
Red flag: Your healthcare marketing vendor won’t sign a BAA!

Author: Tiffany Staples


Healthcare marketing is a critical component of the healthcare industry. It enables healthcare providers to communicate with patients, educate them about new treatments, and promote their services. But there are strict regulations governing the use of patient information in marketing campaigns, and violating these rules can have serious consequences. Since healthcare providers have access to a vast amount of personal and sensitive information about their patients, it’s your responsibility to protect that information and ensure it’s only used for legitimate healthcare purposes. But in recent years there have been instances where healthcare marketing has violated HIPAA.

It’s important to know how HIPAA regulations apply to healthcare marketing and what steps your organization can take to ensure HIPAA compliance in all your marketing efforts, especially in light of the recent guidance on third-party trackers.

Is your healthcare marketing violating HIPAA?

When it comes to marketing healthcare services, privacy concerns must be taken into consideration. Remember that any use or disclosure of protected health information (PHI) must comply with HIPAA, and that includes for marketing purposes.

One of the most common ways healthcare marketing violates HIPAA is through the unauthorized disclosure of PHI. For example, a healthcare provider may share patient information with a marketing company without the patient's consent, which is a violation of HIPAA. Even if a patient signs a form that allows their information to be used for marketing purposes, if the form is unclear or misleading, it’s not HIPAA-compliant.

Another way healthcare marketers can violate HIPAA is using PHI for targeted advertising. While healthcare providers are allowed to use PHI for treatment, payment, and healthcare operations, you can’t use it for marketing purposes without obtaining the patient's authorization. Targeted advertising based on a patient's medical history without consent is a violation of their privacy.

In some cases, healthcare marketing may even use deceptive practices to obtain PHI, such as offering incentives in exchange for personal information. This not only violates HIPAA but also erodes the trust patients have in their healthcare providers.

Violating HIPAA can have serious consequences for healthcare providers and other organizations. The HHS Office for Civil Rights (OCR) can impose significant fines for violations, ranging from $100 to $50,000 per violation, up to $1.5 million per year. In addition to the financial penalties, organizations that violate HIPAA can face negative publicity, damage to their reputation, and legal action from patients.

What’s the deal with PHI and healthcare marketing?

PHI is any information that can be used to identify an individual and relates to their health status, medical conditions, treatments, or payment for healthcare services. It’s clear this includes data such as name, address, test results, medical diagnosis, health insurance, and prescription information. But what’s come to light recently, with the new HIPAA guidance around third-party trackers, is that seemingly “safe” data, such as an IP address, is also considered PHI: it can identify an individual, and it can be linked to sensitive information such as the condition-related page that individual visited.

So, if you track a website visitor’s activity on a condition-related page, and also track their IP, that’s PHI. And since most healthcare organizations use third-party data capture and marketing solutions, the data is shared outside the organization. This is where the problems start, and it’s a huge concern for healthcare marketers who rely on third-party trackers like Google Analytics to feed customer profiles and deliver personalization. Long story short – you can’t do that anymore.
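As an added example (not part of the original post), here is a small Python audit script that checks constructed sample pages for exactly the pattern described above: a third-party tracker tag loaded from a condition-related URL, which sends the visitor’s IP address and page URL to the tracker’s host. The tracker hostnames, sensitive path prefixes and sample pages are assumptions; replace them with your own vendor inventory and site structure.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of common third-party analytics/ad trackers (assumption: a short
# representative list; replace it with your own MarTech vendor inventory).
THIRD_PARTY_TRACKER_HOSTS = {
    "www.googletagmanager.com", "www.google-analytics.com", "connect.facebook.net",
}
# URL path prefixes that mark condition- or treatment-related pages (assumption).
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/treatments/", "/appointments/")


class SrcCollector(HTMLParser):
    """Collect src attributes of script, img (tracking pixel) and iframe tags."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def third_party_trackers(html):
    """Return the known tracker hosts a page loads, in order of first appearance."""
    parser = SrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname  # relative first-party paths have no host
        if host in THIRD_PARTY_TRACKER_HOSTS and host not in hosts:
            hosts.append(host)
    return hosts


def audit_pages(pages):
    """Map each sensitive page path to the tracker hosts that receive its visits.
    Such a request carries the visitor's IP address plus the condition page URL,
    the combination the tracker guidance treats as PHI leaving the organization."""
    findings = {}
    for path, html in pages.items():
        hosts = third_party_trackers(html) if path.startswith(SENSITIVE_PATH_PREFIXES) else []
        if hosts:
            findings[path] = hosts
    return findings


# Constructed sample pages (not a real site); the measurement ID is a placeholder.
GA_TAG = '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
SAMPLE_PAGES = {
    "/conditions/diabetes": f"<html><head>{GA_TAG}</head><body>Diabetes care</body></html>",
    "/about-us": f"<html><head>{GA_TAG}</head><body>Our team</body></html>",
    "/treatments/physical-therapy": '<html><head><script src="/assets/site.js"></script></head></html>',
}
```

Running `audit_pages(SAMPLE_PAGES)` flags only `/conditions/diabetes`; the about page loads the same tag but is not condition-related, and the physical-therapy page loads only a first-party script. Point the function at your real crawled pages to find every place the page-URL-plus-IP combination leaves your infrastructure.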

How does HIPAA affect healthcare marketing?

HIPAA sets certain limits on how personal data from patients can be used and disclosed. Under HIPAA guidelines, PHI must only be used for “treatment, payment, or healthcare operations” purposes and can’t be shared without patient consent. This applies to all digital communications, such as websites, email campaigns, social media, and paid ads, as well as printed materials like brochures and direct mailings.

When healthcare providers or other organizations use PHI in their marketing campaigns, they must obtain the patient's written consent to do so. This consent must be specific, and patients must be informed about how their information will be used.

Organizations must also take steps to ensure patient data is properly encrypted when transferred between systems or sent over a network, so it always remains secure. Best practice for healthcare data capture is to use a first-party data solution, so the data isn’t collected outside the protected healthcare infrastructure at all. Also, keep in mind you’ll need a Business Associate Agreement (BAA) with any third party involved in PHI handling, for example if you’re outsourcing things such as data capture, server hosting, or analytics work. Yes, this includes Google Analytics, and no, they won’t sign a BAA.

Why do I need to worry about BAAs in healthcare marketing?

Keep in mind HIPAA was created to protect the confidentiality of patient information and establish standards for the electronic exchange of healthcare information. The law applies to healthcare providers, health plans, and healthcare clearinghouses, as well as any business associates that handle protected health information (PHI) on their behalf.

The last part is key – because healthcare marketers must have a BAA (Business Associate Agreement) with any business associates that handle PHI. This includes any vendor in your MarTech stack who captures, shares, processes, or in any way deals with (or could potentially receive) PHI.

You can’t ensure HIPAA compliance in your healthcare marketing if you can’t control your patient data and how it’s used by your marketing vendors. When a vendor can’t or won’t sign a BAA, that should be a huge red flag.

How can you ensure your healthcare marketing efforts are HIPAA compliant?

It’s important for healthcare providers and marketing companies to understand the requirements of HIPAA and take steps to protect patient privacy. This includes obtaining patient consent before using PHI for marketing purposes, ensuring any forms or agreements are clear and easy to understand, and implementing safeguards to prevent unauthorized access to patient information. Of course you still want to provide a personalized patient experience, and you can, you just have to be careful how you do it.

To ensure your healthcare marketing efforts are HIPAA compliant, follow these guidelines:

  • Obtain patients' written consent: Before using PHI in any marketing campaign, obtain the patient's written consent. The consent should be specific and clearly explain how their information will be used.
  • De-identify or anonymize PHI: To prevent patients from being identified, ensure any PHI used in marketing campaigns is de-identified or anonymized before sharing outside the organization.
  • Train your staff: Make sure your staff is trained on HIPAA regulations and understands how to handle PHI. This includes training on how to obtain patient consent and how to de-identify or anonymize PHI.
  • Conduct regular audits: Regularly audit your healthcare marketing efforts to confirm they’re HIPAA compliant. This includes reviewing your marketing materials and tracking patient consent.
  • Work with a HIPAA compliance expert: If you're unsure about whether your healthcare marketing efforts are HIPAA compliant, work with a HIPAA compliance expert. They can help you understand the regulations and develop a compliance plan.

Best Practices for HIPAA Compliance in Healthcare Marketing

Staying on top of HIPAA regulations shouldn’t be complicated or difficult. Here are some best practices to ensure your healthcare marketing efforts stay compliant:

  • Leverage a first-party data capture solution so you own and control the data
  • Use strong encryption methods when transferring PHI between systems
  • Follow proper authorization processes when collecting and exchanging PHI with third parties
  • Ensure you have valid BAAs with all external vendors
  • Regularly monitor staff compliance with HIPAA rules
  • Have a clear policy governing how employees should handle PHI
  • Track access logs closely so you know who has accessed which records
  • Update your security protocols regularly

By taking these simple steps you can help protect your patients’ sensitive information while also avoiding costly violations of federal regulations – something no one wants!


Healthcare marketing is an essential part of the healthcare industry, but it must be done in a way that complies with HIPAA regulations. Healthcare marketers can violate HIPAA in many ways, from unauthorized disclosure of PHI to targeted advertising based on medical history. Healthcare providers and marketing companies must protect patient privacy and ensure they’re complying with the requirements of HIPAA. By doing so, you can build trust with your patients and maintain the integrity of the healthcare system while avoiding the serious consequences of financial penalties and damage to your organization’s reputation.
