The HIPAA marketing field guide for medical practices.
Healthcare marketing is the most regulated marketing surface in the United States, and most agencies write about HIPAA without legal review.
This is the field guide we wrote because no one else in the category has. It covers the eight HIPAA-adjacent surfaces a healthcare marketing program actually touches: Business Associate Agreements, tracking technology, conversion tracking, email, SMS, reviews and testimonials, patient photography, and AI-generated content. Each section is a pillar of its own with a deeper cluster article that drills into the operational specifics; the slugs below link to those clusters as we publish them.
Three things to know before reading. First, this is operational HIPAA, not legal advice. Implementing the patterns here is the right starting posture; an actual BAA review and an actual privacy-officer sign-off are still required for your specific stack. Second, every claim is anchored to a primary source: HHS Office for Civil Rights publications, the Federal Trade Commission’s Health Breach Notification Rule, the 2022 OCR tracking-technology bulletin and its 2024 reaffirmation, the 2024 American Hospital Association tracking-tech litigation summary, and the underlying CFR sections. Third, this guide will be reviewed by a named healthcare attorney, and the reviewer attribution will appear here at the top of the article and in the page’s schema once the review is complete. We are publishing the unattributed draft now and updating the schema with reviewer credentials within thirty days.
The eight surfaces.
Business Associate Agreements (BAAs).
Every vendor that touches protected health information needs a signed Business Associate Agreement under 45 CFR §164.502(e), with the required contract terms spelled out in §164.504(e). Most marketing agencies don’t qualify because they don’t touch PHI; some do (form vendors, SMS platforms, video-call tools). The compliant posture is to architect the vendor stack so that PHI never reaches non-BAA-covered systems.
A vendor is a Business Associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity. Marketing agencies that produce ads, manage campaigns, or report on aggregate performance generally don’t need a BAA, because they don’t see PHI. The lines blur with form vendors, scheduling systems, SMS platforms, and call recording. When a vendor will see PHI, it needs a BAA before any data flows. Most consumer SaaS tools do not offer BAAs at any tier; some (HubSpot Healthcare, Zendesk Healthcare, Calendly enterprise, Twilio with HIPAA-eligible configuration) do at higher tiers. The decision tree: identify each vendor, identify what data they actually receive, push for the most restrictive configuration that achieves the goal, sign a BAA where one is required, and document the call.
Tracking technologies (Pixel, GA4, conversion tags).
HHS OCR’s 2022 tracking-technology bulletin (reaffirmed 2024) classifies many standard analytics deployments as PHI disclosures when the page is patient-facing. The compliant posture is server-side conversion tracking with PHI stripped before transmission; a strict allowlist of events; and zero deployment of Pixel or third-party tags on logged-in patient surfaces.
Meta Pixel, GA4, Google Ads conversion tags, and similar tracking technologies often capture URL parameters, form-field values, IP address, user-agent, and behavioral data. When that data combines with health-related context (page URL, query string, condition-specific landing page), HHS’s position is that the combination constitutes a PHI disclosure. One caveat a practitioner should know: in June 2024 a federal court in Texas (AHA v. Becerra) vacated the portion of the bulletin that treated an IP address plus a visit to an unauthenticated health-related page as PHI on its own; authenticated pages, and any page where the visitor supplies identifiable information (a form, a login, an appointment request), remain squarely covered, and the FTC Health Breach Notification Rule and state privacy laws reach the same deployments. Since Meta and Google do not offer BAAs for ads-platform pixel data, deployment of these technologies on patient-facing surfaces creates exposure that has produced 250+ class-action settlements since 2024 (American Hospital Association tracking-tech litigation summary; HHS OCR enforcement ledger for the regulatory side). The compliant configuration: a server-side gateway that strips identifiers before forwarding events, conversion events fired only on non-PHI completion, no Pixel on logged-in patient portals, and a clear data-handling addendum visible in the site’s privacy notice.
Google Ads conversion tracking.
Google does not offer a BAA for Google Ads. Conversion tracking can be configured compliantly using offline conversion imports and server-side enhanced conversions that hash and strip PHI before transmission, but only with deliberate architecture.
Standard Google Ads conversion tracking sends URL parameters and form-field data to Google’s servers. Because Google has no BAA for Google Ads, transmission of PHI through this path is non-compliant. Two compliant configurations exist. First, offline conversion uploads: conversion events are recorded server-side, PHI is stripped, and only the click ID and a non-PHI conversion category are uploaded. Second, server-side enhanced conversions with hashed identifiers: the gateway sends Google a SHA-256 hash of a normalized email or phone number. Be clear about what that buys. The hash is deterministic, so Google matches it against the same hash of its own signed-in users; that matching is the feature’s purpose. A deterministic hash is therefore a persistent pseudonymous identifier, not de-identification under 45 CFR §164.514, and whether sending it alongside a conversion from a health-related page is a PHI disclosure varies by counsel. The offline-conversion approach is more defensible. Either way, conversion definitions should be category-only ('appointment booked' rather than 'orthopedic appointment for back pain'), and Smart Bidding should optimize against value rather than diagnosis.
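The gateway described in the tracking-technology and Google Ads sections above, as an added worked example that is not code from this guide or from Google: it allowlists category-level events, forwards only the stored click ID, timestamp and value, and drops the URL, IP, user-agent and every form field. It also shows why the hashed-identifier path is a persistent identifier rather than de-identification: two spellings of the same address produce the same digest. The collector event shape, the field names, and the sample events are constructed assumptions; Google’s actual upload formats add more fields than shown here.

```python
"""Server-side conversion gateway: allowlist, strip, and forward.

Added example, not the guide's own code. The incoming event shape
(`raw`) is an assumed shape for a first-party collector; the output
is a minimal offline-conversion record keyed on the stored click ID.
"""
import hashlib
from urllib.parse import parse_qs, urlsplit

# Only category-level conversion names may leave the practice. Anything
# diagnosis-specific ("back_pain_appointment") is rejected, not renamed.
ALLOWED_EVENTS = {"appointment_booked", "contact_form_submitted", "call_initiated"}

# Google click identifiers that may appear on the landing URL.
CLICK_ID_PARAMS = ("gclid", "wbraid", "gbraid")

# Everything the forwarded record is allowed to contain, and nothing else.
FORWARD_KEYS = {"event", "conversion_time", "value", "currency"} | set(CLICK_ID_PARAMS)


def extract_click_id(landing_url: str):
    """Pull the click ID out of the stored landing URL and discard the rest.

    The path and the other query parameters are where condition names,
    member IDs and appointment details leak, so they are never returned.
    """
    query = parse_qs(urlsplit(landing_url).query)
    for name in CLICK_ID_PARAMS:
        if name in query and query[name]:
            return name, query[name][0]
    return None, None


def sanitize_event(raw: dict):
    """Return the forwardable record, or None if the event must not leave."""
    event = raw.get("event")
    if event not in ALLOWED_EVENTS:
        return None
    param, click_id = extract_click_id(raw.get("landing_url", ""))
    if click_id is None:
        # Nothing to attribute. Do not fall back to IP/user-agent matching.
        return None
    record = {
        "event": event,
        param: click_id,
        "conversion_time": raw["timestamp"],
        "value": float(raw.get("value", 0.0)),
        "currency": "USD",
    }
    # Defensive invariant: no IP, user-agent, URL or form data can be present.
    assert set(record) <= FORWARD_KEYS
    return record


def hash_identifier(email: str) -> str:
    """SHA-256 of a normalized email, the shape enhanced conversions expect.

    Deterministic by design: the same address always yields the same digest,
    which is exactly why it is a matchable identifier and not de-identification.
    """
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Constructed sample: a booking from a condition-specific landing page, with
# the kind of envelope a naive collector would attach.
SAMPLE_EVENT = {
    "event": "appointment_booked",
    "landing_url": "https://clinic.example/conditions/back-pain?gclid=TeSt123&utm_term=herniated+disc",
    "timestamp": "2026-05-01T14:03:00Z",
    "value": "150",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0",
    "form_fields": {"name": "Jane Doe", "reason": "MRI shows torn meniscus"},
}

# Constructed sample: a diagnosis-specific event name that must be refused.
REJECTED_EVENT = dict(SAMPLE_EVENT, event="orthopedic_back_pain_booked")

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
    print(sanitize_event(REJECTED_EVENT))
    print(hash_identifier("Jane.Doe@Example.com") == hash_identifier(" jane.doe@example.com "))
```

The allowlist is the control, not the stripping: if the site can fire arbitrary event names, someone will eventually fire a diagnosis. Keep the click ID in first-party storage at landing time and pass it through this function at conversion time; never let the client compute the forwarded record.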
Email marketing platforms.
Mailchimp does not offer a BAA. ActiveCampaign does not offer a BAA. HubSpot offers a BAA only on its Enterprise tier with specific add-ons. Compliant posture either avoids PHI in email content entirely or runs marketing email through a BAA-covered platform.
Marketing email and patient-communication email are different surfaces with different rules. Marketing email (newsletters, educational content, event invites) does not contain PHI by design and does not require a BAA platform. Patient-communication email (appointment confirmations, results, treatment messages) does contain PHI and requires a BAA-covered platform with encryption-at-rest and audit logs. The compliance failure pattern is treating both as the same: practices send appointment-confirmation emails through Mailchimp because that’s where the marketing list lives, which sends PHI through a non-BAA platform. The right architecture: marketing email lives on the marketing platform with no PHI, and patient-communication email lives on the BAA-covered patient platform (Spruce, OhMD, Klara, NexHealth, or equivalent).
SMS for healthcare practices.
SMS is high-value and high-risk in healthcare. The compliant posture requires a BAA-covered SMS vendor (Twilio with HIPAA-eligible configuration, OhMD, Spruce, Klara, or similar), explicit patient consent at intake, content rules that avoid PHI in any non-patient-initiated message, and TCPA compliance on top of HIPAA compliance.
SMS hits both HIPAA and the Telephone Consumer Protection Act simultaneously. HIPAA controls what the message may contain (minimum necessary for reminders and other treatment messages; no PHI in a marketing message without a §164.508 authorization); TCPA controls when and how messages can be sent (prior express written consent for marketing texts; prior express consent, which a number given at intake can supply, for transactional texts such as reminders). Twilio offers a HIPAA-eligible configuration on its Programmable Messaging product when the right settings are enabled and a BAA is signed; standard Twilio is not HIPAA-eligible. Practice-management vendors like OhMD, Spruce, Klara, NexHealth, and Doxy.me ship HIPAA-eligible SMS as part of their core platform. The compliance failure pattern is using a marketing SMS platform (Attentive, Klaviyo, SimpleTexting) for patient appointment reminders. Marketing platforms generally do not offer BAAs.
Reviews, testimonials, and patient stories.
Patient testimonials require explicit written consent before publication, signed under 45 CFR §164.508. Responding to negative public reviews requires extreme care: even confirming that the reviewer was a patient is a HIPAA violation. The compliant response template never confirms identity, never describes care, and routes to a private channel for resolution.
Two distinct compliance surfaces. First, soliciting and publishing testimonials: the patient must sign a HIPAA-compliant authorization that specifies what content will be used, how it will be used, where, for how long, and the right to revoke. Most agency-supplied testimonial release forms are not HIPAA-compliant; many are generic media releases that don’t specify the regulatory framework. Second, responding to negative public reviews: even acknowledging that the reviewer was a patient violates HIPAA. The compliant response says, in substance: 'we take feedback seriously, we cannot discuss specific situations in this forum, please contact [practice manager email or phone] so we can address your concern directly.' Variations on this template are the only public response a practice should ever publish to a negative review.
Before/after photos and patient imagery.
Photographs of patients are PHI: full-face images are one of the eighteen HIPAA identifiers listed in 45 CFR §164.514(b), and cropped images remain PHI when tattoos, scars, jewelry, or context make the person identifiable. Publication requires a HIPAA-compliant photo-release authorization that specifies media, geography, and duration. Stock-style “model” photography is the safer default for non-actual-patient imagery in marketing.
Healthcare practices commonly publish before/after photos for medspa, dermatology, plastic surgery, dental cosmetic, weight-loss, and orthodontic work. The compliance baseline: a written, HIPAA-compliant photo release that names the practice, names the media (website, Instagram, paid ads), names the geography (United States, web-only, regional), names the duration (one year, perpetual, until revoked), and is countersigned by the patient and the practice. Generic model releases pulled from photography templates do not satisfy HIPAA. The right operational posture maintains a release tracker that ties each published image to its release on file, removes images on revocation, and uses model imagery (not actual patients) for stock-style hero photography. For practices with extensive photo programs, a quarterly compliance audit of published imagery against signed releases is the right cadence.
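The release tracker and quarterly audit described above, as an added worked example that is not code from this guide: each published image is checked against its release on file for the failure modes a reviewer actually finds (no release, revoked, expired, channel not covered by the authorization, missing practice countersignature, or published before the patient signed). The record shapes, the field names, and the sample data are constructed assumptions; adapt them to whatever the practice’s tracker already stores.

```python
"""Audit published patient imagery against signed HIPAA photo releases.

Added example, not the guide's own tooling. The Release and PublishedImage
shapes and the sample rows are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Release:
    release_id: str
    patient_ref: str              # internal chart reference, never a name, so the tracker itself holds minimal PHI
    media: frozenset              # channels named in the authorization, e.g. {"website", "instagram", "paid_ads"}
    geography: str                # as written in the authorization: "United States", "web-only", "regional"
    signed_on: date
    expires_on: Optional[date]    # None means perpetual / until revoked
    practice_countersigned: bool
    revoked_on: Optional[date] = None


@dataclass(frozen=True)
class PublishedImage:
    image_id: str
    channel: str                  # where it is live right now
    published_on: date
    release_id: Optional[str]     # None when nobody can find the paperwork


def audit_image(img: PublishedImage, releases: dict, today: date) -> Optional[str]:
    """Return the first finding for one image, or None if it is cleanly covered."""
    rel = releases.get(img.release_id) if img.release_id else None
    if rel is None:
        return "no_release_on_file"
    if not rel.practice_countersigned:
        return "not_countersigned"
    if rel.revoked_on is not None and rel.revoked_on <= today:
        return "release_revoked"
    if rel.expires_on is not None and rel.expires_on < today:
        return "release_expired"
    if img.channel not in rel.media:
        return "channel_not_authorized"
    if img.published_on < rel.signed_on:
        return "published_before_signature"
    return None


def audit(images, releases, today: date):
    """Run the quarterly check; returns {image_id: finding} for images to pull or re-paper."""
    by_id = {r.release_id: r for r in releases}
    findings = {}
    for img in images:
        finding = audit_image(img, by_id, today)
        if finding is not None:
            findings[img.image_id] = finding
    return findings


# Constructed sample data for a medspa's before/after program.
SAMPLE_RELEASES = [
    Release("R-1001", "chart-4471", frozenset({"website", "instagram"}), "web-only",
            date(2025, 1, 10), date(2026, 1, 10), True),
    Release("R-1002", "chart-2203", frozenset({"website"}), "United States",
            date(2025, 6, 1), None, True, revoked_on=date(2026, 3, 15)),
    Release("R-1003", "chart-9810", frozenset({"website", "instagram", "paid_ads"}), "United States",
            date(2025, 9, 20), None, True),
    Release("R-1004", "chart-1150", frozenset({"website"}), "web-only",
            date(2025, 11, 5), None, False),
]

SAMPLE_IMAGES = [
    PublishedImage("img-01", "website", date(2025, 2, 1), "R-1001"),    # release expired on 2026-01-10
    PublishedImage("img-02", "website", date(2025, 7, 1), "R-1002"),    # patient revoked
    PublishedImage("img-03", "paid_ads", date(2025, 10, 1), "R-1003"),  # clean
    PublishedImage("img-04", "instagram", date(2025, 12, 1), "R-1004"), # no countersignature, and Instagram not named
    PublishedImage("img-05", "website", date(2025, 8, 1), "R-1003"),    # published before the patient signed
    PublishedImage("img-06", "website", date(2024, 5, 1), None),        # nobody can find the release
]

AUDIT_DATE = date(2026, 4, 1)

if __name__ == "__main__":
    for image_id, finding in sorted(audit(SAMPLE_IMAGES, SAMPLE_RELEASES, AUDIT_DATE).items()):
        print(image_id, finding)
```

Order of checks matters: a revoked or unsigned release is reported before a channel mismatch so the finding that forces removal wins. Run it on the audit date, pull every flagged image the same day, and keep the output with the quarter’s compliance records.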
AI-generated content under HIPAA + E-E-A-T.
AI-generated healthcare content sits at the intersection of HIPAA (the input data cannot include PHI) and YMYL E-E-A-T (the output content needs medical-reviewer attribution to satisfy Google’s quality framework). The compliant posture: never train, fine-tune, or prompt AI with PHI; always have a credentialed medical reviewer attribute the output; treat AI as a draft-and-research tool, not a publish-and-forget tool.
Two failure modes are common. First, prompting an LLM with patient context (‘write a follow-up email to Mrs. Johnson, who came in for a knee MRI yesterday and is worried about a torn meniscus’) constitutes PHI disclosure to the LLM provider, which generally does not have a BAA. The compliant prompt strips identifiers and uses categorical placeholders. Second, publishing AI-drafted content under a faceless byline or no reviewer creates an E-E-A-T failure that Google’s 2024 Helpful Content Update is designed to demote. The compliant pattern: AI as a research and drafting layer, named human author with credentials on the byline, named medical or legal reviewer with credentials in the schema (`reviewedBy`) and visible on the page (“Reviewed by Dr. Smith, MD, board-certified dermatologist, on May 1, 2026”), and primary-source citations inline for any clinical claim.
The 30-day compliance reset.
If you are reading this and your practice is exposed on more than two of the eight surfaces above, the right posture is a 30-day compliance reset rather than panic. The order of operations: confirm BAAs are in place for every vendor that touches PHI (week 1); audit and remediate tracking technology on every patient-facing page (week 2); separate marketing email from patient-communication email and migrate the latter to a BAA-covered platform (week 3); document the photo-release and testimonial-release workflow and audit existing published imagery against signed releases (week 4). The 30-day reset will not eliminate exposure from prior years’ conduct, but it will materially reduce the surface area for new exposure and give the practice an audit-defensible posture from that point on.
Primary sources.
- HHS Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” December 2022, reaffirmed March 2024.
- 45 CFR §164.504(e), Business Associate Contracts.
- 45 CFR §164.508, Authorization for Uses and Disclosures of PHI.
- 45 CFR §164.510, Uses and Disclosures Requiring Opportunity to Agree.
- FTC Health Breach Notification Rule, 16 CFR §318, as amended in 2024.
- American Hospital Association, “Tracking Technology Litigation Summary,” 2024-2025 quarterly updates.
- HHS OCR enforcement ledger, public case database.
- LegitScript Healthcare Merchant Certification Standards, 2025-2026 edition.
This guide is for operational planning. It does not constitute legal advice and does not establish an attorney-client relationship. Have your privacy officer or external counsel review your specific stack before deployment.