Healthcare marketing can be fully HIPAA-compliant: never use patient data for marketing without written authorisation, get signed consent for testimonials and photos, keep PHI out of email subject lines, use encrypted forms and BAA-covered tools, and avoid tracking that sends patient data to ad platforms. The rule: marketing TO patients is fine; using their DATA needs authorisation.
The distinction that governs everything
HIPAA doesn't ban marketing — it governs patient data. Promoting your services to the public is fine. The obligations kick in the moment you use protected health information: a patient's identity, condition, or visit. Internalise that line and most compliance questions answer themselves — the issue is almost always how data is collected, stored, and shared, not advertising itself.
The compliance checklist
- Written authorisation before using any patient data for marketing
- Signed consent for testimonials and before/after photos
- No PHI in email subject lines or unsecured messages
- Encrypted, securely stored web forms
- Vendors handling PHI covered by a BAA
- A staff policy for social media and patient comments
Tracking is the modern trap
The easiest way to breach HIPAA today is invisible: analytics and ad pixels that quietly send visitor data — including from sensitive condition pages — to third parties. Use server-side conversions, BAA-covered analytics, and keep patient identifiers out of URLs. Most practices are exposed here without realising it, because the violation happens in code, not copy.
A worked example
A clinic ran ordinary ad-platform pixels across its whole site, including pages for sensitive conditions — quietly sending visitor signals to third parties in a way that risked a violation. Switching to server-side conversion tracking, using BAA-covered analytics, and keeping identifiers out of URLs let the clinic measure marketing performance without exposing patient data. The fix was technical, not a copy change.
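One way to implement the fix described above and in the tracking section, as an added example that is not the clinic's or any vendor's code: a Python scrubber that a server-side conversion relay runs before forwarding an event to an ad platform, so the platform never receives condition-page paths or identifiers. The sensitive path prefixes, allowed parameters, event names and identifier patterns are constructed assumptions for the example.

```python
"""Scrub a browser event on the clinic's own server before relaying it to an ad or
analytics platform, so the platform never sees PHI-bearing paths or identifiers."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed for this example: path prefixes of condition-specific pages.
SENSITIVE_PREFIXES = ("/conditions/", "/services/mental-health/", "/portal/")
# Constructed: the only query parameters forwarded (ad-platform click ids).
ALLOWED_PARAMS = {"gclid", "fbclid"}
# Constructed: the only event names the relay will forward.
ALLOWED_EVENTS = {"page_view", "appointment_request", "phone_click"}
# Patterns suggesting a patient identifier is riding in the URL.
IDENTIFIER_PATTERNS = (
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),                      # e-mail address
    re.compile(r"\b(?:mrn|patient|pid|appt)[_=-]?\d+\b", re.I),  # record/appointment ids
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                        # SSN-shaped
)


def url_identifier_findings(url):
    """Return the substrings of `url` that look like patient identifiers."""
    return [m.group(0) for pat in IDENTIFIER_PATTERNS for m in pat.finditer(url)]


def scrub_conversion_event(event):
    """Reduce a raw browser event to the minimum the ad platform needs.
    Returns (payload, reasons). payload is None when the event must be dropped;
    reasons lists what was removed or why, for the relay's own audit log.
    Referrer, cookies, IP and user-agent are never copied into the payload.
    """
    name = event.get("event")
    if name not in ALLOWED_EVENTS:
        return None, [f"event {name!r} not on allow-list"]
    url = event.get("url", "")
    findings = url_identifier_findings(url)
    if findings:  # an identifier in the URL means the page itself needs fixing
        return None, [f"identifier in URL, event dropped: {findings}"]
    parts = urlsplit(url)
    reasons = []
    path = parts.path
    if path.startswith(SENSITIVE_PREFIXES):
        reasons.append("sensitive page: path redacted")
        path = "/redacted"
    query = parse_qsl(parts.query)
    dropped = sorted({k for k, _ in query} - ALLOWED_PARAMS)
    if dropped:
        reasons.append(f"dropped query params: {dropped}")
    payload = {"event": name, "path": path}
    payload.update((k, v) for k, v in query if k in ALLOWED_PARAMS)
    return payload, reasons
```

The reasons list is meant for the clinic's own log, not for the platform; an "identifier in URL" entry is a signal to fix the page that generated it.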
Frequently asked questions
Are patient testimonials allowed?
Yes, with signed authorisation and appropriate framing. The consent is what makes them compliant; using a patient's words or image without it is the violation.
What's the most overlooked risk?
Website tracking that sends patient data to ad and analytics platforms — especially on sensitive pages. It's a silent, common exposure that needs server-side, BAA-covered measurement.