Question: I’m a little confused about how to advertise a service that is specific to our practice without falling afoul of the HIPAA Privacy Rule. Are there any exceptions that apply to marketing what makes our practice different from others in the area?

Codify Subscriber

Answer: Understanding which aspects of marketing could put you at risk of noncompliance is crucial to good business. You’re already very familiar with the Privacy Rule components of HIPAA, but you’re also trying to make sure that your business stays profitable, which usually involves some aspect of trying to recruit new patients and retain established patients. The language your practice uses in these endeavors matters, especially in marketing materials, and you must understand what constitutes appropriate language for marketing materials to patients, as well as what is OK in terms of marketing data and other information to covered entities.

Patients may be used to signing away their information in nonhealthcare settings, like when downloading a new app or using a social media platform. You may ask patients to sign a waiver that ensures that they’re OK with certain practices, but it’s helpful to know exactly which types of communications may cross the line into noncompliance or illegality.

For example, when it comes to marketing, talking about a product or service (regardless of whether you’re speaking or you have written materials) or encouraging a patient to purchase or use that product or service is probably a no-no, unless the product or service is directly related to that particular patient’s treatment. The Code of Federal Regulations Title 45 – Public Welfare has the specific definitions — along with three categories of marketing that it exempts explicitly, treatment included — but the application is pretty common sense.

“If a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of ‘marketing,’ the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information,” says the HHS Office of the Inspector General (OIG).