
Do you need patient consent to send email marketing with PHI?

Email marketing is a valuable way for healthcare marketers to expand their reach and improve patient satisfaction. 

However, it’s crucial to keep patient privacy top-of-mind. Specifically, healthcare organizations need to understand the HIPAA requirements around email marketing and protected health information (PHI). 

So, what is PHI in the context of email marketing? Keep reading to learn more about how to comply with the guidelines. Plus, find out why a HIPAA compliant email marketing platform is the best way to cover your bases. 


HIPAA requirements for PHI 

Under the HIPAA Security Rule, covered entities are required to put security protocols in place that help prevent unauthorized access to PHI. 

PHI refers to all personally identifiable information that is used during patient care, so the definition goes well beyond medical records. Any type of personal data that is connected to a patient’s health condition is automatically considered PHI. 

This means that when sending marketing emails, something as simple as a patient’s email address can become PHI. 

An example is promoting a specific industry development or treatment to all diabetes patients. While the email itself might appear to be free of patients’ personal information, anyone who obtains the recipient list, such as a cybercriminal, could conclude that every recipient has diabetes. That inference is PHI and is protected by HIPAA. 


Get proper consent from patients

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This is typically only allowed if covered entities receive a patient’s authorization.

Some healthcare marketers mistakenly believe that collecting email addresses on an intake form is sufficient. The truth is, patients must explicitly give permission to receive marketing emails. 

One way to do this is with a permission form. This can request the patient’s signed approval to send them marketing emails and inform them of their right to unsubscribe. Make sure to keep your opt-in and opt-out process as concise and seamless as possible. 

Another best practice is specifying how frequently they can expect to receive emails from your practice. 

Overall, PHI should not be included in marketing emails unless a patient has clearly consented to using their information.    

For example, medical spas and plastic surgery practices often use before-and-after photos to showcase satisfied patients and reach new people. However, they must obtain patients’ permission to incorporate these photos into marketing materials. 


Exceptions to the consent requirements

However, it's worth knowing that there are exceptions to the consent requirements. The emails below must still be HIPAA compliant and are still considered to contain PHI, but they are treated as "opt-out" rather than "opt-in."

  1. Treatment communications: Communications about a patient's treatment, or that recommend alternative treatments, therapies, healthcare providers, or care settings, are not considered marketing under HIPAA. These communications may include information about a new treatment option or a referral to a specialist, and they do not require explicit authorization.

  2. Communications about health-related products or services: Communications about health-related products or services provided by the healthcare organization, or that are included in the patient's treatment plan or benefits, do not require explicit authorization. Examples include a newsletter about managing a specific health condition, or information about services offered by the covered entity.

  3. Case management or care coordination: Communications related to case management or care coordination, or to direct or recommend alternative treatments, healthcare providers, or settings of care, are not considered marketing and do not require explicit pre-send authorization.


Use a HIPAA compliant email marketing platform 

Obtaining proper consent is a smart place to start, but healthcare marketers can go one step further in safeguarding patient data with a HIPAA compliant email marketing platform. 

To accomplish this, any third-party email marketing vendor you work with must sign a business associate agreement (BAA). This written document outlines their responsibilities in securing PHI. 

It’s important to note that many popular platforms, such as MailChimp and HubSpot, will not sign a business associate agreement (BAA). Other companies, like Constant Contact, state they are willing to sign a BAA, but their terms prohibit users from sending PHI through the platform. 

With a HIPAA compliant email marketing platform, healthcare marketers can send highly personalized messages while protecting patient privacy along the way. 



Any type of personal data that is linked to an individual’s health condition is automatically considered PHI. Therefore, healthcare marketers need to be especially mindful of the information they are including in their emails.

By obtaining the necessary permissions and using a HIPAA compliant email marketing platform, healthcare organizations can strengthen their marketing efforts while safeguarding sensitive data. 
