Healthcare content teams face a constraint that almost no other industry does: the act of publishing can itself trigger a regulatory obligation. Use the wrong analytics tag on the wrong page, publish a patient testimonial without a signed authorization, or make a health claim that cannot be substantiated, and you are looking at exposure under HIPAA, the FTC Act, or both.
This post covers what HIPAA does and does not restrict for marketing, what the online tracking guidance means for your website right now, how the FTC's health-claim standard works, and how to build a content approval workflow with a real compliance gate. It is written for content and growth teams at healthcare companies, not for lawyers.
Important notice: This post is general information only, not legal advice. Every healthcare organization has a different covered-entity status, different data flows, and different risk profile. Before making compliance decisions, consult your privacy officer and legal counsel.
What HIPAA Actually Restricts (and What It Does Not)
HIPAA governs what covered entities and their business associates can do with Protected Health Information (PHI). It does not govern all healthcare content in the way many marketers assume.
A covered entity under HIPAA is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically. A business associate is any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. If your organization is neither, HIPAA does not apply to you directly, though the FTC rules discussed later may still reach you.
PHI is not "any health content." It is individually identifiable health information. Under 45 CFR 160.103, PHI is information relating to an individual's past, present, or future physical or mental health condition, the provision of health care, or payment for health care, when that information identifies or could reasonably identify the individual. Publishing a blog post about diabetes management does not involve PHI. Sending an email campaign to patients you identify as diabetic from their medical records does.
The HIPAA Privacy Rule's Safe Harbor de-identification standard requires removal of all 18 enumerated identifiers before data falls outside HIPAA scope. Those 18 identifiers include names, geographic data smaller than a state, all dates directly linked to an individual (birth dates, admission dates), phone and fax numbers, email addresses, Social Security numbers, medical record numbers, IP addresses, and device identifiers, among others. Strip all of these and there is no PHI, and no HIPAA concern for your data processing.
What HIPAA does not restrict: publishing general health education content, writing about conditions and treatments without using patient data, creating topic-cluster content on medical topics, or building SEO-driven informational pages. The Privacy Rule regulates the use of PHI, not the creation of health content broadly.
The Marketing Authorization Requirement
Here is where HIPAA gets specific about content marketing. The Privacy Rule's marketing provisions at 45 CFR 164.501 define "marketing" as a communication about a product or service that encourages recipients to purchase or use it, where the covered entity receives financial remuneration from a third party for making that communication.
Under 45 CFR 164.508(a)(3), a covered entity must obtain a valid written authorization from a patient before using or disclosing their PHI for marketing purposes. There are two narrow statutory exceptions:
- A face-to-face communication with an individual (the physician can hand you a product brochure at an appointment without authorization).
- A promotional gift of nominal value (a free pen, a pamphlet at the front desk). "Nominal value" is not numerically defined by HHS; your privacy officer needs to make that call.
If the covered entity receives any direct or indirect financial remuneration from a third party in exchange for making the communication, authorization is required, and the authorization form must explicitly disclose that remuneration exists.
Three things that are expressly outside the marketing definition and need no authorization:
- Communications for the treatment of the individual (a physician recommending a specialist, a refill reminder for a currently prescribed drug).
- Case management, care coordination, or recommending alternative treatments.
- Communications about the covered entity's own health-related products and services, where remuneration is reasonable and in kind.
The practical upshot: a hospital's email newsletter about its own cardiac care program is likely not marketing under HIPAA. An email to identified patients promoting a third-party pharmaceutical product, where the pharma company pays the hospital to send it, is marketing and requires authorization.
Do's and Don'ts: Specific Content Scenarios
Patient Testimonials
A patient testimonial on your website or in your marketing materials uses that patient's health information (their condition, their treatment outcome) in a marketing context. That is PHI being used for marketing, which requires a valid HIPAA authorization before you publish it.
A valid authorization under 45 CFR 164.508(b) must describe what PHI will be used, who is authorized to make the use, an expiration date, and a statement that the individual can revoke authorization at any time. Authorization cannot be conditioned on receiving treatment.
Beyond HIPAA, the FTC's guidance on endorsements (updated in 2023) requires disclosure of material connections and prohibits disseminating testimonials if you know or should know they are not typical and do not disclose that fact.
Do: Obtain a signed, HIPAA-compliant authorization before publishing any patient testimonial. Keep the signed authorizations on file. Have legal review the authorization form.
Do not: Publish patient stories, before-and-after experiences, or outcome statements without a signed authorization, even if the patient verbally agrees.
Case Studies
A detailed case study describing a patient's condition, treatment, and outcome is PHI if the individual is identifiable. Even without a name, if the case is specific enough that the person could be identified from the details (a rare condition, a specific geographic area, a distinctive combination of factors), it may still be PHI under HIPAA's reasonably identifiable standard.
Do: Use anonymized case studies that have passed Safe Harbor de-identification (all 18 identifiers removed, no reasonable risk of re-identification). Consider having a qualified person review before publishing.
Do not: Publish detailed clinical case studies and assume no-name equals no PHI.
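As an added example that is not part of the original post, the following Python script is a first-pass screen for the pattern-shaped Safe Harbor identifiers discussed in the 18-identifier list above and in the case-study de-identification step: it flags email addresses, phone and fax numbers, SSNs, IP addresses, full dates, medical record numbers, ZIP codes and ages over 89 in draft text, and can redact them so a reviewer sees what was stripped. The regexes, the `MRN` prefix convention and the sample draft are assumptions constructed for the example. A clean scan is not a Safe Harbor pass: names, employers, free-text geography and rare-condition details have no regular surface form and still need a human reviewer.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample draft for demonstration; every identifier in it is made up.
SAMPLE_DRAFT = (
    "Case study: a 92-year-old woman from ZIP 02139 presented on 03/14/2024 "
    "with chest pain. MRN 4471923, SSN 078-05-1120. Follow-up by phone at "
    "(617) 555-0143 or jdoe@example.com. Portal login seen from 203.0.113.45."
)

# Assumed regexes for the Safe Harbor identifiers that have a recognisable shape.
# Names, employers, free-text geography and rare-condition details do not, so a
# clean result here is a first pass for the reviewer, not a de-identification pass.
PATTERNS = {
    "email address": r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
    "phone/fax number": r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)",
    "SSN": r"\b\d{3}-\d{2}-\d{4}\b",
    "IP address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "full date": (
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|(?:January|February|March|April|May|June|July|"
        r"August|September|October|November|December) \d{1,2},? \d{4})\b"
    ),
    "medical record number": r"\bMRN[:\s#]*\d{5,}\b",  # assumed local MRN convention
    "ZIP code": r"\b\d{5}(?:-\d{4})?\b",
    "age over 89": r"\b(?:9\d|1\d\d)[- ]year[- ]old\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in PATTERNS.items()}


@dataclass(frozen=True)
class Finding:
    category: str
    match: str
    position: int


def scan_for_identifiers(text: str) -> list[Finding]:
    """Return every pattern hit in the draft, ordered by where it appears."""
    findings = []
    for category, pattern in COMPILED.items():
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.position)


def redact(text: str) -> str:
    """Replace each hit with a category tag so reviewers can see what was removed."""
    for category, pattern in COMPILED.items():
        text = pattern.sub(f"[{category.upper()} REMOVED]", text)
    return text


if __name__ == "__main__":
    for f in scan_for_identifiers(SAMPLE_DRAFT):
        print(f"{f.position:4d}  {f.category:22s}  {f.match}")
    print()
    print(redact(SAMPLE_DRAFT))
```

Run it against a draft before it goes to the Stage 2 checklist; anything it flags is a definite stop, and anything it does not flag still goes to the reviewer who knows the patient population.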
Social Media and Patient Reviews
A covered entity responding to a patient review on Google or Yelp must be careful not to confirm or deny that the reviewer is a patient. Even saying "we are sorry you had this experience at our clinic" can constitute a disclosure that the person received care there. That is PHI.
Do: Respond to reviews with generic language that does not confirm or deny the person's status as a patient. Invite them to contact your patient services team directly.
Do not: Respond to reviews with any detail about their care, appointment, or condition, even if you believe you are helping clarify a misunderstanding.
Educational and Blog Content
General educational content (blog posts about conditions, treatments, wellness topics) does not involve PHI and is not subject to HIPAA's marketing authorization requirements. This is where healthcare organizations have the most SEO upside with the least regulatory friction. Publishing authoritative, experience-backed educational content on health topics is HIPAA-compliant by default, as long as you are not drawing on patient data to target or personalize it.
Do: Build topic-cluster content around medical topics your organization treats. This is the lowest-risk, highest-SEO-value content you can produce. For a framework on how to do that systematically, see the guide on healthcare content marketing.
Do not: Personalize or segment educational email campaigns using PHI without following the authorization requirements above.
The Online Tracking Technology Problem
This is where we see healthcare marketers most often get tripped up, because it looks like a technical problem (analytics setup) but is a regulatory one.
In December 2022, the HHS Office for Civil Rights issued a bulletin stating that when a covered entity's website or app uses third-party tracking technologies (analytics pixels, Meta Pixel, Google Analytics, ad retargeting tags), the data transmitted to those third parties could constitute a disclosure of PHI if it includes individually identifiable health information.
The regulatory picture is now split into two clearly different risk zones.
Authenticated Pages (Patient Portals): High and Clear Risk
If a tracking pixel fires on any page a patient accesses after logging in, including a patient portal, post-appointment summary page, lab results page, or any other page behind authentication, that data transmitted to Google or Meta almost certainly constitutes PHI. The individual is identified (they are logged in), and the page context reveals health information. OCR's position here was not legally challenged and remains fully intact.
A Business Associate Agreement (BAA) is required with any third-party vendor that receives this data. Google does not offer a BAA for Google Analytics in standard form. Meta does not offer one for Meta Pixel. Without a BAA, transmitting that data is an impermissible disclosure of PHI under HIPAA.
If you have any third-party analytics or advertising pixels firing on authenticated pages, remove them or replace them with tools that offer a HIPAA-compliant configuration and will sign a BAA.
Unauthenticated Public Pages: Contested, But Not Zero Risk
OCR's original 2022 bulletin argued that even on unauthenticated public pages, an IP address combined with a visit to a page addressing a specific health condition could constitute PHI, making standard analytics implementations a potential HIPAA violation.
In June 2024, a federal district court (AHA v. Becerra, N.D. Tex.) vacated this specific portion of OCR's guidance, finding that OCR had exceeded its statutory authority in extending HIPAA to unauthenticated-page tracking. HHS withdrew its appeal in August 2024, making the vacatur final. The categorical rule that IP-address-plus-health-webpage automatically creates PHI no longer has a federal legal basis under HIPAA.
However: the OCR guidance page on HHS.gov has not been formally updated to reflect this ruling. State privacy laws (California, Colorado, Washington's My Health My Data Act), FTC Act Section 5 enforcement, and state attorney general actions remain independent bases for liability on unauthenticated pages, particularly for sensitive health data. The HIPAA exposure on public pages is weakened; the overall regulatory risk is not zero.
The safest practical approach: treat any page where a user's health condition, symptom search, or care-seeking behavior could be inferred as a page requiring careful tracking configuration, regardless of whether that page is behind authentication.
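The following Python audit, added here as an example and not taken from the post or from any vendor's tooling, performs the check the last two sections describe: it parses each page's HTML, looks for references to the two tracker families the post names (Google Analytics / Tag Manager and Meta Pixel), and rates a hit on an authenticated page as high (remove it, or cover it with a BAA) and a hit on a public page as needing configuration review. The signature list, the page inventory format and the three sample pages are constructed assumptions; a real audit would build the inventory from the site map plus a crawl of the logged-in pages, and extend the signatures to every tag the tag manager loads.

```python
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser

# Assumed, non-exhaustive signatures: hostnames and JS entry points of the two
# trackers the post names. Extend this with whatever your own tag inventory shows.
TRACKER_SIGNATURES = {
    "Google Analytics / Tag Manager": ("googletagmanager.com", "google-analytics.com", "gtag("),
    "Meta Pixel": ("connect.facebook.net", "facebook.com/tr", "fbq("),
}

# Constructed page inventory: URL, whether the page sits behind login, and its HTML.
# The GA and pixel IDs are placeholders, not real identifiers.
SAMPLE_PAGES = [
    {
        "url": "https://clinic.example/portal/lab-results",
        "authenticated": True,
        "html": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
</head><body><h1>Your lab results</h1></body></html>""",
    },
    {
        "url": "https://clinic.example/conditions/type-2-diabetes",
        "authenticated": False,
        "html": """<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body><h1>Managing type 2 diabetes</h1></body></html>""",
    },
    {
        "url": "https://clinic.example/about",
        "authenticated": False,
        "html": """<html><head><script src="/static/app.js"></script></head>
<body><img src="/static/logo.png" alt="logo"><h1>About our clinic</h1></body></html>""",
    },
]


class _TagCollector(HTMLParser):
    """Collects external resource URLs and inline script bodies from one page."""

    def __init__(self) -> None:
        super().__init__()
        self.resource_urls: list[str] = []
        self.inline_scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        # script src, image pixels and iframes are the usual carriers of a tag
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resource_urls.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


@dataclass(frozen=True)
class TrackerFinding:
    url: str
    tracker: str
    evidence: str
    severity: str  # "high" on authenticated pages, "review" on public ones


def detect_trackers(page_html: str) -> list[tuple[str, str]]:
    """Return (tracker name, evidence) for each known tracker the page references."""
    collector = _TagCollector()
    collector.feed(page_html)
    collector.close()
    evidence = [("resource", u) for u in collector.resource_urls]
    evidence += [("inline script", s.strip()) for s in collector.inline_scripts]
    hits: list[tuple[str, str]] = []
    for name, needles in TRACKER_SIGNATURES.items():
        for kind, text in evidence:
            if any(needle in text for needle in needles):
                hits.append((name, f"{kind}: {text[:60]}"))
                break  # one hit per tracker per page is enough for the audit
    return hits


def audit_pages(pages: list[dict]) -> list[TrackerFinding]:
    """Rate every tracker hit by whether the page is behind authentication."""
    findings = []
    for page in pages:
        severity = "high" if page["authenticated"] else "review"
        for tracker, evidence in detect_trackers(page["html"]):
            findings.append(TrackerFinding(page["url"], tracker, evidence, severity))
    return findings


if __name__ == "__main__":
    for f in audit_pages(SAMPLE_PAGES):
        print(f"[{f.severity:6s}] {f.url}\n         {f.tracker} via {f.evidence}")
```

Static HTML only shows what the page loads directly; tags injected by a tag manager at runtime show up only in a browser-side or proxy capture of the logged-in session, so treat a "high" result as a definite finding and an empty result on a page that loads a tag manager as unresolved.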
Source: HHS OCR HITECH Act Enforcement Interim Final Rule; 2026 inflation-adjusted figures.
FTC Health Claims: The Second Compliance Layer
Even if your organization is not a HIPAA covered entity (a wellness app, a direct-to-consumer health product company, a health coaching platform), the FTC's health-claim rules apply to your marketing content.
The FTC's Health Products Compliance Guidance, updated in December 2022, requires advertisers to possess "competent and reliable scientific evidence" before making objective health benefit claims. For efficacy claims, the FTC's stated default is high-quality randomized controlled human clinical trials. A statistically significant result that is clinically trivial does not meet the standard. Consumer testimonials are explicitly not competent evidence for a medical treatment claim.
The FTC sent notices of penalty offenses in 2023 to hundreds of companies, putting them on notice that unsubstantiated health claims after receiving that notice expose them to civil penalties up to $50,120 per violation.
Separately, the FTC Health Breach Notification Rule, as amended in April 2024, applies to health apps and connected devices that are not HIPAA covered entities. The 2024 amendments explicitly confirmed that unauthorized data sharing with advertisers (not just cyberattacks) can trigger notification obligations. Penalties run up to $51,744 per violation per day.
For healthcare content teams, this means three things practically:
- Do not publish health-outcome claims in your blog, ad copy, or landing pages without a documented evidence file that your legal team has reviewed.
- Structure-function language ("supports cardiovascular health") carries less evidence burden than disease treatment claims ("reduces risk of heart attack") but is still not evidence-free.
- If you are a health app or wellness platform not covered by HIPAA, the FTC is your primary regulatory exposure, and the 2024 amendments give it broader reach than most teams realize.
Building a Compliant Content Approval Workflow
The gap between well-intentioned healthcare content teams and compliant ones is almost always a workflow problem, not a knowledge problem. The team may know HIPAA applies; they do not have a structured gate that catches violations before publication.
Here is the minimum viable compliance workflow we recommend for healthcare content teams. This is not a substitute for legal review; it is what should precede legal review to make it efficient.
Stage 1: Brief-level compliance flag. Before a piece enters drafting, the content brief should include a compliance classification:
- Type A: General educational content. No PHI involved. Standard editorial review only.
- Type B: Marketing to identified patient populations. PHI involved. Requires authorization documentation before publication.
- Type C: Testimonials or case studies. PHI or likely PHI involved. Requires authorization plus legal review.
- Type D: Health claims (outcome or efficacy claims). Requires substantiation documentation and legal review before any publication, including social media.
Stage 2: Draft-level review checklist. Every draft should pass a content-level review that catches the most common issues before it reaches legal. The checklist at the end of this post is designed for this stage.
Stage 3: Compliance review gate (legal or privacy officer). For Type B, C, and D content, no draft should publish without sign-off from someone with compliance authority. This does not need to be slow if Stage 1 and 2 are doing their jobs: the compliance gate should be reviewing a clean draft with a clear compliance brief, not reading raw copy to figure out what category it falls in.
Stage 4: Documentation and version control. Every patient testimonial should have a signed authorization on file. Every health claim in a published piece should have a linked evidence file. This is your audit trail.
For a full treatment of how to design content workflows with quality gates that scale, see the guide on content approval workflow design. If you are building the broader content operations infrastructure around these gates, the content operations framework covers the full architecture.
The E-E-A-T Connection
Google's Search Quality Rater Guidelines designate health content as "Your Money or Your Life" (YMYL) content, where the potential harm from misleading information is high and therefore the E-E-A-T bar is correspondingly higher. For healthcare content to rank well on health topics, it needs real demonstrated expertise, clear authorship credentials, and verifiable factual accuracy.
The good news: a rigorous compliance review process actually builds the E-E-A-T signals Google cares about. A published piece that links to primary clinical sources, attributes claims to named clinicians, and has been through a documented review process is genuinely more trustworthy than one that hasn't. The compliance workflow is not in tension with the SEO goal; it is an input to it.
For a full framework on building these signals into content systematically, see the guide on E-E-A-T for SEO.
HIPAA Content Compliance Checklist
Copy and paste this into your content brief template or your editorial checklist. Use it before a piece goes to legal or privacy review.
=== HIPAA CONTENT COMPLIANCE PRE-PUBLICATION CHECKLIST ===
CLASSIFICATION
[ ] Classified as Type A (educational), B (marketing/PHI), C (testimonial/case study), or D (health claims)
[ ] Compliance review level appropriate to classification confirmed
PHI CHECK
[ ] Content does not draw on, reference, or incorporate individually identifiable patient data
[ ] If a patient is referenced, a HIPAA-compliant signed authorization is on file
[ ] Any case studies or patient stories have passed Safe Harbor de-identification (all 18 identifiers removed)
[ ] Social media response guidance followed: no confirmation/denial of patient status in public replies
TESTIMONIAL AND CASE STUDY CHECK (Type C only)
[ ] Signed HIPAA authorization on file with description of specific PHI, expiration date, and revocation notice
[ ] Authorization reviewed by legal or privacy officer
[ ] Authorization is not conditioned on receipt of treatment
[ ] FTC endorsement disclosure requirements reviewed (material connection, typicality)
HEALTH CLAIMS CHECK (Type D only)
[ ] All health-outcome or efficacy claims have a linked, documented evidence file
[ ] Claim type assessed (structure/function vs. disease/treatment) and appropriate evidence level confirmed
[ ] Evidence reviewed by legal or medical professional before publication
[ ] No testimonials cited as evidence of efficacy
TRACKING AND ANALYTICS
[ ] No third-party tracking pixels (analytics, ad, social) firing on authenticated patient-facing pages
[ ] Vendor BAA status verified for any tool that touches authenticated-page data
[ ] Public-page analytics configuration reviewed against current legal and state privacy requirements
APPROVAL AND DOCUMENTATION
[ ] Appropriate compliance review gate completed for content type
[ ] Reviewer name and date logged in content management system
[ ] Authorization forms and evidence files stored in a retrievable, auditable location
=== END CHECKLIST ===
FAQ
Does HIPAA apply to my blog?
Not to the blog content itself, if the posts are general health education and do not use patient data. HIPAA applies to covered entities using PHI, not to health content broadly. A blog post about managing Type 2 diabetes is not a HIPAA concern. An email campaign targeting your patient database flagged as diabetic, drawing on their medical records, is. The distinction is whether individually identifiable health information is being used.
Do we need patient authorization for a testimonial?
Yes, if you are a HIPAA covered entity. A patient testimonial uses their health information (their condition, their treatment, their outcome) in a marketing communication. Under 45 CFR 164.508(a)(3), that requires a signed, HIPAA-compliant authorization before you publish. The authorization must be specific about what information will be used and must include the patient's right to revoke.
Can we use Google Analytics on a healthcare website?
On public unauthenticated pages, the picture changed in mid-2024 after a federal court vacated part of OCR's guidance. Standard analytics on public informational pages carries lower HIPAA risk than it did under OCR's original 2022 position. On authenticated pages (patient portals, any page a logged-in patient sees), Google Analytics and similar tools without a BAA remain a clear compliance problem. Google does not offer a standard BAA for Google Analytics. Remove tracking pixels from all authenticated environments.
What is the difference between HIPAA marketing restrictions and the FTC's health claims rules?
HIPAA restricts a covered entity's use of PHI for marketing (you need patient authorization to use their health records to market to them). The FTC's health claims rules restrict the substantiation required to make objective health-outcome statements in any marketing content (you need competent scientific evidence for efficacy claims). The two frameworks address different things and can both apply to the same piece of content, or apply independently depending on your organization's regulatory status.
Does HIPAA apply to health apps?
If the health app is operated by a HIPAA covered entity or business associate, yes. If it is a standalone consumer health app with no relationship to a covered entity, HIPAA typically does not apply. However, the FTC's Health Breach Notification Rule does apply to non-HIPAA health apps, and the 2024 amendments extended its reach to unauthorized data sharing with advertisers. The practical compliance burden on health apps that do not qualify as covered entities shifted significantly toward the FTC framework in 2024.
What is the safest content type for a healthcare organization to produce?
General educational content on medical topics relevant to your practice, clearly attributed to named clinicians with their credentials, citing primary clinical sources, with no use of patient data and no unsubstantiated health-outcome claims. This content type has the lowest regulatory friction, the highest E-E-A-T signal value, and the best alignment with what Google's rater guidelines reward for YMYL health topics.
Healthcare is one of the hardest content verticals to get right, not because the content strategy is complicated but because the compliance layer is real and carries meaningful consequences when ignored. The teams we have seen navigate it well are the ones that treat compliance as an upstream design problem, not a downstream editorial check. If the brief-level classification is correct, and the workflow is built around it, the legal review gate becomes efficient rather than a bottleneck. The content that comes out of that system is also the content that ranks: accurate, expert-attributed, and trustworthy by verifiable signals.
At SparkBlog, we think about this as the same problem we approach for all regulated content: build the quality gate into the production system, not at the end of it.