The HIPAA Privacy Rule requires a patient's authorization prior to marketing. And it defines "marketing" as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." From that definition, it would seem all marketing style emails require patient authorization. Not so fast. There are several exceptions to the HIPAA rule, one of which is most relevant to small healthcare offices.

The relevant HIPAA exception

You are permitted to market products offered by, and services performed within, your office. For example, under this exception, it is not "marketing" if you:

  • Announce the arrival of a new practitioner to your office
  • Provide information about the acquisition of new equipment (e.g., x-ray machine, therapy equipment, etc.)
  • Send a message regarding the benefits of an annual examination

Marketing can be a great tool for growing you practice. Keep your content within the margins above and you are free to email patients without their authorization.

Please note

Sending emails to patients regarding their treatment is also not considered marketing (so you won't need marketing authorization); however, you will need a different kind of authorization should your messages go to an unsecured email account such as Yahoo or gmail.

In order to email or text treatment information, or any other Protected Health Information (e.g., appointment reminders), to a patient's unsecured email account, you must first get the patient's authorization to send and receive medical information by email/text.

With regards to email marketing and ads, pay attention to rules set forth in the CAN-SPAM Act. No one likes receiving unwanted emails, your patients included.