Today’s blog post comes from compliance expert Tom Ambury of PT Compliance Group and WebPT writer Erica Cohen.

Before you get too far into your plans to beef up your clinic’s sales and marketing efforts, remember that you’re a healthcare provider first, which means you’ve got some HIPAA hoops to jump through (ahem, rules to follow) that the small business owner down the street probably doesn’t have to worry about. Before we get into that, though, let’s establish a bit of background.


In 1996, Congress established the Health Information Portability and Accountability Act (HIPAA) in part to ensure patients’ health information remained private and protected. As such, under HIPAA’s Privacy Rule, Covered Entities and their Business Associates can only handle a patient’s protected health information (PHI) if doing so furthers the patient’s care.

Then, along came the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which, according to legal firm Duane Morris, “strengthen[ed] these protections by implementing new requirements on the use and disclosure of PHI for marketing and sale purposes.” As of September 23, 2013—the deadline for complying with these updates—patients must provide authorization before a Covered Entity or Business Associate may use or disclose patients’ protected health information for marketing or sales.

Now, chances are you’ve already been complying with these requirements; but just in case you need a bit of a refresher, let’s take another look. After all, penalties for noncompliance can be severe.

What Constitutes Marketing?

According to the Department of Health and Human Services (HHS), the Privacy Rule defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” However, here, the HHS acknowledges that there may very well be overlap “between a marketing communication and a communication for a treatment or health care purpose.” Thus, the Privacy Rule includes exceptions for communications that relate to a patient’s current care, including treatment alternatives and other benefits.

Duane Morris writes that the “2013 Amendments significantly modify the existing HIPAA rules to require that if there is financial remuneration related to the communication...then even treatment- or operations-related communications constitute marketing.” In other words, if you, the provider, are receiving any financial benefit from the third party whose product or service you’re promoting, it’s automatically considered marketing; and as such, you must disclose the remuneration and obtain patient authorization. That is, unless the communication:

  • takes place in person (“face-to-face”).
  • occurs in the form of a “promotional gift of nominal value.” (HHS uses the example of a hospital providing a “free package of formula and other baby products to new mothers as they leave the maternity ward.”)
  • relates to refill reminders for a drug or biologic that the patient is already using (as long as the remuneration is “reasonably related to the costs of the communication”).

So What’s a PT To Do?

Obtain patient authorization before marketing something for which you receive financial remuneration—and be sure to disclose said remuneration in your authorization form. According to Deborah Crandall, JD, in this PT in Motion article, these new authorizations make it unnecessary to include “notice-requirement language informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services in cases when the provider receives financial remuneration from a third party.” Additionally, Crandall says that because you’re obtaining individual authorization, you no longer need to provide notice to patients regarding their opt-out rights.

What About Sales?

The good news is that rules regarding the sale of PHI are much simpler. In short, Duane Morris writes that Covered Entities and Business Associates may not share PHI for financial or “in-kind” remuneration unless the patient provides prior authorization. Now, true to standard HIPAA form, there are several exceptions to this rule. For example, it is not a “sale” if the disclosure is:

  • for the purpose of public health
  • for HIPAA-covered research, as long as “the payment is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI”
  • related to treatment and payment
  • required by law

For more on the finer points of sales and marketing under HIPAA, check out Duane Morris’s post in full here, or go right to the Final Rule source.

Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts, but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or healthcare attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.
