Your Healthcare Client’s Patient Data Is Your Problem
In 2022, an Alabama dentist handed 5,384 patient names and addresses to his campaign manager and a marketing firm for political mailers and campaign emails. The result: a $62,500 fine from the HHS Office for Civil Rights and a two-year corrective action plan. The marketing firm that received that data was on the hook too.
If your agency handles healthcare clients, this is your problem. Yours.
HIPAA Compliance for Marketing Agencies
The Business Associate Trigger
Under 45 CFR 160.103, a business associate is any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. That includes marketing agencies.
The definition is function-based, not industry-based. If you run a healthcare client’s email campaigns, manage their CRM, build their intake forms, or handle their ad targeting, you are a business associate. It does not matter that your agency also handles restaurant clients.
7 Ways Agencies Touch PHI Without Realizing It
- Website contact forms that collect patient names, conditions, or appointment requests
- CRM records containing patient names, emails, and service history
- Email marketing lists built from patient databases
- Retargeting pixels that track users who visit condition-specific pages
- Social media management where patients message the practice account with health details
- Testimonial collection that captures patient names, photos, and treatment outcomes
- Review responses that confirm someone is a patient or reference their care
Every one of these triggers HIPAA obligations for your agency.
Real Fines for Marketing-Related Violations
$62,500 - Patient Data Used in a Political Campaign
Northcutt Dental in Fairhope, Alabama shared an Excel file containing 3,657 patient names and addresses with a campaign manager. An additional 1,727 patient email addresses went to a marketing company called Solutionreach for campaign emails. The dentist was running for state senate and used his patient list as a voter contact database.
OCR settled the case in April 2022 for $62,500 plus a corrective action plan. The HHS enforcement page is public record.
$50,000 - Responding to a Google Review with PHI
A dental practice in Charlotte, North Carolina responded to a pseudonymous Google review by disclosing the patient’s full name, dental condition, treatment details, and appointment history.
OCR told the practice to remove the response. The practice ignored the request and a data subpoena. OCR imposed a $50,000 civil monetary penalty under the willful neglect tier.
$30,000 - A Psychiatrist’s Google Review Replies
Manasa Health Center in Kendall Park, New Jersey disclosed the PHI of four patients in responses to negative Google reviews. The disclosed information included diagnoses and treatment details for mental health conditions.
OCR settled the case in October 2023 for $30,000 and a two-year corrective action plan. If your agency drafts review responses that confirm someone is a patient or reference their treatment, you are the one creating the violation.
What HIPAA Requires From Your Agency
The BAA (Non-Negotiable)
Before your agency touches any PHI, you need a signed Business Associate Agreement with every healthcare client. This is not optional. Under 45 CFR 164.502(e), a covered entity cannot share PHI with a business associate without one.
A BAA defines what PHI you can access, how you protect it, breach procedures, and your obligation to return or destroy data when the contract ends. Skipping it is one of the 7 BAA mistakes that lead to HIPAA fines.
Tracking Pixels, Retargeting, and the FTC Crackdown
In 2023, the FTC fined GoodRx $1.5 million and BetterHelp $7.8 million for sharing health data through tracking pixels with Facebook and Google. That same year, the FTC and HHS sent a joint warning letter to 130 hospital systems and telehealth providers about tracking technology risks.
If a user visits a page about “depression treatment†and that visit gets sent to Meta for retargeting, you have transmitted PHI to a third party without authorization. Under 45 CFR 164.508, using PHI for marketing requires written patient authorization. Retargeting ads based on health conditions do not qualify for any exception.
Patient Testimonials and Authorization Forms
Patient testimonials become PHI the moment they include a name, photo, or description of treatment. You need a signed HIPAA authorization form before publishing any testimonial, video, before-and-after photo, or case study.
The authorization must specify what information will be used, where it will appear, and the patient’s right to revoke consent. Generic intake paperwork does not meet this standard. See HIPAA authorization form requirements.
HIPAA Compliance Checklist for Marketing Agencies
- Sign a BAA with every healthcare client before accessing any patient data
- Audit tracking pixels on healthcare client websites and remove any that transmit health-related browsing data to third parties
- Collect signed HIPAA authorizations before using any patient testimonial, photo, review, or case study
- Train your team on what counts as PHI - names, emails, appointment dates, conditions, treatments, IP addresses linked to health pages
- Encrypt PHI in transit and at rest - email, cloud storage, CRM databases, shared drives
- Segregate healthcare client data from other client data in your CRM and project management tools
- Draft review response templates that never confirm a patient relationship or reference treatment
- Document everything - policies, training records, authorization forms, BAA copies, pixel audits
- Build a breach response plan - you have 60 days to notify affected individuals and HHS after a breach
- Review and update annually - HIPAA compliance is not a one-time project
For platform-specific rules, see HIPAA and social media compliance.
Frequently Asked Questions
Do marketing agencies need to be HIPAA compliant? Yes. Any agency that handles PHI on behalf of a healthcare provider is a business associate under HIPAA. This includes agencies managing email lists, CRM data, website forms, social media accounts, or ad campaigns for healthcare clients.
Can I use patient testimonials in healthcare marketing? Only with a signed HIPAA authorization. The authorization must specify what information will be disclosed, the purpose, and where it will be published. Verbal consent or a generic intake form signature does not satisfy this requirement. See HIPAA authorization form requirements.
What happens if my agency causes a HIPAA breach? Your agency is directly liable as a business associate. Fines range from $141 to $2,134,831 per violation depending on negligence level. Criminal penalties can reach $250,000 and 10 years imprisonment for intentional misuse. The $6.6 million in HIPAA fines in 2025 shows enforcement is increasing.
Are Google Analytics and Meta Pixel HIPAA compliant? Not by default. Neither Google nor Meta signs a BAA for their standard analytics and advertising products. If these tools capture data linkable to a health condition, they are transmitting PHI without authorization. Evaluate server-side tracking, anonymization, or HIPAA-compliant analytics alternatives.
Can I respond to negative reviews for a healthcare client? Yes, but the response cannot confirm or deny that the reviewer is a patient, reference treatment details, or disclose identifying information. Thank the reviewer, state a commitment to quality care, and invite offline contact. Anything beyond that risks a violation, as the $30,000 and $50,000 fines above demonstrate.
One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more
Sources
- 45 CFR 160.103 - Business Associate Definition - Electronic Code of Federal Regulations
- 45 CFR 164.508 - Uses and Disclosures for Which an Authorization Is Required (Marketing) - Electronic Code of Federal Regulations
- HHS Guidance on Marketing Under HIPAA - U.S. Department of Health and Human Services
- FTC and HHS Warn Hospital Systems and Telehealth Providers About Privacy and Security Risks from Online Tracking Technologies - Federal Trade Commission, July 2023
- Northcutt Dental Enforcement Action - HHS Office for Civil Rights, April 2022
- Manasa Health Center Enforcement Action - HHS Office for Civil Rights, October 2023
- OCR Announces 4 Financial Penalties to Resolve HIPAA Violations - HIPAA Journal