HIPAA prohibits use of PHI for marketing activities without prior patient authorization.

Marketing means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  Communications for treatment, to describe health-related products or services, and certain healthcare operations are not included. However, authorization is required for treatment and healthcare operations communications where the covered entity receives financial compensation from a third party whose product or service is being marketed.  See UNC Health Uses and Disclosures of PHI for Marketing Policy.

Patient Authorization Required

As outlined in the Uses and Disclosures of PHI for Marketing Policy, the UNC Health Use or Disclosure of PHI for Education, Fundraising or Marketing Authorization must be signed by the patient before using or disclosing PHI for marketing, which includes:

  1. Providing subsidized treatment communications to patients; or
  2. Using or disclosing any information about a patient if the information will be used for marketing purposes, including patient photographs and testimonials.

Health-Based Marketing Communications

If UNC SOM intends to use UNC Health patient information to engage in marketing communications based on the patient’s health status and does not obtain patient authorization, then UNC SOM must include language similar to the following in the communications:

“This material has been presented to you because [the UNC Health Facility] has determined that the products/services offered herein would be beneficial to your health, particularly by [insert explanation as to how the product or services relate to the health of the Individual targeted]”

See UNC Health Uses and Disclosures of PHI for Marketing Policy.

Business Associate Agreement

If a covered entity contracts with a third party to perform services (e.g., distribute fundraising materials) on behalf of the covered entity and the third party will create, receive, transmit, access, or store PHI to perform those services, then a Business Associate Agreement must be obtained. See UNC Health Business Associates Policy.