Blog · Medical Marketing

HIPAA compliant marketing: what your practice can and cannot do

You can market a medical practice aggressively and stay compliant — if you know where PHI hides in your ad stack, your testimonials and your analytics.

HIPAA compliant marketing means promoting your practice without using, disclosing or transmitting protected health information (PHI) unless the patient has given specific written authorization — and in 2026 the biggest violations do not come from what practices say, but from what their tracking pixels silently send to ad platforms. Marketing itself is not the problem; the plumbing behind it usually is.

This guide covers the five places compliance actually breaks: retargeting, testimonials, email and SMS, vendor agreements, and analytics. One note before we start: this is practical marketing guidance based on more than 10 years running patient acquisition for thousands of clinics and doctors, not legal advice — for decisions about your specific situation, involve your compliance officer or healthcare attorney.

What counts as PHI in a marketing context

PHI is any individually identifiable health information held by a covered entity — and "identifiable" is broader than most marketers assume. In practice, PHI shows up in marketing as:

  • Patient lists used to build ad audiences (names, emails, phone numbers of actual patients).
  • The combination of an identifier plus a health signal: an IP address or cookie ID tied to a visit to your "herpes treatment" page can be PHI.
  • Appointment data, treatment types, or portal activity flowing into any marketing tool.

The mental model that works: identity + health inference = PHI. A stranger clicking your homepage is not PHI. That same visitor's cookie being sent to Meta from your patient portal login page very likely is. The typical mistake is assuming PHI only means medical records — regulators have made clear that tracking data can qualify.

Retargeting: the highest-risk tactic in your stack

Standard retargeting drops a pixel on every page, builds an audience of visitors, and lets you advertise to them later. In healthcare that mechanism is a trap, because the pixel tells the ad platform which condition pages each identifiable user visited. Safer rules:

  • No Meta pixel, TikTok pixel or similar on condition-specific pages, appointment booking flows or anything behind a patient login. Ever.
  • Never upload patient lists as custom audiences without valid written authorization from each patient — in practice, do not do it at all.
  • If you retarget, do it only from generic pages (homepage, general "about" content) and accept the smaller audience.
  • Prefer contextual and search-intent targeting, which needs no identity: bidding on "dermatologist near me" in Google Ads for healthcare works on what someone searches, not who they are.

The typical mistake: the web agency installs pixels "everywhere, like every other client" and nobody in the practice knows. Audit what fires on your site this week — it takes an hour with your browser's developer tools or a scanning service.

Testimonials and reviews: authorization first, always

Patient stories are your most persuasive asset and the most commonly mishandled one:

  • Using a patient's name, photo, or story in your marketing requires specific written HIPAA authorization — a generic intake consent form is not enough.
  • The authorization should say where the testimonial will appear and that the patient can revoke it going forward.
  • Before-and-after photos are PHI. Same rule: written authorization for marketing use.
  • When replying to online reviews, never confirm the reviewer was a patient or mention any treatment — even if they disclosed everything themselves. Reply generically and take specifics offline.

The typical mistake is the well-meaning review reply: "We're glad your implant surgery went well, Susan." That single sentence is a disclosure. Our guide to online reputation for doctors and clinics covers compliant response templates in depth.

Email and SMS: consent is a two-layer question

Patient communications sit under two regimes at once: HIPAA (what you may say and to whom) and TCPA/CAN-SPAM (whether you may contact them at all). The workable setup:

  • Appointment reminders and recall messages are generally fine as healthcare operations — but keep content minimal: date, time, "your upcoming appointment", never the condition or procedure.
  • Promotional messages — offers, new services, newsletters — require prior express consent, a clear opt-out in every message, and honoring opt-outs immediately.
  • Collect consent explicitly at intake with checkboxes for each channel, and log it.
  • Never segment promotional campaigns by diagnosis or treatment without authorization — "email all our Botox patients about the Botox promo" is exactly the campaign that gets practices in trouble.

Expect the consent cleanup to take 2-4 weeks; it is unglamorous and it is the foundation of every reactivation campaign you will ever run.

BAAs: the vendor question nobody asks until it is too late

Any vendor that touches PHI on your behalf must sign a Business Associate Agreement (BAA). Map your stack against this rule:

  • Will sign a BAA: most healthcare CRMs, reminder platforms, HIPAA-focused email tools, some form providers, Google Workspace (for covered services).
  • Will not sign one for ads: Google Ads and Meta explicitly do not offer BAAs for their advertising products — which is precisely why PHI must never reach them.
  • Your marketing agency needs a BAA too if it can access patient data, your CRM, or your booking system.

The typical mistake is using a consumer email tool for patient newsletters with no BAA in place. If a vendor touches PHI and will not sign, replace the vendor or cut off the data.

A safe analytics setup that still gives you numbers

You can measure marketing performance without leaking PHI:

  • Keep all third-party pixels off portal, booking and condition pages; measure those with privacy-safe, first-party or HIPAA-capable analytics under a BAA.
  • Use server-side tracking with strict filtering, so you control exactly which events reach ad platforms — conversions like "appointment request submitted" can be sent stripped of identity and condition context.
  • Track calls with a HIPAA-conscious call platform that will sign a BAA, and disable call recording or transcription features you have not cleared.
  • Document the setup. If anyone asks why your architecture looks this way, a one-page data map is your best friend.

Done right, you still see cost per appointment by channel — you just stop sharing your patients with ad networks to get it. Budget 2-4 weeks for the migration in a typical practice: one week of auditing what currently fires, one to two weeks of replumbing tags and forms, and a final week of testing that conversions still count. It is the least visible project on this list and the one that removes the most risk.

How Medical Marketing helps

Medical Marketing builds compliant acquisition systems for practices every week: pixel audits, safe conversion tracking, consent-based email and SMS flows, and ad campaigns that grow the schedule without ever exposing patient data — the operating standard of our medical marketing agency for the US market. If you want a second pair of eyes on your current setup, book a free 30-minute consultation and we will flag the risks and the quick wins.

Frequently asked questions

Is it legal to market a medical practice under HIPAA?

Yes. HIPAA does not prohibit marketing — it restricts using or disclosing protected health information for marketing without written patient authorization. Advertising your services, running search ads, publishing content and managing reviews are all fine when your tracking and messaging are set up so PHI never reaches third parties.

Can a medical practice use the Meta pixel or Google retargeting?

Only with extreme care. Pixels on condition pages, booking flows or patient portals can transmit identifiable health information to ad platforms, which regulators treat as a disclosure. Neither Google nor Meta signs a BAA for their ad products, so most practices should keep pixels off sensitive pages entirely and rely on search-intent targeting instead.

Do patient testimonials violate HIPAA?

Not if you obtain specific written HIPAA authorization before using a patient's name, photo, story or before-and-after images in marketing. A general intake consent is not sufficient. Without authorization, even reposting a public review with the patient's identity attached can be a violation.

Do I need a BAA with my marketing agency?

If the agency can access anything containing PHI — your CRM, booking system, patient lists, call recordings or email platform — then yes, a Business Associate Agreement is required. If the agency only ever handles anonymous website and ad data, a BAA may not be triggered, but most working relationships eventually touch patient data.

Can I email or text patients about promotions?

Yes, with prior express consent for promotional messages, an opt-out in every message, and content that does not reference their condition or treatment. Appointment reminders are treated differently, as healthcare operations, but should still contain minimal information. Segmenting promos by diagnosis requires patient authorization.

Shall we grow your clinic?

Talk to our AI agent, trained on the €10M+ we've invested in medical marketing.

Talk to our AI agent