptions, the HIPAA Privacy Rule requires that a healthcare provider, as a covered entity, obtain the written authorization of the patient prior to any use or disclosure of the patient’s PHI for marketing purposes.

HIPAA exceptions

The two stated exceptions to the HIPAA Privacy Rule are:

  • face-to-face communication between the personnel of the healthcare provider and the patient, and

  • promotional gifts to the patient of nominal value (e.g., pens, toothbrushes, key chains, coffee mugs with the healthcare provider’s name on them).

Absent an exception, the healthcare provider would need to obtain the written authorization of the patient.

What information must be included in the written authorization? The HIPAA Privacy Rule details a list of core elements and required statements that need to be included in the written authorization for it to be effective.

Paying patients for marketing

There is a key additional requirement in connection with marketing practices. If the marketing involves financial remuneration (i.e., direct or indirect payment from or on behalf of a third party whose product or service is being described) to the healthcare provider from a third party, the authorization must state that such remuneration is involved.

Other laws, regulations

Obtaining a HIPAA-compliant authorization is merely the first step. The healthcare provider must also ensure that any marketing activities are in accordance with all federal and state statutes and regulations.

Patient testimonials

Because there has been an exponential increase in the utilization of patient testimonials as a marketing tool, it is worth spending a moment to discuss the Federal Trade Commission Act (FTCA).

The FTCA aims to prevent unfair methods of competition and unfair or deceptive acts or practices that may affect commerce.

In 2009, the Federal Trade Commission (FTC) released “Guides Concerning the Use of Testimonials and Endorsements” to provide direction to advertisers, including healthcare providers, on how to ensure that testimonial and endorsement advertisements are in accordance with the FTCA. The 2009 release of the Guides was the first re-interpretation of the testimonial and endorsement regulations in nearly 30 years, as the FTC had not updated the guide since 1980.

The guidelines define an endorsement (which includes a patient testimonial) as any advertising message that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser.

The advertisement must reflect the honest opinions, findings, beliefs, or experience of the patient and should be representative of a typical experience for patients using a similar product or service.

If the testimonial is not representative of the typical experience of most patients, the healthcare provider must clearly and conspicuously disclose the generally expected experience of similar patients.

This is a departure from the guide promulgated by the FTC in 1980, which permitted an advertiser to describe unusual results in an advertisement, provided that a disclaimer was included which stated that “results were not typical.”


The use of marketing by healthcare providers will continue to grow and evolve. It is essential that providers develop and implement a marketing strategy that is compliant with HIPAA, the FTCA, and all other federal and state laws.


Matthew Colongeli, JD, is an associate at Garfunkel Wild, P.C., in Great Neck, New York. Send your legal questions to