The Adverse Opportunity of HIPAA Compliant Email Marketing

by Hoala Greevy, Founder and CEO of Paubox


Over the past 12 months, I’ve travelled across the country speaking, networking, and meeting lots of folks in the HIPAA industry.

These interactions yielded deep insight into the challenges organizations face when it comes to HIPAA compliance and email. It also revealed that there is ample opportunity here, the likes of which keep me up at night.

In this post, I will outline two insights I’ve gleaned from the industry, both hiding in plain sight:

  • The true size and momentum of the HIPAA industry
  • An unmet need, the size of Mauna Kea, percolating through it


The HIPAA industry: its true size and momentum

HITRUST 2019 Annual Conference. Grapevine, Texas

The true size of HIPAA

A cursory glance into the U.S. healthcare space quickly tells us that it’s the fastest-growing sector of the U.S. economy, employing over 18 million workers.

We also see that spending in healthcare is $3.9 trillion, or 18% of the nation’s gross domestic product (GDP).

What is easily missed, however, is that HIPAA regulations entangle more than the healthcare sector alone.

For example, the Bureau of Labor Statistics (BLS) considers health insurance and pharmaceuticals as distinct categories, apart from healthcare. However, all three categories fall under HIPAA compliance regulations.

As our HIPAA industry research reveals, today more than 22 million Americans are required to be HIPAA compliant in the workplace. By 2022, this is forecast to climb to nearly 26 million employees.

HIPAA momentum: macro trends at work

Here are the macro trends driving the HIPAA industry today:

Now that we’ve covered the size and macro trends driving HIPAA, let’s move on and uncover the unmet need percolating beneath it.


Email marketing in healthcare today

Moderating a panel at HITRUST 2019 Annual Conference. Grapevine, Texas

Many enterprise healthcare organizations take a prohibitive stance on even sending banal email announcements to their customer base.

In effect, email marketing in U.S. healthcare barely exists, even in 2019.

Let’s look at an example that explains why this is so.

Let’s say a division of a large healthcare provider, like the Kaiser Bariatric Center of San Francisco (they are not a Paubox customer, this is merely an example), has a list of 5,000 past, present, and potential patients. To keep top of mind, they want to send an email newsletter to their list, wishing them a happy Thanksgiving.

Somewhere in their byzantine corporate structure, someone in Kaiser’s legal department intervenes and stops the email from being sent.

Their reasoning would be that the “To:” and “From:” fields alone could constitute protected health information (PHI), thereby triggering HIPAA compliance requirements.

They would argue that if the email newsletter can’t be sent in a secure, HIPAA compliant manner, it can’t be sent.

Let’s dive in a bit more to understand why their legal department could take such a stance in this hypothetical example.

Let’s say the beginning of the email would look like this:

From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>
To: Jane Doe <janedoe55@gmail.com>
Subject: Wishing you a Happy Thanksgiving!

Since the sender is coming from the Kaiser Bariatric Center, we can infer a medical condition.

And since the recipient field carries a person’s name and email address (an email address is itself one of the HIPAA identifiers), we can tie that inferred medical condition to an identifiable individual.

It may sound overly conservative. It may even sound absurd. But that’s the state of email marketing and HIPAA compliance today.
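The legal department’s inference can be turned into a mechanical pre-send check. The following is an added example, not Paubox or Project Orca code: it parses the headers of an outbound message and routes it to an encrypted, BAA-covered channel whenever the sender is a condition-revealing mailbox and at least one recipient is an individually identifiable address. The mailbox list, the role-account list and the sample headers are constructed for illustration.

```python
"""Pre-send gate: decide from headers alone whether a mailing is PHI-bearing.

Added example; not Paubox code. Mailbox lists and sample headers are constructed.
"""
from email import policy
from email.parser import HeaderParser

# Assumption (hypothetical): the organization keeps a list of sending mailboxes
# whose name or address reveals a diagnosis, treatment or specialty.
CONDITION_REVEALING_SENDERS = {
    "kp-bariatric-ssf@kp.org",
    "oncology-clinic@example-health.org",
}

# Local parts of role or distribution accounts that do not identify one person.
ROLE_LOCAL_PARTS = {"info", "members", "newsletter", "noreply", "no-reply"}


def _addresses(msg, header):
    """Yield (display_name, addr_spec) for every mailbox in a header.

    policy.default gives AddressHeader objects; .addresses flattens group syntax
    such as "undisclosed-recipients:;" into its (here empty) member list.
    """
    for value in msg.get_all(header, []):
        for a in value.addresses:
            yield a.display_name, a.addr_spec.lower()


def sender_reveals_condition(msg):
    """True if any From: mailbox is on the condition-revealing list."""
    return any(addr in CONDITION_REVEALING_SENDERS
               for _, addr in _addresses(msg, "From"))


def recipient_is_identifiable(msg):
    """True if any To:/Cc: recipient is an individually identifiable address.

    A personal email address is a HIPAA identifier on its own, so the display
    name is not needed; only role/distribution accounts are exempted.
    """
    for _, addr in list(_addresses(msg, "To")) + list(_addresses(msg, "Cc")):
        local = addr.split("@", 1)[0]
        if local not in ROLE_LOCAL_PARTS:
            return True
    return False


def headers_constitute_phi(raw_headers):
    """Apply the post's reasoning: a condition inferred from the sender, tied
    to an identifiable recipient, is PHI before the body is even read."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    return sender_reveals_condition(msg) and recipient_is_identifiable(msg)


def delivery_channel(raw_headers):
    """Routing decision: 'encrypted' when the headers alone are PHI, else 'standard'."""
    return "encrypted" if headers_constitute_phi(raw_headers) else "standard"


# Constructed sample headers (no real messages).
THANKSGIVING_TO_PATIENT = (
    "From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>\n"
    "To: Jane Doe <janedoe55@gmail.com>\n"
    "Subject: Wishing you a Happy Thanksgiving!\n"
)

# Same sender, but no individual recipient is visible in the headers.
THANKSGIVING_TO_LIST = (
    "From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org>\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Wishing you a Happy Thanksgiving!\n"
)

# A sender that reveals nothing about a condition.
GENERIC_NEWSLETTER = (
    "From: Example Health Member Services <members@example-health.org>\n"
    "To: Jane Doe <janedoe55@gmail.com>\n"
    "Subject: Holiday hours\n"
)

if __name__ == "__main__":
    for label, hdrs in [("patient", THANKSGIVING_TO_PATIENT),
                        ("list", THANKSGIVING_TO_LIST),
                        ("generic", GENERIC_NEWSLETTER)]:
        print(f"{label}: {delivery_channel(hdrs)}")
```

The gate is deliberately conservative: it looks only at the envelope-visible headers, because that is exactly the information an ordinary marketing platform (and anyone between it and the recipient) can read without decrypting anything. Anything the gate routes to the encrypted channel still needs a vendor that has signed a BAA and encrypts at rest as well.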

To solve this problem, we have developed Project Orca, powered by the HITRUST CSF certified Paubox Email API.

Project Orca allows healthcare providers to send properly encrypted marketing messages which contain PHI directly into the recipients’ email mailboxes. We sign a business associate agreement (BAA) with our partners, and we encrypt PHI both at rest and in transit. The HIPAA Security Rule treats encryption as an “addressable” implementation specification: a covered entity must either implement it or document why an equivalent alternative is reasonable, so in practice encryption is expected wherever electronic PHI is stored or transmitted.

Read on to learn more about why these features differentiate Project Orca from our competitors’ products.


How to make your email marketing HIPAA compliant

Speaking at a HITRUST Community Extension Program. Tampa, Florida

Sign a business associate agreement with your marketing vendor

As we’ve previously covered, a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance.

At a minimum, there are 10 provisions that must be covered by a BAA.

If you are a covered entity entrusting PHI to a third party like an email marketing vendor, then a BAA is required by law.

Presenting at a HITRUST Community Extension Program. Philadelphia, Pennsylvania

Read more: HIPAA Compliance and Healthcare Email Marketing: What You Need to Know

In the email marketing space, the majority of vendors will not sign a BAA with their customers.

In fact, the following email marketing companies will not sign a BAA:

Of the remaining prominent email marketing vendors, we found four that will sign a BAA: Constant Contact, Infusionsoft, Salesforce Marketing Cloud, and Oracle Eloqua.

More on why these solutions still won’t work for your healthcare marketing needs below.

Encrypt your email

When it comes to HIPAA compliant email, there are two more high-level safeguards the HIPAA Security Rule calls for:

  • Encrypting email at rest
  • Encrypting email in transit

Let’s take a look at why this is important.

In our research, we discovered it pays to read the fine print. Let’s use Constant Contact as an example.

In their HIPAA Knowledge Base, we can see that while the company will sign a BAA, Constant Contact does not allow its customers to actually send PHI via their platform:

[You] Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

In a nutshell, even having a BAA in place with Constant Contact does not allow a healthcare organization to effectively market to its client base.

To the best of our knowledge, the same limitation is true with Infusionsoft and Salesforce Marketing Cloud.

On the other hand, Oracle Eloqua can be used in a HIPAA compliant manner for email marketing and automation. However, it is difficult to use and configure, and, most importantly, it requires recipients to log into a secure portal to read their messages, which decreases open rates.

This is in contrast to Project Orca which will: 1) Sign a BAA; 2) Encrypt email both in transit and at rest; and 3) Allow your patients to read their emails directly from their inbox with no extra steps.


Meeting the growing need of HIPAA compliant email marketing

Presenting to Health Insurance Executives at the Waldorf Astoria Hotel. Chicago, Illinois

Healthcare providers are only now realizing the power and potential of email marketing to their patients and potential patients.

This basic business strategy and key to patient engagement has been missing from many healthcare organizations because of the lack of a real solution – until now.

After twelve months of diligent research and listening to customer feedback, I’m happy to say we intend to fulfill this unmet need in the market with Project Orca. It allows you to segment your patient data and send secure emails to drive more engagement and results, all while staying HIPAA compliant.


Try Paubox Marketing for free and make your email marketing HIPAA compliant today.