Marketing With Care: A Practitioner's Guide to HIPAA-Compliant Marketing
I keep getting the same question.
It shows up in DMs, on strategy calls, in the middle of platform migrations: “Is this okay? Like, HIPAA-okay?”
Usually the “this” is something that feels harmless. A supplement dispensary sending automated emails. An affiliate link for a lab company. A summit host asking a practitioner to email their patient list during launch week. A CRM that seemed fine until someone mentioned the letters B-A-A and everything got uncertain.
Here’s the thing. Most practitioners learned HIPAA in the context of clinical documentation. Charts. Faxes. Records requests. The category in your head is “patient information handling,” and marketing doesn’t feel like it belongs there.
It does.
So I wrote this guide. Not as legal advice (I’ll say that again at the bottom), but as the practitioner-facing walkthrough I wish existed when I started doing this work. The one that explains what actually matters, what the real risks look like, and what you can do about it without shutting down your entire marketing operation.
Before We Start: A Few Terms Worth Knowing
If these are already familiar, skip ahead. If not, they’ll come up throughout the guide.
What “patient information” actually covers
More than charts. It covers anything that identifies a person as your patient: names, email addresses, phone numbers, appointment schedules, and the simple fact that someone is or has been your patient. When I say “patient information” in this guide, that’s what I mean.
Why marketing gets treated differently
HIPAA treats marketing as a specific, regulated activity. It’s separate from clinical communication or routine practice operations. The short version: when a third party is paying for the communication, or when the communication uses patient information to sell something, special rules kick in.
Whether HIPAA even applies to you
Here’s the actual test. HIPAA applies to a health care provider that transmits health information electronically in connection with a standard transaction, and for most practices that means billing health insurance electronically. If you never bill insurance and never submit claims through software or a billing service, you may sit outside the federal HIPAA rules. Cash-only practices, doulas, lactation educators, some coaches: often outside HIPAA for that reason.
Even when federal HIPAA doesn’t apply, state privacy laws often do. And your patients generally expect HIPAA-level privacy regardless. If you’re unsure, a healthcare compliance attorney can give you a clean answer in a single consultation.
State law often goes further
HIPAA is the federal floor, not the ceiling. California, Washington, and a growing list of other states extend protection beyond HIPAA’s reach. Some of those laws apply to wellness practitioners and coaches who wouldn’t otherwise be covered. This guide focuses on federal HIPAA. Treat it as the starting point, not the full picture.
What a Business Associate Agreement is
Often called a BAA. It’s a contract between your practice and a vendor: your email platform, your scheduler, your analytics provider, anyone you share patient information with. The vendor agrees to handle that information according to HIPAA’s rules. Without one, you can’t lawfully share patient information with that vendor in the first place. Some vendors sign these freely. Many don’t.
The difference between a covered entity and a business associate
You’re the covered entity: the practice owner, the licensed practitioner. A business associate is anyone you give patient information to so they can do work on your behalf. Marketing agencies, software platforms, IT vendors. When I refer to an agency signing a BAA with a practice, that’s the relationship. You’re the covered entity. They’re the business associate.
Why This Matters (More Than You Think)
I know. You’re busy. You have clients to see and content to create and a business to run. Compliance feels like one more thing on a list that’s already too long.
But here’s the part that surprises most practice owners.
The federal Office for Civil Rights (the agency at HHS that enforces HIPAA) brings only a fraction of the cases that hit small practices. State attorneys general and the Federal Trade Commission bring the rest. And they’ve been increasingly active.
Real case: $300,000 fine over website tracking. In December 2023, the New York Attorney General fined New York-Presbyterian Hospital $300,000 over common website tracking tools, including Meta Pixel and Google Analytics, on pages where patients searched for health conditions and providers. Information about more than 54,000 patients was disclosed to those third-party platforms. The hospital had standard analytics installed on a website that handled patient information. The same setup many small practices use. The state AG treated it as a privacy violation under both HIPAA and New York consumer protection law.
Real case: FTC warns dietitians over undisclosed sponsorships. In November 2023, the FTC sent warning letters to twelve registered dietitians and health-focused content creators who’d been paid by sugar industry trade groups to post on Instagram and TikTok without disclosing the financial relationship. The letters cited per-violation civil penalties of $50,120. This wasn’t HIPAA. It was the FTC enforcing its endorsement rules, which require anyone who promotes products in exchange for payment, free product, or commission to clearly disclose the relationship.
Federal HIPAA fines exist and can be substantial. But they’re rarely the first consequence a small practice faces. The realistic exposure is more often a state AG action, an FTC warning letter, a civil lawsuit under state law, or a patient complaint that turns into a public reputation problem.
I’m not saying this to scare you. I’m saying it because the rest of this guide won’t make sense without understanding what’s actually at stake. Your marketing is not the same as marketing in any other industry. Most of the tools and tactics that other small businesses use freely come with strings attached the moment patient information is involved.
What HIPAA Actually Counts as Marketing
Most of the rules come back to one question. The answer determines whether the rest of the law applies to what you’re about to do.
Are you using something a patient shared with you, in the context of their care, to encourage them or someone else to buy something?
If yes, HIPAA has rules about how you do it. If no, you have far more freedom than you might think.
The rule on what counts. The HIPAA Privacy Rule defines marketing as a communication about a product or service that encourages someone to buy or use it. It also treats a communication as marketing when a third party pays you to send it, even if the message looks like routine practice communication. There are narrow exceptions: face-to-face conversations between you and your patient, refill reminders for medications the patient is already prescribed (when any payment to you is roughly equal to the cost of sending the reminder), and small promotional gifts. (Source: 45 CFR 164.501)
The rule on when patient permission is required. For any use of patient information for marketing, you generally need the patient’s signed authorization first. It has to be specific, voluntary, and revocable. If a third party is paying you to send the communication, the authorization has to say so. This is separate from the Notice of Privacy Practices acknowledgment patients sign at intake. That acknowledgment doesn’t cover marketing. Marketing requires its own written permission. (Source: 45 CFR 164.508)
Generally fine, no patient permission needed
- Newsletters about your services to people who opted in publicly
- Social media posts to a general audience
- Educational content on your blog
- Talking with patients in person about their care or follow-up
- Recommending other providers or treatments to a patient during a visit
- Small promotional gifts (like a branded pen)
Requires patient permission first
- Using your patient list to promote anything to those specific patients
- Letting another business pay you to communicate with your patients about their product
- Selling or sharing your patient list with anyone
- Using a patient’s story, photo, or testimonial in marketing
- Sharing patient details with a partner who will market back to them
Most of your marketing probably falls in the first list. The second list is where the biggest exposure lives.
Where You’ll Actually Run Into Trouble
I see four activities and one underlying infrastructure issue come up again and again. Almost every integrative or wellness practice touches at least one.
Virtual supplement dispensaries
You know the setup. An online platform lets you recommend supplements to patients with a markup on each sale. The platform also sends automated refill reminders, recommendation emails, promotional discount campaigns, all with your branding on them.
Under HIPAA, a communication funded by a third party whose product is being sold is generally treated as marketing. There’s a narrow exception for refill reminders, but only when any payment to you is roughly equal to what it actually costs to send the reminder. A 25 to 35 percent markup is not that.
This doesn’t mean you can’t use these platforms. It means the patient communications going through them likely need either explicit patient permission, or a careful structural review of how the program is set up.
Affiliate links and brand partnerships
If you receive a commission, kickback, or referral fee for sending patients to buy a wearable device, a CGM, a meal delivery service, a course, an app, or a piece of software, that’s a third-party-paid marketing relationship. The same rule applies whether the payment is direct cash, a discount code that earns commission, free product, or a flat sponsorship fee.
FTC rules also require clear, prominent disclosure of any material connection between you and the brand. Burying it in a hashtag or a footer doesn’t satisfy the rule. The November 2023 FTC sweep targeted this exact pattern.
Lab company markups and incentives
Many functional and integrative practices buy specialty lab tests at wholesale and resell them at a markup. That structure, on its own, is generally a permissible retail arrangement. What changes the analysis is when a lab company pays for marketing materials, sponsors education, funds patient outreach, or offers volume incentives. At that point the third-party-payment rules kick in. State medical board rules may also apply, along with the federal Anti-Kickback Statute (a separate law that prohibits paying or receiving anything of value in exchange for referrals when federal health care programs are involved).
Joint launches and summit promotions
You know how these work. A colleague asks you to promote her course in exchange for promoting yours. Or a summit host invites you to contribute an interview and email your list during the free-access window in exchange for a share of upgrade revenue.
If the list you’re emailing contains current or former patients, you’re using protected health information to send a third-party-paid marketing message. The fact that it’s another practitioner on the receiving end doesn’t change the rule. Neither does the fact that the offering is health-related.
This is the category practitioners almost never recognize as a HIPAA issue. And it’s everywhere.
Underneath all of this: your tool stack
This is the quietest and most common problem. Your scheduling software, intake form builder, payment processor, telehealth platform, file storage, fax service, transcription tool, AI assistant, billing software: they all touch patient information. The question for each one is the same. Does the vendor sign a BAA?
Many don’t. Not at their default tiers. That includes most general-purpose email marketing tools, most course delivery platforms, most landing page builders, most analytics platforms, and many of the everyday SaaS tools you might assume are fine.
The practical move: search the vendor’s website for “BAA” or “HIPAA” before signing up. If there’s nothing there, the answer is usually no.
Real case: $25,000 fine for testimonials. In February 2016, the Office for Civil Rights settled with a Florida physical therapy practice for $25,000 over patient testimonials posted on the practice’s website. Full names. Full-face photographs. No HIPAA-compliant authorization obtained. The practice was small. The marketing was the kind many practices do without thinking. The fine was real.
Real case: $182,000 for “success stories.” In September 2025, the Office for Civil Rights settled with a chain of skilled nursing and rehab facilities for $182,000. The violation: posting patient “success stories” with names, photos, and treatment details on the company’s website and social media. The investigation found 150 patients featured this way without proper authorization.
Four Questions Before You Send Anything
Before any marketing communication goes out, run it through these. They sort the easy situations from the ones that need a closer look.
One: Is anyone outside my practice paying me to send this?
Direct payment, commission, affiliate fee, dispensary markup, sponsorship, free product, discount codes that earn you a cut. All of it counts. If a third party whose product is being mentioned has any financial relationship with you, the communication is almost certainly third-party-paid marketing under HIPAA, and patient permission is generally required before sending it to a patient list.
This is the question that catches the most problems. It applies even when the message feels educational. Even when you genuinely believe in the product. Even when the payment is small.
Two: Am I using information a patient shared with me to target this message?
If you pulled a patient’s name, email, or condition from your records to send them a specific message, that’s using protected information for marketing. You generally need their permission for this even when the message is from you and about your own services.
One important exception: you can use patient contact information to communicate about their own care or treatment. A reminder about their next appointment isn’t marketing. A pitch for a new package you’re launching is.
Three: Will this go to someone I have a clinical relationship with?
If you’re communicating with someone who is your patient, the rules are stricter than if you’re communicating with the general public. Your website, your podcast, your speaking engagements, a newsletter people signed up for through a public form: that’s public marketing, and it operates with much more freedom. Anything aimed at people because they are or were your patients is direct-to-patient marketing, and the rules tighten.
A simple test: if a stranger could have signed up for this email by visiting your website, you’re doing public marketing. If you’re sending to people because they’re your patients, the rules are different.
Four: Are the tools I’m using actually allowed to handle patient information?
Every platform that touches patient information needs a BAA on file before patient data flows through it. Your CRM, email marketing platform, scheduler, intake forms, course platform if patients access it, analytics tools, any chatbot or AI assistant that might encounter patient questions.
Most popular small-business marketing tools don’t sign BAAs at their default tiers. Some healthcare-specific alternatives do. To find out: search the vendor’s website for “BAA” or “HIPAA.” If they offer one, they’ll usually have a page about it. If there’s nothing, contact support and ask directly. If the answer is no or vague, the tool isn’t suitable for patient information.
The fix is either to migrate to a platform that will sign a BAA, or to keep marketing communications on a list that contains no current or former patients at all.
What This Looks Like in Practice
Newsletters and email lists
If people opted in publicly, this is almost always fine. Keep the patient list and the public list separate in your software. The same person can be on both, but the system should treat the two relationships separately. A list seeded only from a website opt-in form is far less restricted than one seeded from intake forms.
If your list is currently mixed: tag every contact whose email entered the system through clinical intake or scheduling. Then either move them to a separate list or send marketing communications only to the contacts whose emails came in through public opt-ins.
Testimonials and patient stories
Written permission is required before using a patient’s name, photo, story, or even a recognizable description in marketing. A patient saying in person that they loved the work is not the same as permission to use their words in a marketing email. The permission form needs to be specific: what information will be used, where it will appear, who will see it, an expiration date, and the patient’s right to revoke. A general media release isn’t enough.
Social media
Posts about your services to a public audience? Fine without patient permission. Reposting patient stories, before-and-after content, or anything specific about a real patient? Written permission first. Don’t post about a patient’s visit, even without their name, if details like the city, the condition, or the timing could let someone identify them.
Affiliate links and sponsored content
If a brand pays you to mention their product, two sets of rules apply: HIPAA’s third-party-paid marketing rules (when the audience includes patients) and the FTC’s endorsement disclosure rules (always). Patient permission may be required. The financial relationship has to be clearly disclosed regardless.
Clear disclosure means visible without scrolling, in plain language, before the recommendation itself. “#ad” alone usually doesn’t qualify. “Paid partnership with [brand]” at the top of a post does.
Supplement dispensaries and lab markups
Face-to-face recommendations in your office are exempt. Email and text follow-ups, automated refill reminders, recommendation emails sent after the visit: those aren’t, when third-party payment is involved. Most virtual dispensary platforms send communications that fall in the second category, often without you realizing it.
The audit move: log into the platform’s settings, review the automated communication templates, and identify what gets sent to patients on your behalf.
Joint launches and summit promotions
If your email list contains current or former patients and there’s any payment from the host or partner, you’re doing third-party-paid marketing to your patient list. Either get patient permission first, or send only to a list of public opt-ins.
Group programs and challenges
Inviting your patient list to a paid program you’re running is direct-to-patient marketing. It needs to follow the patient permission rules unless the program is genuinely part of their care plan. When in doubt, get an opt-in.
Website tracking pixels and analytics
If your practice website has tracking scripts from social media or analytics providers, those tools may be sending patient information to outside companies. The risk is highest on patient portals, intake forms, appointment booking pages, and pages about specific health conditions.
In June 2024, a federal court narrowed the Office for Civil Rights’ interpretation of these rules. What remains: tracking on authenticated pages and patient portals is squarely covered, and state attorneys general continue to enforce against tracking that exposes patient information to third parties.
To audit your website: open it in a browser and either use a free extension that lists the third-party scripts running on the page, or watch the developer tools Network panel for requests going to hosts other than your own. Pay extra attention to booking pages, intake forms, patient portals, and condition-specific pages.
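The same inventory can be done from a saved copy of the page’s HTML, which is useful when you want to check many pages or repeat the audit each year. The script below is an added example, not code from this guide or from any vendor: it parses the HTML, lists every script, frame, image or link that loads from a host other than your own, labels the two vendors named in the New York-Presbyterian case, and also catches the Meta Pixel and Google tag installers when they are pasted inline (they usually are, so there is no src attribute to inspect). The vendor map and the sample booking page are constructed for illustration; extend the map with whatever your own audit turns up.

```python
"""Inventory third-party scripts, frames and image beacons in a page's HTML.

Added example for the website-tracking audit described in the article. The
vendor map and SAMPLE_HTML are constructed for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain suffixes of the two vendors named in the article's NY-Presbyterian
# case. Assumption: illustrative, not an exhaustive tracker list.
KNOWN_TRACKERS = {
    "facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "googletagmanager.com": "Google Analytics / Tag Manager",
    "google-analytics.com": "Google Analytics / Tag Manager",
}

# Markers that betray the same vendors when the snippet is pasted inline
# (the Pixel and gtag installers usually are, so there is no src to inspect).
INLINE_MARKERS = {
    "fbq(": "Meta Pixel",
    "connect.facebook.net": "Meta Pixel",
    "gtag(": "Google Analytics / Tag Manager",
    "googletagmanager.com": "Google Analytics / Tag Manager",
}

# Which attribute carries the loaded URL for each element type we care about.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def identify_vendor(host: str) -> str:
    """Map a hostname to a known tracker label, else 'unknown third party'."""
    for suffix, vendor in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return "unknown third party"


class _ResourceCollector(HTMLParser):
    """Collect external resource URLs and the bodies of inline <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[tuple[str, str]] = []  # (tag, url)
        self.inline_scripts: list[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        url_attr = RESOURCE_ATTRS.get(tag)
        if url_attr and attr.get(url_attr):
            self.resources.append((tag, attr[url_attr]))
        # A <script> with no src has its code between the tags.
        self._in_inline_script = tag == "script" and not attr.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data)


def audit_page(html: str, page_url: str) -> list[dict]:
    """Return one finding per third-party load or inline tracker snippet.

    Same-origin and relative URLs are skipped: they send nothing to an outside
    company. Everything else is reported, known vendor or not, because an
    unknown third-party host is exactly what you need to go look up.
    """
    first_party = urlparse(page_url).hostname
    collector = _ResourceCollector()
    collector.feed(html)
    findings: list[dict] = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if not host or host == first_party:
            continue
        findings.append({"where": tag, "evidence": host, "vendor": identify_vendor(host)})
    for body in collector.inline_scripts:
        seen: set[str] = set()
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body and vendor not in seen:
                seen.add(vendor)
                findings.append({"where": "inline script", "evidence": marker, "vendor": vendor})
    return findings


# Constructed sample: a booking page with GA4 via gtag.js, an inline Meta
# Pixel installer and its <noscript> image beacon, plus first-party assets.
SAMPLE_HTML = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-0000000000');
</script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<h1>Book an appointment</h1>
<form action="/book" method="post"><input name="reason"></form>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<img src="/img/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "https://example-clinic.test/book"):
        print(f"{f['where']:<14} {f['evidence']:<28} {f['vendor']}")
```

Run it against the HTML of each booking, intake, portal and condition page (save the page source from the browser, or fetch it with a logged-in session for authenticated pages). Anything reported as “unknown third party” is a vendor you need to identify and either cover with a BAA or remove from pages that handle patient information.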
What You Actually Need in Place
Three things, in order of importance.
1. A separation between your patient list and your public list. Your scheduling software, practice management system, or CRM should treat these as different relationships. The same person can appear on both. The software should know which permissions apply to which list. If everything currently lives on a single mixed list, the first move is to tag every contact whose information entered through clinical intake versus public sign-up.
2. Written permission templates for the situations that need them. Testimonials. Sponsored content. Anything where a third party is paying you. Anything where you’re using patient information to target a specific message. These should be standard forms, kept on file, and they should clearly disclose any payment involved. Federal HIPAA authorization forms have specific required elements: what information is used, who’s using it, for what purpose, an expiration, and the right to revoke. A general media release doesn’t meet the requirement.
3. An audit of every tool that touches patient information. “Touches” means any tool that stores, processes, displays, or transmits patient information. Names, emails, phone numbers, appointment data, intake responses, payment data, call recordings. For each tool, either confirm a signed BAA is on file with the vendor, or move that activity to a platform that will sign one, or remove patient information from the workflow entirely.
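The list separation in item 1, and the tagging step described earlier under “Newsletters and email lists”, can be enforced mechanically before every send rather than remembered each time. The script below is an added example, not code from this guide or from any CRM or email platform. It tags each contact by the path its address entered the system, lets a public campaign go only to public opt-ins, and lets a campaign aimed at patients go only to patients whose authorization on file is unexpired, unrevoked and, for a third-party-paid send, states that payment is involved. The source names, field names and sample contacts are assumptions made for the example; map them onto whatever your own export actually contains.

```python
"""Route one marketing send against a mixed contact export.

Added example for the patient-list / public-list separation the article asks
for. Source tags, field names and CONTACTS are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: how each contact record is tagged by your scheduler or CRM.
PATIENT_SOURCES = {"intake_form", "scheduler", "chart_import"}
PUBLIC_SOURCES = {"website_optin", "lead_magnet", "webinar_signup"}


@dataclass
class Authorization:
    """The elements of a marketing authorization the article lists."""
    signed: date
    expires: date
    revoked: bool = False
    discloses_payment: bool = False   # required when a third party pays


@dataclass
class Contact:
    email: str
    sources: set[str]                 # every path this address came in by
    authorization: Authorization | None = None


@dataclass
class Campaign:
    name: str
    audience: str                     # "public" or "patients"
    third_party_paid: bool
    send_date: date


def is_patient(contact: Contact) -> bool:
    return bool(contact.sources & PATIENT_SOURCES)


def has_public_optin(contact: Contact) -> bool:
    return bool(contact.sources & PUBLIC_SOURCES)


def authorization_problem(contact: Contact, campaign: Campaign) -> str | None:
    """Why this contact's authorization does not cover the send, or None."""
    auth = contact.authorization
    if auth is None:
        return "no marketing authorization on file"
    if auth.revoked:
        return "authorization revoked"
    if not (auth.signed <= campaign.send_date <= auth.expires):
        return "authorization expired or not yet in effect"
    if campaign.third_party_paid and not auth.discloses_payment:
        return "authorization does not disclose third-party payment"
    return None


def route(campaign: Campaign, contacts: list[Contact]) -> tuple[list[str], dict[str, str]]:
    """Split contacts into (cleared to send, {email: reason held})."""
    cleared: list[str] = []
    held: dict[str, str] = {}
    for c in contacts:
        if campaign.audience == "public":
            # A public send is fine for anyone who could have signed up from
            # the website, patient or not. Intake-only contacts are held.
            if has_public_optin(c):
                cleared.append(c.email)
            else:
                held[c.email] = "entered only through clinical intake; not a public opt-in"
        else:
            # Direct-to-patient marketing: a valid authorization is required.
            if not is_patient(c):
                held[c.email] = "not a patient; does not belong on this list"
                continue
            problem = authorization_problem(c, campaign)
            if problem is None:
                cleared.append(c.email)
            else:
                held[c.email] = problem
    return cleared, held


# Constructed sample export: one public opt-in, one intake-only contact with no
# authorization, one mixed-source contact, one expired, one paid-disclosure,
# one revoked.
D = date
CONTACTS = [
    Contact("alice@example.test", {"website_optin"}),
    Contact("bob@example.test", {"intake_form"}),
    Contact("carol@example.test", {"intake_form", "website_optin"},
            Authorization(D(2026, 1, 10), D(2027, 1, 10))),
    Contact("dan@example.test", {"scheduler"},
            Authorization(D(2025, 1, 1), D(2026, 1, 1))),
    Contact("erin@example.test", {"intake_form"},
            Authorization(D(2026, 1, 10), D(2027, 1, 10), discloses_payment=True)),
    Contact("frank@example.test", {"intake_form"},
            Authorization(D(2026, 1, 10), D(2027, 1, 10), revoked=True)),
]

NEWSLETTER = Campaign("Monthly newsletter", "public", False, D(2026, 6, 1))
SUMMIT_PROMO = Campaign("Summit promo (revenue share)", "patients", True, D(2026, 6, 1))
OWN_PACKAGE = Campaign("New group program", "patients", False, D(2026, 6, 1))

if __name__ == "__main__":
    for campaign in (NEWSLETTER, SUMMIT_PROMO, OWN_PACKAGE):
        cleared, held = route(campaign, CONTACTS)
        print(f"{campaign.name}: send to {cleared}")
        for email, reason in held.items():
            print(f"  hold {email}: {reason}")
```

The held list is the useful output: each reason tells you which structural fix applies (move the contact to the right list, obtain an authorization, or refresh an expired one) instead of silently dropping the address.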
If you can only do one thing this month
Audit your email marketing platform. It’s usually the highest-risk tool in a small practice’s stack because it typically holds the largest list of patient contact information and is the most common path for marketing communications that need authorization. Confirm whether the platform will sign a BAA. If not, decide whether to migrate or keep that platform for non-patient marketing only.
What not to overcorrect on
If you’ve just read through all of this, you might be tempted to pull back hard. Shut down the newsletter. Remove the website tracking. Stop the dispensary. Decline every brand partnership.
That overcorrection isn’t necessary, and it isn’t the goal.
The goal is to know what’s what, route each activity through the right rules, and put structures in place so you can keep marketing without exposure. Most practitioners reading this are already doing many things correctly without realizing it. The work is to identify the specific gaps, fix those, and leave the rest of your marketing intact.
A Closer Look at Marketing Platforms
Two platforms come up constantly in practitioner conversations, and they’re worth understanding clearly: HighLevel and FG Funnels. They share underlying technology but sit at opposite ends of the HIPAA spectrum.
HighLevel
HighLevel offers a HIPAA Security add-on at $297 per month, which includes a signed BAA, encryption at rest, multi-factor authentication enforcement, and audit logging. Once purchased, HIPAA mode applies at the agency level and can’t be deactivated. The add-on must then be enabled on each individual sub-account that will handle patient information.
The add-on is the floor, not the ceiling. None of the gaps below make HighLevel unusable for healthcare. They mean that if you want to use HighLevel for patient-facing work, deliberate configuration and workarounds are required: external HIPAA-compliant form services that pass only non-patient data into HighLevel, separate secure portals for clinical document exchange, custom code that gates file uploads behind authentication, and disciplined workflow design that keeps patient information out of the modules HighLevel doesn’t cover. Some HighLevel agencies specialize in this kind of healthcare configuration and serve practitioner clients on properly-configured sub-accounts with their own BAA in place. (This is, plainly, the kind of work I do.)
HighLevel’s HIPAA add-on does not, on its own, make you HIPAA-compliant. You still have to handle Title II compliance on your side: training, risk assessments, written policies, breach response procedures, and BAAs with any practice clients downstream.
Most-cited limitations of HighLevel HIPAA mode:
- File uploads through forms can produce publicly accessible URLs not protected by authentication
- Agencies must purchase HIPAA at the agency level even if only one sub-account needs it
- Several integrations aren’t covered by the BAA, including Voice AI, Conversation AI, the Social Planner, the WordPress integration, and most third-party automation tools (Zapier, Make, Pabbly Connect)
- Mobile app HIPAA coverage is limited to Conversations, Calendars, and Contacts
- Custom encryption keys and custom data retention policies aren’t available
Questions to ask (whether the HighLevel account is one you bought yourself or one an agency runs for you):
- Has the HIPAA Security add-on actually been purchased and is it active on the specific account or sub-account I’d be using?
- Is there a signed BAA, and from whom: HighLevel directly, or the agency hosting the sub-account?
- Which specific features have been configured for HIPAA, and which are excluded?
- How are file uploads, AI features, and external integrations being handled?
- Who is responsible for my practice’s own Title II compliance: training, written policies, breach response?
FG Funnels
FG Funnels is built on the same underlying technology as HighLevel, but Funnel Gorgeous has chosen not to offer HIPAA-eligible service. Their official position is unambiguous: FG Funnels is not HIPAA compliant and will not sign a BAA. No add-on. No upgrade path.
This doesn’t make FG Funnels useless for you. It means FG Funnels can be used for the parts of your marketing that don’t touch patient information: a public newsletter where the list is built from website opt-ins only, a course or community for non-patient audiences, social media scheduling, lead magnet delivery to people who haven’t yet become patients. It can’t be used for anything that involves communicating with current or former patients about their care, or any communication where the audience contains identifiable patients.
If your practice currently uses FG Funnels and your list contains current or former patients, the practical move is to migrate that list to a HIPAA-eligible platform (one that signs a BAA), keep FG Funnels for genuinely public marketing, and treat the two as separate systems.
The principle these two platforms illustrate: marketing platforms vary widely in HIPAA eligibility, and none of them make you compliant on their own. The platform either signs a BAA or it doesn’t. You still have to do your own compliance work either way.
Common Pushback (and What’s True)
“I’m too small to be on anyone’s radar.”
Size matters less than the type of complaint. Federal cases against solo practitioners are rare. But state attorneys general, the FTC, and individual patients (through state lawsuits) act on patient complaints regardless of practice size. A patient complaint or a competitor’s tip is what triggers most actions, not active scanning by federal agencies.
“Other people in my niche do this all the time.”
Often true. Also irrelevant. Widespread practice doesn’t make it legal. The dietitians named in the FTC sweep were doing what was normal in their space until the day it wasn’t.
“My patients have never complained.”
A patient typically doesn’t know to complain until they discover the issue, which usually happens when something else goes wrong: a breach, a news story, a personal life event that makes them care about privacy. Quiet acceptance is not the same as informed consent.
“I can’t afford a healthcare-specific platform.”
The cost gap is real, and you don’t necessarily need to migrate everything. The minimum viable structure: a HIPAA-eligible tool (with a signed BAA) for anything that handles patient information, and any general marketing tool for content sent only to a public list. That separation can usually be achieved without major spending if you’re thoughtful about which list goes where.
“This is too much to figure out alone.”
For many practices, it is. The path forward is usually some combination of a healthcare compliance attorney for the legal questions, a practice infrastructure consultant for the systems work, and a properly-configured platform stack for the day-to-day.
Where to Go From Here
Most HIPAA marketing problems don’t come from bad intent. They come from busy practitioners who built their marketing the way every other small business does, without realizing healthcare operates by different rules. The structures that look normal in coaching, e-commerce, or other online business spaces become exposure points the moment patient information is involved.
If you’ve read this far, you have enough to know whether your current setup is clearly fine, clearly needs work, or somewhere in between.
If everything here felt familiar and you’re already doing it: you’re ahead of most practices. Revisit the audit each year, as platforms change their HIPAA policies, new tools enter the stack, and your marketing evolves.
If you noticed one or two specific gaps: start with the email marketing platform audit. Address one item at a time. It’s more manageable than it looks when broken into specific platform decisions.
If most of this is new and the gaps feel large: don’t try to fix everything at once. Start with a written list of every tool currently in use that touches patient information. That list alone is the foundation for every other decision.
If you want help figuring out which bucket you’re in: this kind of practice infrastructure assessment is part of the work I do with clients. The starting point is a conversation about what’s already in place and what’s actually at risk.
The point of this guide isn’t perfection. It’s clarity, then movement. Knowing what you’re working with is most of the work.
Sources
Cases referenced
- New York-Presbyterian Hospital, $300,000, December 2023. New York Attorney General press release.
- FTC warning letters to dietitians and influencers, November 2023. Federal Trade Commission press release.
- Complete P.T., Pool & Land Physical Therapy, $25,000, February 2016. HHS Office for Civil Rights resolution agreement.
- Cadia Healthcare Facilities, $182,000, September 2025. HHS Office for Civil Rights press release.
Underlying rules and law
- HIPAA Privacy Rule, marketing definition. 45 CFR 164.501.
- HIPAA Privacy Rule, authorization for marketing. 45 CFR 164.508.
- HHS Office for Civil Rights guidance on refill reminders and similar communications. hhs.gov.
- OCR and FTC joint warning to hospitals and telehealth providers on online tracking technologies, July 2023. ftc.gov press release.
- FTC Endorsement Guides. ftc.gov disclosures guide.
Platform documentation
- HighLevel HIPAA compliance support article. help.gohighlevel.com.
- HighLevel security and compliance overview. help.gohighlevel.com.
- HighLevel public ideas portal, HIPAA topic. ideas.gohighlevel.com.
- FG Funnels HIPAA compliance support article. support.fgfunnels.com.
This guide is educational. It is not legal advice and does not create any attorney-client or consulting relationship. The information here describes federal HIPAA rules in general terms and does not address the full scope of state laws, the federal Anti-Kickback Statute, FTC obligations, professional licensing rules, or the specific facts of any particular practice. Platform features, vendor policies, and federal rulemaking change over time. The HighLevel and FG Funnels details described here reflect publicly available platform documentation as of May 2026. Verify current platform terms before relying on them. For decisions affecting your practice, work with a qualified healthcare compliance attorney who can review your specific situation.