The Adverse Opportunity of HIPAA Compliant Email Marketing
by Hoala Greevy Founder CEO of Paubox
Over the past 12 months, I’ve travelled across the country speaking, networking, and meeting lots of folks in the HIPAA industry.
These interactions yielded deep insight into the challenges organizations face when it comes to HIPAA compliance and email. It also revealed that there is ample opportunity here, the likes of which keep me up at night.
In this post, I will outline two insights I’ve gleaned from the industry that are hiding in plain sight:
- The true diameter and momentum of the HIPAA industry
- An unmet need, the size of Mauna Kea, percolating through it
Here are the topics we’ll cover in this post:
- The HIPAA industry: Its true size and momentum
- Email marketing in healthcare
- The Business Associate Agreement
- The intersection of the Business Associate Agreement and email marketing
- HIPAA compliant email marketing: An unmet need
The HIPAA industry: Its true size and momentum
HITRUST 2019 Annual Conference. Grapevine, Texas
The true size of HIPAA
A cursory glance into the U.S. healthcare space quickly tells us that it’s the fastest-growing sector of the U.S. economy, employing over 18 million workers.
We also see that spending in healthcare is $3.9 trillion, or 18% of the nation’s gross domestic product (GDP).
What would be missed, however, is that HIPAA regulations entangle more than just the healthcare sector.
For example, the Bureau of Labor Statistics (BLS) groups Health Insurance and Pharmaceutical as distinct categories, apart from Healthcare. We know, however, that all three categories fall under HIPAA compliance regulations.
As our HIPAA industry research reveals, it in fact covers 1.72 million organizations and 22 million American employees. That marks an additional four million employees that work at organizations that need to follow HIPAA regulations.
HIPAA momentum: macro trends at work
Here are the macro trends driving the HIPAA industry today:
- 10,000 Americans retire every day. These, of course, are the Baby Boomers.
- Higher burdens on the system. With more people aging into retirement, additional healthcare services and employees are needed to service them.
- Millennials fill the gap. Millennials make up 35% of the American workforce, the largest segment of any generation. They are predominantly the ones filling the new jobs in healthcare as well.
- Modern tools are expected, yet not provided. Here’s an inconvenient truth: The fax machine is the backbone of communication in U.S. healthcare today. This alone tells you the state of technology adoption in healthcare.
Now that we’ve covered the size and macro trends driving HIPAA, let’s move on and uncover the unmet need percolating beneath it.
Email marketing in healthcare
Moderating a panel at HITRUST 2019 Annual Conference. Grapevine, Texas
Many enterprise healthcare organizations take a prohibitive stance on even sending banal email announcements to their customer base.
In effect, email marketing in U.S. healthcare barely exists, even in 2019.
Let’s look at an example that explains why this is so.
Let’s say a division of a large healthcare provider, like the Kaiser Bariatric Center of San Francisco (they are not a Paubox customer; this is merely an example), has a list of 5,000 past, present, and potential patients. To stay top of mind, they want to send an email newsletter to their list, wishing them a Happy Thanksgiving.
Somewhere in their byzantine corporate structure, someone in a Kaiser legal department intervenes and stops the email from being sent.
Their reasoning would be that the “To:” and “From:” fields alone would constitute Protected Health Information (PHI), thereby triggering HIPAA compliance requirements.
They would argue that if the email newsletter can’t be sent via a secure, HIPAA compliant manner, it can’t be sent.
Let’s dive in a bit more to understand why their legal department could take such a stance in this hypothetical example.
Let’s say the beginning of the email would look like this:
From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>
To: Jane Doe <email@example.com>
Subject: Wishing you a Happy Thanksgiving!
Since the sender is the Kaiser Bariatric Center, we can infer a medical condition from the “From:” field alone.
And since the recipient field carries a person’s name and email address (both HIPAA identifiers), we can tie that inferred condition to an identifiable individual.
It may sound overly conservative. It may even sound absurd. But that’s the state of email marketing and HIPAA compliance today.
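As an added example (not Paubox’s code or anything from the original post), here is a small outbound-mail check that encodes the reasoning above: it parses the message headers, looks the sender up in a constructed registry of mailboxes whose identity implies a condition, and decides whether the “To:” and “From:” fields alone would constitute PHI and so must go over a secure channel. The registry, the sample newsletter and the action names are all assumptions.

```python
"""Flag outbound messages whose To:/From: headers alone could disclose PHI.

Added example, not Paubox code. The registry and sample message are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: sender mailboxes whose identity implies a condition.
# A real deployment would build this from the organization's mailbox inventory.
CONDITION_IMPLYING_SENDERS = {
    "kp-bariatric-ssf@kp.org": "bariatric / weight-management care",
}

# Constructed sample newsletter, mirroring the headers quoted in the post.
SAMPLE_NEWSLETTER = """\
From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>
To: Jane Doe <email@example.com>
Subject: Wishing you a Happy Thanksgiving!

Happy Thanksgiving from all of us!
"""


def header_phi_risk(raw_message: str) -> dict:
    """Return a decision dict: do To:/From: alone constitute PHI, and why?"""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    recipient_name, recipient_addr = parseaddr(msg.get("To", ""))
    condition = CONDITION_IMPLYING_SENDERS.get(sender.lower())
    # A personal email address (or a display name) is a HIPAA identifier, so
    # anything other than an empty/undisclosed recipient is identifiable.
    identifiable = bool(recipient_addr.strip() or recipient_name.strip())
    phi = condition is not None and identifiable
    return {
        "sender": sender,
        "implied_condition": condition,
        "recipient_identifiable": identifiable,
        "headers_constitute_phi": phi,
        # Defender's decision: send only via a channel that encrypts the
        # message in motion and at rest, or do not send at all.
        "action": "require_secure_channel" if phi else "allow",
    }


if __name__ == "__main__":
    for key, value in header_phi_risk(SAMPLE_NEWSLETTER).items():
        print(f"{key}: {value}")
```

A generic corporate sender (one not in the registry) yields `allow`, which is exactly the distinction the legal department in the example is drawing.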
Now that we’re aware how low the threshold can be for triggering HIPAA compliance in email marketing, let’s take a look at the major players in the market and their stance on HIPAA.
The Business Associate Agreement
Speaking at a HITRUST Community Extension Program. Tampa, Florida
For starters, we need to understand a crucial piece of HIPAA compliance for software vendors providing service to HIPAA entities: the Business Associate Agreement (BAA).
At a minimum, there are 10 provisions that must be covered by a BAA.
If you are a covered entity entrusting PHI to a third party like an email marketing vendor, then a BAA is required by law.
The intersection of the Business Associate Agreement and email marketing
Presenting at a HITRUST Community Extension Program. Philadelphia, Pennsylvania
In the email marketing space, a majority of vendors will not sign a BAA with their customers.
In fact, the following email marketing companies will not sign a BAA:
- Adobe Campaign (cloud version)
- Return Path
- Sendgrid by Twilio
- Zoho Campaigns
Of the remaining prominent email marketing vendors, we found three that will sign a BAA:
- Constant Contact
- Infusionsoft
- Salesforce Marketing Cloud
As a quick recap, when it comes to HIPAA Compliant Email there are two high-level HIPAA requirements to keep in mind:
- Encrypting email at-rest
- Encrypting email in-motion
Let’s take a look at why this is important.
In our research, we discovered it pays to read the fine print. Let’s use Constant Contact as an example.
In their HIPAA Knowledge Base, we can see that while they will sign a BAA, Constant Contact does not allow their customers to actually send PHI via their platform:
[You] Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.
In a nutshell, even with a BAA in place, Constant Contact still does not allow a healthcare organization to effectively market to its client base.
To the best of our knowledge, the same limitation is true with Infusionsoft and Salesforce Marketing Cloud.
HIPAA compliant email marketing: An unmet need
Presenting to Health Insurance Executives at the Waldorf Astoria Hotel. Chicago, Illinois
Since launching our Secure Email API, a common request we’ve encountered is a front-end interface to send secure, HIPAA compliant email marketing newsletters.
That basic business strategy and key to patient engagement is missing from many healthcare organizations because of the lack of a real solution.
After twelve months of diligent research and listening to customer feedback, I’m happy to say we intend to fulfill this unmet need in the market.