HIPAA Law on Advertising

Patient testimonials are a staple of provider advertising. Solid testimonials can translate into new patients, and with that, increased profits for your practice. Before you can post testimonials, though, you must familiarize yourself with HIPAA law on advertising – specifically, those HIPAA regulations that address patient authorization form requirements. 

What is the HIPAA Law on Advertising?

The HIPAA Privacy Rule requires that you obtain valid, written authorization from a patient before you can publish any testimonial involving that patient on your website, social media platform, or through any other medium of communication (e.g., print, radio).  

You can secure valid, written authorization through having patients sign two documents: a Notice of Privacy Practices, and a patient testimonial advertising form.

What is a Notice of Privacy Practices?

Under HIPAA regulations, healthcare providers must provide patients with a Notice of Privacy Practices, in plain language, that contains:   

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and healthcare operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the healthcare provider covered may use or disclose PHI without written authorization.  
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

What is a Patient Testimonial Advertising Form?

A patient testimonial advertising form is a written, signed patient authorization. The authorization serves as written consent that allows the provider to use patient information in testimonials. 

The authorization should include specific reasons as to why the patient is consenting to sign the form. The authorization should also include a full and accurate description of precisely what patient information (i.e., photographs or videos of the patient) can be used in a testimonial, and how that information will be used. 

HIPAA law on advertising does not dictate the precise, word-for-word language that an authorization must contain. 

Rather, the authorization language must contain the “why,” “what,” and “how,” discussed above.  Below is sample language that complies with HIPAA law on advertising that addresses the “why” and “what” requirements. 

“Through signing this release, I (name of patient) authorize (name of practice) and its staff to use photographs, video images, or (list any other likenesses) of myself, and the attached written testimonials, for the following purposes: (list the purposes).”  (Legitimate, permitted purposes include, for example, advertising and marketing purposes).

The above language indicates why the patient is consenting to sign the form (i.e., for marketing or advertising purposes), and also indicates what information may accompany a testimonial – photographs, video images, or other specific likenesses. 

The authorization should contain additional language addressing the “how” requirement. Such language should contain a statement indicating the patient’s understanding of the extent to which the photographs, video images, etc., can be used (e.g., whether it can be copied, circulated, or distributed), and an understanding of what medium the copying, circulation, or distribution may be in (i.e., printed or electronic form). 

Sample additional language may read as follows:

“I, (name of patient) acknowledge and understand that the photographs, video images, or other likenesses of myself, may be included in, copied, circulated, and distributed by means of various print and electronic media, such as (list all types of media through which the information is expected to be circulated, copied, or distributed – i.e., print, social media, website, etc.)….”

HIPAA advertising law requires that the testimonial authorization form contain certain additional information (this information also must be included in the Notice of Privacy Practices). The information includes:

  • The expiration date or expiration event. 
  • The name of the practice and its contact information. Such contact information may include, for example, the name, address, and phone number of a primary contact person.  
  • The full name of the individual patient from whom authorization is sought. 
  • The patient’s signature, and the date the patient signs the form. 

Finally, under HIPAA advertising law, the testimonial authorization form must include a disclosure that states that the patient may revoke the authorization form. The form must also include a disclosure as to how to revoke the authorization.