Paubox blog: HIPAA compliant email made easy

Demystifying PHI for healthcare marketers

Written by Anne-Marie Sullivan | November 30, 2022

Demystifying PHI for healthcare marketers is key to sending impactful email marketing while remaining HIPAA compliant. PHI is protected health information. When in electronic form, it’s often referred to as ePHI.

PHI is the personal and private patient information entrusted to the organizations that care for those patients. Leaked ePHI can be devastating for the people it describes.

As a marketing professional, it is vital to honor the personal nature of this data. Protecting PHI while still communicating information of value is central to good healthcare marketing.

Learn how to keep PHI safe while also reaching out to your patients with personalized HIPAA compliant email marketing here.


What is PHI exactly? 

PHI is individually identifiable health information, held or transmitted by a covered entity or its business associate in any form, that relates to:

  • An individual’s past, present or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present or future payment for the provision of healthcare to the individual



Demystifying PHI for healthcare marketers

Sensitive patient information getting into the wrong hands is a gross breach of trust and can devastate the people whose information is leaked. That is where HIPAA comes in. The law is designed to safeguard the public from harms such as blackmail, fraud, reputational damage and the psychological harm of having one’s privacy violated.


How can I tell what information is PHI? 

In a nutshell, PHI is health, treatment or payment information that is, or can be, tied to a specific person. HHS’s Safe Harbor de-identification method (45 CFR 164.514(b)) lists 18 identifiers that must be removed before health information stops being PHI; the presence of any one of them alongside health information is what makes a record identifiable.


The 18 unique identifiers of PHI

  1. Names
  2. Social Security numbers
  3. Vehicle identifiers and serial numbers, including license plate numbers
  4. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), with a narrow exception for the first three digits of a ZIP code
  5. Medical record numbers
  6. Device identifiers and serial numbers
  7. Email addresses
  8. Health plan beneficiary numbers
  9. Web URLs
  10. Telephone numbers
  11. Account numbers
  12. IP addresses
  13. Fax numbers
  14. Certificate/license numbers
  15. Biometric identifiers, including finger and voice prints
  16. Full-face photographs and any comparable images
  17. All elements of dates (except year) directly related to an individual, including birth, admission, discharge and death dates, and all ages over 89 (which may only be kept as a single “90 or older” category)
  18. Any other unique identifying number, characteristic or code

Can you see why a marketing professional would steer clear of personalized email messages?

The U.S. Department of Health and Human Services’ (HHS) Security Rule stipulates “appropriate administrative, technical and physical safeguards” must be in place to ensure “the confidentiality, integrity and availability of” ePHI. 


Can being a member of an email marketing list be considered a unique identifier?

Yes. An email address is itself one of the 18 identifiers, and a segmented list ties that address to the condition the email is about, which is health information. The pairing is PHI: anyone who sees the recipient list, or a message and its subject line, learns that the recipient has that condition. Even without the address, membership in a condition-specific segment is “any other characteristic that can uniquely identify an individual.”


Can I send PHI in my current email marketing software?

To date, most email marketing products are not built to carry PHI: they will not sign a BAA, and they do not guarantee that a message is encrypted on every hop between their servers and the recipient’s mailbox. If a receiving mail server does not support TLS, the message is delivered in plain text and can be read by anyone able to observe that traffic. The Security Rule’s transmission security standard (45 CFR 164.312(e)) requires guarding against unauthorized access to ePHI sent over an electronic network; for email, encrypting the message in transit is the practical way to meet it.

Once a message has been delivered to a patient’s own inbox, securing it is the patient’s responsibility; the sender is not responsible for PHI sitting in the recipient’s mailbox. This is important to note, but it covers only the mailbox, not the journey to it.


How to send healthcare marketing newsletters

A great way to help patients improve their health through better treatment compliance is by sending email newsletters with advice, treatment options and encouragement for their specific condition. There are two ways to do this.

  1. Send it to your entire patient list, so that receiving the newsletter reveals nothing about any one recipient’s condition, or 
  2. Use a HIPAA compliant email solution, like Paubox Marketing, that ensures segmented newsletters are HIPAA compliant and secure.

You must have a business associate agreement (BAA) with any vendor that has access to your patients’ personal information, and that includes email marketing providers. 

A BAA is a signed contract in which the business associate takes on responsibility for safeguarding the PHI it handles, describes how it will do so, and sets out the steps it will take if a breach occurs.


Why email in healthcare is powerful 

Imagine the power of easily connecting with individuals and groups through email containing protected health information. This approach is a tremendous improvement for healthcare providers and a powerful asset for under-resourced employees. In the past, healthcare was at a considerable disadvantage because solutions that addressed issues of HIPAA compliance and security in email communication were either non-existent or provided a woefully inadequate user experience. 

Finally, new technology has opened the door for frictionless email communications that are HIPAA compliant, provide maximum security and are HITRUST CSF certified.