Are Marketing and Fundraising the Same? A Guide to HIPAA's Definitions (45 CFR § 164.501)

Executive Summary

HIPAA distinguishes clearly between marketing and fundraising; under 45 CFR § 164.501 each has its own rules and associated patient rights. While both involve communicating with patients and using Protected Health Information (PHI), they serve different purposes and carry different compliance obligations. Misclassifying one as the other can result in unauthorized disclosures, penalties, or reputational damage. This guide helps small practices understand the definitions, boundaries, and compliance strategies for each category.

Introduction

You’ve likely sent out a newsletter, an invitation to a fundraising gala, or reminders about wellness programs. But did you know that some of these messages may qualify as "marketing" under HIPAA and require prior patient authorization?

HIPAA doesn’t prohibit communication, but it does regulate how PHI is used in marketing and fundraising. These definitions matter, especially for small practices working with third-party service providers, or those affiliated with nonprofit healthcare foundations.

Understanding the legal boundaries under § 164.501 ensures your practice remains compliant, builds trust, and avoids costly enforcement.

What Does HIPAA Define as “Marketing”?

Definition

Per HIPAA, marketing is any communication about a product or service that encourages the recipient to purchase or use it, except when:

  • The communication is for treatment of the individual

  • It is for case management or care coordination

  • It relates to recommending alternative treatments or providers

Examples of Marketing

  • A flyer encouraging patients to try a new medication sold by a third party

  • A newsletter promoting a weight-loss program for a fee

  • A partnership email with a pharmacy encouraging product purchases

Unless exempt, marketing requires prior written patient authorization, particularly if a third party pays for the communication.

What Is Not Marketing?

HIPAA allows certain communications without authorization, including:

  • Communications about current prescriptions or treatments

  • Reminders for annual checkups or vaccinations

  • Recommending a patient to another provider based on clinical judgment

Is "Fundraising" a defined term under HIPAA?

Per 45 CFR § 164.501, "fundraising" is not a separately defined term, but it is listed as one of the business management and general administrative activities that fall under the definition of "health care operations". As a result, a covered entity may use protected health information for fundraising activities under the rules governing "health care operations."

Using PHI for Fundraising

While § 164.501 itself does not specify which types of PHI may be used for fundraising, it does state that fundraising for the benefit of the covered entity is part of "health care operations". Therefore, the use of PHI for fundraising activities is governed by the rules for "health care operations," rather than by the specific rules for "marketing".

Case Study: When a Fundraising Campaign Crossed the Line

A large regional health network launched an ambitious fundraising campaign aimed at generating support for its oncology department. The campaign specifically targeted former cancer patients, sending out personalized letters that included emotionally charged phrases such as “the strength you showed during your cancer journey” and detailed references to the type of treatment each recipient had undergone.

However, the organization failed to obtain prior written authorization from any of the patients whose information was used. HIPAA permits only limited PHI to be used for fundraising purposes, such as a patient’s name, address, phone number, dates of service, department of service, treating physician, and outcome. In this case, the health network referenced diagnosis and treatment details, which fall outside what is legally allowed without the patient’s explicit consent.

One patient, alarmed by the language in the letter, filed a formal complaint with the Office for Civil Rights (OCR), stating that the message violated their privacy and revealed sensitive health information without their permission.

OCR Findings

The OCR launched an investigation and uncovered several compliance failures:

  • Prohibited PHI was used in fundraising communications. The content of the letters clearly exceeded HIPAA’s allowable categories for fundraising outreach, particularly through the inclusion of treatment-specific language.

  • No opt-out mechanism was included in the correspondence. HIPAA requires all fundraising materials to offer a clear and simple way for recipients to decline future messages. The health network failed to meet this requirement entirely.

  • A third-party fundraising contractor had unrestricted access to PHI. The network had not limited the contractor’s access to only permitted data, nor had it ensured proper safeguards were in place through business associate agreements or internal controls.

Outcome and Consequences

As a result of the violations, the health network entered into a resolution agreement with OCR, which included:

  • A $50,000 monetary settlement

  • The development and implementation of new, HIPAA-compliant fundraising policies

  • Mandatory training for all staff and vendors involved in patient communications

  • Regular audits to ensure future compliance

This case underscores the importance of clearly distinguishing between what is permitted and what requires patient authorization in the context of fundraising. Even well-intentioned outreach can lead to costly consequences if HIPAA safeguards are ignored.

How to Comply: Key Rules for Each Category

Marketing Compliance Requirements

  • Authorization required? Yes, unless exempt (e.g., treatment communication)

  • Third-party compensation: always requires authorization

  • Must inform of remuneration: if a third party pays for the communication, that must be disclosed in the authorization

  • Opt-out required? No (authorization is required instead)

Common Pitfalls and How to Avoid Them

  • Pitfall: misclassifying marketing as treatment communication. Consequence: unauthorized disclosure; OCR penalties. How to avoid: review each message type carefully with legal/compliance.

  • Pitfall: accepting payment for marketing without authorization. Consequence: major violation. How to avoid: obtain explicit HIPAA authorization with payment disclosure.

  • Pitfall: using a vendor without a BAA for mail campaigns. Consequence: breach risk. How to avoid: execute a Business Associate Agreement with all third parties handling PHI.

Checklist: Staying Compliant with Marketing and Fundraising Rules

  • Review marketing messages for HIPAA compliance. Responsible: Privacy Officer. Frequency: per campaign.

  • Obtain HIPAA authorizations for paid promotions. Responsible: Admin / Legal. Frequency: per message.

  • Verify PHI fields in fundraising use are permitted.

  • Include opt-out link in all fundraising emails.

  • Audit vendor relationships and confirm BAAs. Responsible: Compliance Officer. Frequency: annually.

  • Retain all authorizations for 6 years. Responsible: Records Manager. Frequency: ongoing.

Frequently Asked Questions

Can I send a wellness newsletter that includes product offers?

Only if the product is directly related to treatment, not paid for by a third party, and you’ve informed the patient through your Notice of Privacy Practices.

Is verbal authorization enough for marketing?

No. Marketing authorizations must be written, signed, and HIPAA-compliant.

Final Takeaways

HIPAA’s definitions of marketing and fundraising are not interchangeable, and confusing the two can expose your practice to unnecessary risk. Each falls under its own specific set of compliance rules, with distinct requirements for documentation, patient authorization, and opt-out mechanisms. Even if both involve communicating with patients, they operate in entirely different regulatory lanes.

Staying Compliant Means Knowing the Difference

To ensure your practice complies fully with HIPAA, you need to approach each type of communication with clarity and caution:

  • Never assume a message is exempt from HIPAA rules. Always review the content carefully to determine if it meets the criteria for marketing or fundraising. What might seem like a simple message could legally qualify as marketing and require formal authorization.

  • Obtain written authorization for marketing communications when required. This is especially important if a third party is paying you to promote a product or service that is not part of the patient's current treatment plan.

  • Use only limited PHI for fundraising purposes, and always offer patients the ability to opt out. You’re only allowed to use specific information (such as name, address, treatment dates, department of service, treating physician, and outcome) and must make it easy for patients to decline future solicitations.

  • Train all staff members and regularly audit outgoing communications. Make sure your team understands the distinctions and knows how to handle both types of outreach in a way that aligns with HIPAA’s requirements.

Why This Matters

Getting this right is about more than just avoiding fines. It’s about respecting your patients’ privacy choices and building trust with your community. By applying the correct rules to your marketing and fundraising efforts, you safeguard your practice, support ethical outreach, and demonstrate a strong commitment to compliance and transparency.

Great care is simple. Compliance should be too.