Over the past 12 months, I've travelled across the country speaking, networking, and meeting lots of folks in the HIPAA industry.
These interactions yielded deep insight into the challenges organizations face when it comes to HIPAA compliance and email. It also revealed that there is ample opportunity here, the likes of which keep me up at night.
In this post, I will outline two of the insights I've gleaned from the industry, hiding in plain sight:
- The true diameter and momentum of the HIPAA industry
- An unmet need, the size of Mauna Kea, percolating through it
Table of Contents:
- The HIPAA industry: its true size and momentum
- Email marketing in healthcare today
- How to make your email marketing HIPAA compliant
- Meeting the growing need of HIPAA compliant email marketing
The HIPAA industry: its true size and momentum
HITRUST 2019 Annual Conference. Grapevine, Texas
The true size of HIPAA
A cursory glance into the U.S. healthcare space quickly tells us that it's the fastest-growing sector of the U.S. economy, employing over 18 million workers. We also see that spending in healthcare is $3.9 trillion, or 18% of the nation's gross domestic product (GDP).
What would be missed, however, is that HIPAA regulations entangle more than just the healthcare sector. For example, the Bureau of Labor Statistics (BLS) treats health insurance and pharmaceuticals as categories distinct from healthcare.
However, all three categories fall under HIPAA compliance regulations. As our HIPAA industry research reveals, today more than 22 million Americans are required to be HIPAA compliant in the workplace. By 2022, this is forecast to climb to nearly 26 million employees.
HIPAA momentum: macro trends at work
Here are the macro trends driving the HIPAA industry today:
- 10,000 Americans retire every day. These, of course, are the baby boomers.
- There is an increasing burden on the system. With an aging population, additional healthcare services and employees are needed.
- Millennials fill the gap. Millennials make up 35% of the American workforce, the largest segment of any generation. They are predominantly the ones filling the new jobs in healthcare as well.
- Modern tools are expected, yet not provided. Here's an inconvenient truth: the fax machine is still the backbone of communication in U.S. healthcare today. This alone tells you the state of technology adoption in healthcare.
Now that we've covered the size and macro trends driving HIPAA, let's move on and uncover the unmet need percolating beneath it.
Email marketing in healthcare today
Moderating a panel at HITRUST 2019 Annual Conference. Grapevine, Texas
Many enterprise healthcare organizations take a prohibitive stance on even sending banal email announcements to their customer base. In effect, email marketing in U.S. healthcare barely exists, even in 2019. Let's look at an example that explains why this is so.
Let's say a division of a large healthcare provider, like the Kaiser Bariatric Center of San Francisco (they are not a Paubox customer; this is merely an example), has a list of 5,000 past, present, and potential patients.
To stay top of mind, they want to send an email newsletter to their list, wishing them a happy Thanksgiving. Somewhere in their byzantine corporate structure, someone in Kaiser's legal department intervenes and stops the email from being sent.
Their reasoning would be that merely the "To:" and "From:" fields would represent protected health information (PHI), thereby triggering HIPAA compliance requirements. They would argue that if the email newsletter can't be sent in a secure, HIPAA compliant manner, it can't be sent.
Let's dive in a bit more to understand why their legal department could take such a stance in this hypothetical example. Let's say the beginning of the email would look like this:
From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>
To: Jane Doe <firstname.lastname@example.org>
Subject: Wishing you a Happy Thanksgiving!
Since the sender is the Kaiser Bariatric Center, we can infer a medical condition from the "From:" field alone. And since the "To:" field contains a person's name and email address, we can tie that inferred medical condition to an identifiable individual.
It may sound overly conservative. It may even sound absurd. But that's the state of email marketing and HIPAA compliance today.
Paubox Marketing allows healthcare providers to send properly encrypted marketing messages that contain PHI directly to the recipients' email inboxes. We sign a business associate agreement (BAA) with our partners, and we encrypt PHI both at rest and in transit, both of which are HIPAA requirements.
Read on to learn more about why these features differentiate Paubox Marketing from our competitors' products.
How to make your email marketing HIPAA compliant
Speaking at a HITRUST Community Extension Program. Tampa, Florida
Sign a business associate agreement with your marketing vendor
As we've previously covered, a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a BAA.
If you are a covered entity entrusting PHI to a third party like an email marketing vendor, then a BAA is required by law.
Presenting at a HITRUST Community Extension Program. Philadelphia, Pennsylvania
In the email marketing space, the majority of vendors will not sign a BAA with their customers. In fact, the following email marketing companies will not sign a BAA:
- Adobe Campaign (cloud version)
- Return Path
- Sendgrid by Twilio
- Zoho Campaigns
Of the remaining prominent email marketing vendors, we found four that will sign a BAA:
More on why these solutions still won't work for your healthcare marketing needs below.
Encrypt your email
When it comes to HIPAA compliant email, there are two more high-level HIPAA requirements to keep in mind:
- Encrypting email at-rest
- Encrypting email in-motion
Let's take a look at why this is important. In our research, we discovered it pays to read the fine print. Take Constant Contact as an example. Its HIPAA Knowledge Base shows that while the company will sign a BAA, Constant Contact does not allow its customers to actually send PHI via its platform:
[You] Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.
In a nutshell, even having a BAA in place with Constant Contact does not allow a healthcare organization to effectively market to its client base.
To the best of our knowledge, the same limitation is true with Infusionsoft and Salesforce Marketing Cloud.
On the other hand, Oracle Eloqua can be used in a HIPAA compliant manner for email marketing and automation. However, it is difficult to use and configure, and most importantly, it requires recipients to log into a secure portal to read their messages, which decreases open rates.
This is in contrast to Paubox Marketing which will: 1) Sign a BAA; 2) Encrypt email both in transit and at rest; and 3) Allow your patients to read their emails directly from their inbox with no extra steps.
Meeting the growing need of HIPAA compliant email marketing
Presenting to Health Insurance Executives at the Waldorf Astoria Hotel. Chicago, Illinois
Healthcare providers are only now realizing the power and potential of email marketing to their patients and potential patients. This basic business strategy and key to patient engagement has been missing from many healthcare organizations because of the lack of a real solution - until now.
After twelve months of diligent research and listening to customer feedback, I'm happy to say we intend to fulfill this unmet need in the market with Paubox Marketing, which allows you to segment and send secure emails using your patient data to drive more engagement and results.
All while staying HIPAA compliant.