Office of Compliance Programs

Marketing, Fundraising, Public Relations, and HIPAA

Revised: September 1, 2017

Who Needs to Take This Training?

Anyone who:

The HIPAA Privacy Rule

A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI) about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.

Marketing under HIPAA

Under HIPAA, "marketing" is defined as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." This includes any arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s authorization. LSUHSC-NO's policy on the use or disclosure of protected health information for marketing purposes can be found in CM-53 Section R.

This definition does not limit the type or means of communication considered marketing.

Examples of “marketing” communications requiring prior authorization are:

Certain types of communications are not included in the definition of “marketing” under HIPAA. These include communications to provide:

These activities are not considered marketing as it is defined in the HIPAA regulations.

Refill reminders

The following types of communications are permitted without an individual’s authorization, provided any financial remuneration received from the pharmaceutical manufacturer in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.

Example: A pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so. Please note that if the covered entity in this example does contract with a mail house to send out reminder notices, it must have a business associate agreement with the mail house before providing the PHI.

Treatment information

A communication is not “marketing” if it is made for treatment of the individual.

Example: An LSUHSC-NO healthcare provider refers an individual to a specialist for a follow-up test.

Information about Products or Services Provided by the Covered Entity

A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication.

This exception to the marketing definition permits communications by a covered entity about its own products or services.

Example: A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.

Case management

A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Example: A hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home that can meet the patient's specific needs.

Marketing: The Authorization Requirement

LSUHSC-NO must obtain an individual’s authorization for the disclosure of PHI for marketing purposes. Additionally, if the marketing arrangement involves direct or indirect remuneration (money or benefit) to LSUHSC-NO for the disclosure, the authorization must state so.


Simply put, a covered entity may not sell protected health information to a business associate or any other third party for that party’s own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.

Example: A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.

Example: A health care provider provides a list of his patients to a drug manufacturer in exchange for an all expense paid cruise in the Mediterranean. The drug manufacturer then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.

Mailing Lists

Even a list of names and addresses compiled from the LSUHSC-NO patient database, stripped of all medical data, would still be protected. Having a name on the list indicates that the person got health services of some kind.

Exceptions to the Authorization Requirement

A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual; or a promotional gift of nominal value provided by the covered entity.

Example: A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.

Example: A dentist provides toothbrushes, dental floss and toothpaste to her patients.

Example: An insurance agent sells a health insurance policy in person to a customer and proceeds to also market a casualty and life insurance policy as well.

Receiving Money for Gifts and Communications

Receiving money for making such gifts or communications does not change the exemption. However, anti-kickback, fraud and self-referral statutes may still apply.

Opt-out Provisions

While some forms of marketing do not require an authorization form, it is a good idea to include an opt-out provision in those communications as a patient-friendly service. If an opt-out provision is provided, the HIPAA regulations require that you honor it.

Scenario 1

LSUHSC-NO Stanley S. Scott Cancer Center wants to expand its efforts in cancer research. In order to assist in these efforts, the LSUHSC-Foundation wants to send all patients diagnosed with cancer at LSUHSC-NO clinics materials on enrolling in clinical trials. Does this require a HIPAA authorization signed by the patient prior to receiving such communications?


Scenario 2


LSUHSC-NO recently purchased new state-of-the-art medical equipment. The equipment manufacturer wants LSUHSC-NO to make a communication to its patients regarding this recent acquisition, and is willing to pay LSUHSC-NO in exchange for making that communication. Is an authorization required under these circumstances?


Fundraising and HIPAA

Fundraising is not specifically defined in HIPAA. HHS Office of Civil Rights interprets fundraising to mean activity for the specific purpose of raising funds for the institution, rather than a “general charitable purpose”. LSUHSC-NO's policy on use and disclosure of protected health information for fundraising can be found in CM-53 Section W.

Examples of LSUHSC-NO Fundraising Activities:

LSUHSC-NO must obtain an individual’s authorization before using or disclosing protected health information (“PHI”) for fundraising purposes. If the fundraising arrangement involves any direct or indirect remuneration (money or benefits) to LSUHSC-NO from a third party, the authorization must state so.

Exceptions to the Authorization Requirement

If the information that is used and disclosed for fundraising purposes is limited to basic demographic information about a person (e.g. name, address, and other contact information, age, gender and insurance status) and EXCLUDES any information about the illness or treatment or any information about diagnosis or nature of healthcare services, then an authorization is not required.

Scenario 3

LSUHSC-NO is affiliated with the LSUHSC-NO Foundation, as its non-profit fundraising organization. LSUHSC-NO wants to send a list of VIP patients to the Foundation so that the Foundation may contact them about donation opportunities. The information on the list is limited to first and last names and addresses. Does LSUHSC-NO need to obtain a written authorization from each patient before their information can be included on the list?


Notices and Opt-outs

Fundraising activities of any kind must be indicated in the Notice of Privacy Practices, including those that require authorizations and those that do not require authorizations. Fundraising communications must have an opt-out provision where persons can indicate that they no longer wish to receive future solicitations or communications. LSUHSC-NO must make reasonable efforts to promptly honor opt-out requests.

Public Relations and HIPAA

Media Authorizations

Media Authorizations are required in addition to HIPAA authorizations when there is the disclosure or perceived disclosure of PHI through a print, electronic or other information medium (e.g. Internet). Some examples of these instances are:

Other Public Relations Topics at LSUHSC-NO

In addition to general public relations activities, there are specific instances of public communications that HIPAA regulates. These include:


LSUHSC-NO may use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts for coordinating with the entity for:


Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition.


LSUHSC-NO may disclose to a law enforcement official PHI that LSUHSC-NO believes in good faith constitutes evidence of criminal conduct that occurred on the premises of LSUHSC-NO.


If LSUHSC-NO is providing emergency health care in response to a medical emergency, other than such emergency on its own premises, LSUHSC-NO may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:

Please note: this does not limit a healthcare provider’s ability to notify law enforcement officials when he or she believes a crime has been committed.

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: