Talk to sales
Start for free

The HIPAA Security Rule requires covered entities to implement procedures that help prevent the unauthorized access of protected health information (PHI). 

However, there can often be confusion around what exactly constitutes PHI. Are email addresses and names considered PHI too?

Gaining clarity on this topic is particularly critical for healthcare providers looking to engage in email marketing. In order to stay HIPAA compliant, PHI in electronic form (ePHI) must be secured both at rest and in transit. 

Keep reading to learn more about what information is protected under HIPAA. Plus, find out how to add an extra layer of security with a HIPAA compliant email marketing platform.


What information is considered PHI?


PHI is any type of information used to identify a patient during the course of their care.

Therefore, PHI isn’t just limited to medical records. It can actually include data that does not relate to a health condition on its own. Examples include names, email addresses, physical addresses, birthdates, phone numbers, social security numbers, and employment records. 

Essentially, any personal data that is connected to an individual’s health condition automatically becomes PHI. 

This means that a patient’s email address could be considered PHI if it is linked to a health condition or treatment. An example is sending a marketing email promoting a treatment to a set group of individuals who were chosen to receive it based on their medical history. 

There are instances where covered entities may use personal data for communications such as appointment reminders. However, these should include minimal information and leave out details on the appointment purpose. 


Choose a HIPAA compliant email marketing platform  


Any third-party vendor that stores, accesses, or sends PHI is considered a business associate.

In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This written document describes the obligations of the business associate to safeguard PHI.

The truth is, many popular email marketing platforms such as MailChimp and HubSpot will not sign a business associate agreement (BAA). Other companies will state they sign a BAA, but reading the final print will reveal that they are still not a viable option. 

For instance, Constant Contact will sign a BAA. However, the company’s terms and conditions note that users are not permitted to transmit PHI through the platform. (And as discussed, even email addresses become PHI when linked to a health condition.) Similarly, the scope of Salesforce Marketing Cloud’s BAA only covers data at-rest on their platforms. 


Strengthen security with Paubox


The smartest way for covered entities to send secure marketing emails is by using a HIPAA compliant email marketing platform that guarantees encryption on 100% of the emails you send. That’s where Paubox Marketing comes in. 

Prior to its launch, healthcare providers were stuck with generic messaging. This is because it was impossible to personalize email with patient information while complying with HIPAA email rules. 

Unlike standard marketing tools, Paubox Marketing allows you to send secure, targeted emails including PHI to increase patient engagement and build your business—all while remaining HIPAA compliant. Recipients can also conveniently access secure marketing emails directly into their inbox, without having to take any extra steps.

Paubox Marketing is HITRUST CSF certified and free to use for up to 100 contacts. The free plan also includes a business associate agreement for all customers.


Start a 14-day free trial of Paubox Email Suite today