This is an excerpt from a member-only article. To read the article in its entirety, please login or subscribe.

Many healthcare marketers are confused about HIPAA's rules regarding fundraising and other marketing efforts. And although patient authorization is not necessary when using protected health information (PHI) for treatment, payment, or healthcare operations, it is usually a requirement for other purposes-especially marketing. Enforcement has been lax, but providers who engage in fundraising activities or market services and programs directly to patients must thoroughly understand the rules nonetheless. "It's discouraging that the healthcare industry still doesn't get it," says Kate Borten, founder of The Marblehead Group, a consulting firm in Marblehead, MA.