How HIPAA actually affects patient review outreach (and what most vendors get wrong)
HIPAA doesn't prevent review outreach — it shapes it. A practical breakdown of what you can and can't do, what your BAA actually covers, and where most vendors slip.

The first objection we hear when we walk a practice manager through a structured review-outreach plan is some version of “is this HIPAA-allowed?” The honest answer is yes, but with shape. The shape matters more than most vendors admit.
The HIPAA Privacy Rule (45 CFR § 164) does not prohibit Business Associates from contacting patients on a covered entity's behalf for treatment, payment, or health care operations (TPO). It governs how they do it — what data they can use, what consent they need, what audit trail they have to keep, and what they have to do if something goes wrong.
What you CAN do under HIPAA
- Contact a patient about their recent visit on the practice's behalf. This is a permitted use of PHI for health care operations. The patient does not need to sign a separate authorization for you to call them about their care experience.
- Use minimum-necessary information: name, contact info, visit date, provider. The Minimum Necessary Rule (45 CFR § 164.502(b)) is the governing principle. You do not need the chart, you do not need diagnoses, and you actively should not have them.
- Maintain audit logs of every patient touchpoint. Required under § 164.312(b). This is also how you defend yourself in any later complaint.
What you CAN'T do under HIPAA
- Mention specific clinical details on a voicemail, SMS, or email. “Quick follow-up on your visit” is fine. “Quick follow-up on your knee MRI” is not.
- Send messages without consent on file for that channel. SMS specifically requires prior express written consent under the Telephone Consumer Protection Act (TCPA), which is separate from HIPAA but always applies in healthcare outreach.
- Ignore an opt-out, even an informal one. If a patient says “don't contact me again” on a phone call, that has to propagate across SMS, email, and future calls within hours, not days.
- Use the data for anything other than the contracted purpose. Your BAA constrains the vendor to the specific use described. Selling or sharing patient lists is a clear violation; using them to upsell unrelated services is also a violation.
What your BAA needs to actually say
The Business Associate Agreement required under 45 CFR § 164.504(e) is not boilerplate. Six clauses are non-negotiable:
- Permitted uses and disclosures. Should specifically describe the review-outreach scope. Generic “marketing services” language is a flag — review outreach is operations, not marketing, and the BAA should reflect that distinction.
- Required safeguards. Administrative, physical, and technical. Encryption in transit and at rest, access controls, audit logs.
- Subcontractor obligations. Every subprocessor that touches PHI signs a downstream BAA. Your vendor should be able to name them.
- Breach notification timeline. 60 days from discovery is the regulatory ceiling; many vendors commit to faster (we commit to 72 hours).
- Termination & data return. What happens to the data on day one after the contract ends.
- Audit rights. Your right to ask for an audit log, a SOC 2 report, or a penetration test summary.
Where most vendors slip
The most common compliance failures we've seen in third-party review-outreach platforms:
- No BAA, or a BAA that's an enterprise upsell. If a vendor doesn't sign a BAA at the standard tier, they are not a healthcare vendor. They are a marketing vendor you shouldn't give patient data to.
- SMS templates that name clinical details. We've audited generic platforms that auto-fill the procedure name into the SMS. Hard violation.
- No documented opt-out propagation across channels. If a patient texts STOP, the call list should update before the next shift starts.
- Sharing the patient list with third-party analytics or ad platforms. Firing patient identifiers to retargeting pixels is now a frequent OCR enforcement target — see the HHS OCR bulletin on tracking technologies (Dec 2022, updated 2024). If your vendor uses Facebook Pixel or Google Analytics on patient-identifying pages without careful gating, that is a real problem.
What a clean operation looks like
A clean review-outreach setup, from a compliance standpoint:
- Signed BAA before any patient data flows.
- Minimum-necessary sync from the EHR (name, phone, email, visit date, provider; nothing clinical).
- All outbound channels (call, SMS, email) gated by consent on file, with opt-out propagation within hours.
- Scripts pre-reviewed to never mention diagnoses, procedures, or specific clinical context.
- Audit log of every touchpoint, retained for the contractual term plus 6+ years.
- Annual penetration testing and a clear breach-notification commitment.
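As an added example (not applaud's code and not part of the original article), the sketch below turns the checklist above, plus the SMS-template failure described under "Where most vendors slip", into running Python: the EHR export is projected down to a minimum-necessary field set, every outbound channel is gated on consent on file, an opt-out received on one channel revokes all channels at once, message templates are rejected before sending if they contain clinical wording or a placeholder that would pull a field outside the minimum-necessary set, and every consent change and touchpoint lands in an audit log. The field names, the clinical-term deny-list, the channel provider hand-off and the sample record are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed minimum-necessary field set: only these leave the EHR export. Clinical
# fields (diagnoses, procedures, notes) are dropped before outreach ever sees them.
MINIMUM_NECESSARY_FIELDS = ("patient_id", "name", "phone", "email", "visit_date", "provider")
CHANNELS = ("call", "sms", "email")

# Constructed sample record; the clinical fields exist only to show they get stripped.
SAMPLE_EHR_RECORDS = [
    {"patient_id": "P-1001", "name": "Pat Example", "phone": "+15550100001",
     "email": "pat@example.invalid", "visit_date": "2024-05-02", "provider": "Dr. Demo",
     "diagnosis_code": "M17.11", "procedure": "knee MRI"},
]

# Illustrative deny-list of clinical words a script or template must never contain.
CLINICAL_TERMS = re.compile(
    r"\b(mri|ct|x-?ray|biopsy|diagnos\w*|surgery|procedure\w*|prescri\w*|lab\s+results?)\b",
    re.IGNORECASE,
)
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def minimum_necessary(record: dict) -> dict:
    """Project an EHR record down to the minimum-necessary outreach fields."""
    return {k: record[k] for k in MINIMUM_NECESSARY_FIELDS if k in record}


def template_violations(template: str) -> list:
    """Pre-review a template: flag clinical words and any placeholder (e.g. {procedure})
    that would auto-fill a field outside the minimum-necessary set."""
    problems = [f"clinical term: {m.group(0)}" for m in CLINICAL_TERMS.finditer(template)]
    for name in PLACEHOLDER.findall(template):
        if name not in MINIMUM_NECESSARY_FIELDS:
            problems.append(f"placeholder outside minimum-necessary set: {{{name}}}")
    return problems


class OutreachService:
    def __init__(self, ehr_records):
        self.patients = {r["patient_id"]: minimum_necessary(r) for r in ehr_records}
        # consent[patient_id][channel] -> bool; no channel is enabled by default.
        self.consent = {pid: {c: False for c in CHANNELS} for pid in self.patients}
        self.audit_log = []

    def _audit(self, patient_id, channel, action, outcome, detail=""):
        # One entry per consent change or touchpoint; template ids are logged, bodies are not.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id, "channel": channel,
            "action": action, "outcome": outcome, "detail": detail,
        })

    def record_consent(self, patient_id, channel):
        self.consent[patient_id][channel] = True
        self._audit(patient_id, channel, "consent", "granted")

    def record_opt_out(self, patient_id, source_channel):
        """An opt-out on any one channel revokes every channel immediately."""
        for c in CHANNELS:
            self.consent[patient_id][c] = False
        self._audit(patient_id, source_channel, "opt_out", "propagated", "all channels revoked")

    def send(self, patient_id, channel, template_id, template):
        """Return True if the message was released to the channel, False if blocked."""
        problems = template_violations(template)
        if problems:
            self._audit(patient_id, channel, "send", "blocked", "; ".join(problems))
            return False
        if not self.consent[patient_id][channel]:
            self._audit(patient_id, channel, "send", "blocked", "no consent on file")
            return False
        fields = {k: self.patients[patient_id].get(k, "") for k in MINIMUM_NECESSARY_FIELDS}
        message = template.format(**fields)
        # Hand `message` to the real channel provider here (assumed; omitted in this example).
        self._audit(patient_id, channel, "send", "sent", f"template={template_id}")
        return True


def demo():
    """Walk one patient through consent, a clean send, a leaky template, and an opt-out."""
    svc = OutreachService(SAMPLE_EHR_RECORDS)
    svc.record_consent("P-1001", "sms")
    svc.record_consent("P-1001", "email")
    good = svc.send("P-1001", "sms", "visit-followup-v1",
                    "Hi {name}, quick follow-up on your {visit_date} visit with {provider}.")
    leaky = svc.send("P-1001", "sms", "leaky-v1",
                     "Hi {name}, quick follow-up on your {procedure}.")
    svc.record_opt_out("P-1001", "sms")  # patient replied STOP on SMS
    after_optout = svc.send("P-1001", "email", "visit-followup-v1",
                            "Hi {name}, how was your visit with {provider}?")
    return {"good": good, "leaky": leaky, "after_optout": after_optout,
            "consent": svc.consent["P-1001"], "audit_log": svc.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit_log"]:
        print(entry["action"], entry["outcome"], entry["detail"])
```

The ordering in `send` is deliberate: the template is checked before consent, so a clinical leak is blocked and logged even for a patient who has consented to the channel, and the audit entry records why. The opt-out revokes all three channels in one call rather than per channel, which is the propagation behaviour the checklist asks for.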
HIPAA isn't a reason not to run structured review outreach. It's a reason to be careful about whom you run it with. (See our broader take on why review outreach shouldn't live in your front desk.)
Want this kind of thinking applied to your practice?
Twenty minutes with us. We'll audit your current review velocity and tell you honestly whether applaud fits.