HIPAA-Compliant Marketing for Medical Practices: What You Can and Can’t Do

A lot of medical practices pull back from digital marketing because someone, usually a well-meaning but overly cautious office manager or an attorney, told them HIPAA means they can’t say much of anything online. That’s an overreaction, and it’s costing them patients. HIPAA has specific rules, but they don’t prevent you from marketing your practice. They just set some guardrails, and once you understand them, you’ll see there’s plenty of room to work with.

Key Takeaways

  • HIPAA restricts how you use patient health information, but it doesn’t stop you from running ads, publishing content, or building an online presence.
  • Using patient data to target ads without a signed authorization is a violation; most digital ad targeting should be based on general demographics, not your own patient records.
  • Patient testimonials are allowed if you have proper written authorization, but you can’t pressure patients to provide them.
  • Retargeting pixels and tracking tools on your website carry HIPAA risk if they capture health-related browsing behavior; this became a major issue after the HHS 2022 guidance update.
  • Email marketing to patients is generally fine for appointment reminders and health information; marketing emails to non-patients don’t carry the same restrictions.

What HIPAA Actually Restricts in Marketing

HIPAA’s marketing rules are about protected health information (PHI): name, contact info, diagnoses, treatment history, anything that could identify a patient and connect them to health-related data. You can’t use PHI to market third-party products or services to patients without their written authorization. You also can’t share patient data with advertisers or tech companies for marketing purposes without that same authorization.

What HIPAA doesn’t restrict is your ability to market your practice to the general public. Running Google Ads, building a social media presence, publishing blog content, sending emails to prospects who opted in on your website, buying display ads, none of that involves patient data, and none of it is a HIPAA problem.

The Pixel Problem: Why Tracking Tools Got Medical Practices in Trouble

In late 2022, the Department of Health and Human Services (HHS) issued guidance clarifying that web tracking technologies, including the Meta Pixel and Google Analytics, can create a HIPAA violation if they capture health information from patients. These tools typically send the URL of the page being viewed together with the visitor's IP address and other identifiers to the vendor, so if a patient visits a page on your site about a specific condition or treatment and that data goes to a third-party ad platform, the disclosure could be a violation.

This caught a lot of practices off guard. Many had deployed tracking pixels without thinking about it because their marketing agencies set them up. After the HHS guidance, hospitals and health systems started pulling pixels from patient portals and appointment booking pages. For smaller practices, the risk depends heavily on how the pixel is configured and what pages it fires on.

The practical fix is to keep the Meta Pixel (and any comparable tag) off pages that reveal a health condition or a patient relationship, such as service pages for specific treatments, appointment booking, and your patient portal login. Limit tracking to generic pages: homepage, about us, contact. Work with a healthcare marketing agency or privacy attorney if you're unsure where your specific setup falls.
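One way to enforce that page-by-page rule in code, as an added example that is not from the original article or from any ad platform's own snippet: load the pixel only when the current path is on an explicit allowlist of generic pages, and refuse it outright under any prefix that implies a condition or a patient relationship. The path lists and the pixel URL are constructed for illustration; a real deployment derives them from a review of the site's pages.

```javascript
// Added example, not code from the original article: gate a tracking pixel so
// that it loads only on generic pages. The path lists below are constructed
// illustrations; a real deployment derives them from a review of the site.

// Generic pages on which the pixel may load (homepage, about, contact).
const PIXEL_ALLOWED_PATHS = new Set(["/", "/about", "/about-us", "/contact"]);

// Path prefixes that reveal a health condition or a patient relationship.
// These are refused even if a path under them is later added to the allowlist.
const PIXEL_DENIED_PREFIXES = [
  "/portal", "/patient", "/appointments", "/book", "/services/", "/conditions/",
];

// Normalise a path for comparison: drop query string and fragment, lower-case,
// strip a trailing slash. "/About-Us/?utm=x" becomes "/about-us".
function normalizePath(pathname) {
  let p = String(pathname).split(/[?#]/, 1)[0].toLowerCase();
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p === "" ? "/" : p;
}

// Default deny: a page that has not been explicitly reviewed gets no pixel,
// so a newly published condition page is safe until someone looks at it.
function pixelAllowedFor(pathname) {
  const p = normalizePath(pathname);
  for (const prefix of PIXEL_DENIED_PREFIXES) {
    const bare = prefix.replace(/\/$/, "");
    if (p === bare || p.startsWith(prefix)) return false;
  }
  return PIXEL_ALLOWED_PATHS.has(p);
}

// Inject the ad platform's loader only when the path is allowed. `doc` is
// passed in rather than read from the global so the logic can be exercised
// without a browser. `pixelSrc` stands in for the platform's real loader URL
// (the one used below is a placeholder, not a real endpoint).
function installPixelIfAllowed(doc, pathname, pixelSrc) {
  if (!pixelAllowedFor(pathname)) return false;
  const s = doc.createElement("script");
  s.async = true;
  s.src = pixelSrc;
  doc.head.appendChild(s);
  return true;
}

// In a browser, decide from the current location; under Node this is skipped.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installPixelIfAllowed(document, window.location.pathname, "https://example.invalid/pixel.js");
}
```

Two caveats. The decision here is made from the path only, but once the pixel loads it reports the full page URL, so query-string parameters on the allowed pages (a `?condition=` value carried over from a form, say) would still travel to the vendor; keep health-related parameters out of URLs on those pages. And if the pixel is installed through a tag manager rather than directly, the same allowlist has to be expressed as the tag's firing trigger, or the tag manager's own container will load it everywhere regardless of this check.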

Patient Testimonials: How to Do Them Right

Testimonials are among the most persuasive content a medical practice can publish, and they’re fully allowed under HIPAA as long as you have proper written authorization from the patient. That authorization needs to specify what information can be disclosed, how it’ll be used, and that participation is voluntary with no impact on their care. It doesn’t have to be complicated, but it does have to be explicit and documented.

You can ask patients for reviews on Google or Healthgrades. You can share those reviews on your website. What you can't do is respond to a negative Google review in a way that confirms or reveals PHI. Even something that seems harmless, like "We're sorry you had that experience on your visit last Tuesday," confirms that the reviewer was a patient and when they were seen.

A compliant response to negative reviews looks like:

“We take all patient feedback seriously and are committed to providing high-quality care. Please contact our office directly so we can address your concerns.” That’s it. No confirming the relationship, no details. If they bring up specifics, still don’t confirm. Just offer to talk privately.

Email Marketing: What’s Allowed

Email marketing to your existing patients is generally fine for treatment reminders, appointment follow-ups, and health education, all considered “healthcare operations” under HIPAA. You can also send appointment recall campaigns to lapsed patients without a separate authorization, because that falls under treatment purposes.

Where it gets more restricted is if you’re emailing patients to promote a third-party product or service, like a supplement company or ancillary provider you have a financial relationship with. That kind of marketing email requires written authorization from the patient. The same applies if you’re sharing your patient list with another company for their marketing.

Email marketing to prospects, people who filled out a form on your website but aren't patients yet, doesn't carry the same HIPAA restrictions. Standard email marketing rules (CAN-SPAM, and CASL if you have Canadian recipients) apply, but HIPAA is less of a concern there because there is no patient relationship yet and no PHI involved.

Social Media and Content Marketing

Social media is an area where practices often make mistakes without realizing it. Posting educational content about conditions, procedures, and your services is completely fine, and it’s good marketing. Where things go wrong is in the comments and DMs. If a patient mentions their condition or treatment publicly, your response can’t confirm or add to that information in a way that constitutes disclosure of PHI. A casual public reply acknowledging their comment could be a violation depending on what it reveals.

The safer approach is to take medical questions out of public comments and into a private conversation, then into an actual appointment. That’s both HIPAA-smart and good patient experience. For Instagram and Facebook, your practice page should have a clear policy that the platform isn’t for medical advice or patient-specific communication.

Ads: What You Can and Can’t Target

Running Google Ads or Facebook Ads targeted by general demographics (location, age, interest in health and wellness) is not a HIPAA problem. You're not using PHI to build that audience; you're using the ad platform's own data. Problems arise when practices upload their patient email list to Facebook as a Custom Audience, or use health data from their EHR to build ad targeting. That means PHI leaving your systems and going to an advertising company, which requires a Business Associate Agreement (BAA) with the ad platform, and most won't sign one.

Meta does not sign BAAs. Google signs them for some products, such as Google Workspace and Google Cloud, but not for its advertising and analytics products. Until these relationships are clearly resolved, the safest approach for practice marketing is to build audiences from general demographics, visitors to non-PHI pages of your website, and lookalike audiences, rather than from your patient database.

Frequently Asked Questions

Can I use Google Ads to market my medical practice?

Yes. Running Google Ads targeting general demographics and keywords is not a HIPAA issue. You’re not using patient data; you’re using the ad platform’s audience tools. HIPAA concerns arise when you upload patient information to build ad audiences, not when you run ads to the general public.

Can my practice post patient testimonials?

Yes, with proper written patient authorization. The authorization should specify what information can be shared, how it will be used, and confirm participation is voluntary. Without that documentation, sharing patient stories, even with first names only, could violate HIPAA.

Is the Meta Pixel a HIPAA violation for medical practices?

It can be. After the 2022 HHS guidance, placing the Meta Pixel on pages where patients engage with health-specific content (appointment booking, patient portal, condition-specific service pages) creates HIPAA risk because health-related behavioral data could be transmitted to Meta. Limit pixels to generic pages like your homepage and about page.

Can I respond to patient reviews on Google?

Yes, but carefully. Never confirm someone was a patient or reference any details of their care in a public response. Keep responses general: acknowledge the feedback, express commitment to quality care, and invite them to contact the office privately. Even a vague reference to their visit can constitute a HIPAA violation.

Can I email my existing patients about services?

Yes. Emails about appointments, health reminders, and your own services are generally covered under healthcare operations under HIPAA. You don’t need additional authorization for those. What requires authorization is emailing patients to promote a third-party product or service, or sharing your patient list with another company for marketing purposes.
