HIPAA compliant email marketing campaigns explained
by Hoala Greevy Founder CEO of Paubox
Since many people don’t answer calls from an unrecognized number, how do healthcare marketing managers fulfill patient communication requirements?
To meet this need there is an emerging trend in US healthcare: HIPAA compliant email marketing campaigns.
To get on the same page, we’ll cover some general terms first, and then we’ll segue to the heart of the post: why you should use Paubox’s HIPAA compliant email marketing solution, Paubox Marketing, to grow your healthcare business.
Table of contents:
- A refresher on HIPAA compliance
- HIPAA compliant email and encryption
- What makes an email marketing campaign HIPAA compliant?
- When does an email newsletter have to be HIPAA compliant?
- HIPAA compliant email marketing uses
- HIPAA compliant marketing providers
A refresher on HIPAA compliance
The term HIPAA compliance can be thought of in three parts which work together:
- HIPAA privacy rule
- HIPAA security rule
- Business associate agreement
The HIPAA privacy rule created a set of national standards to safeguard Americans’ health information. HIPAA regulations around marketing are defined within the privacy rule. We explain HIPAA’s definition of marketing in detail in this post.
In short, the privacy rule allows a covered entity to disclose protected health information (PHI) to a business associate if the business associate uses the PHI only within the scope of its engagement with the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a BAA.
In a nutshell, if you are using a third party (i.e. a business associate) to transmit or host PHI, they are required by law to sign a BAA with you.
HIPAA compliant email and encryption
When it comes to email, both covered entities and business associates are required by law to take reasonable steps to protect PHI both while it is transmitted and while it is stored. These two requirements are known as encryption in transit and encryption at rest.
An important fact to know is that once an email reaches the recipient, the sender’s obligation ends and it becomes the recipient’s job to secure any PHI in their inbox.
What makes an email marketing campaign HIPAA compliant?
In order to send HIPAA compliant email newsletters, healthcare providers must:
- Sign a BAA with their marketing vendor
- Properly safeguard all data stored at-rest, as it invariably will contain PHI
- Use a marketing solution that is capable of sending HIPAA compliant email
The most common email marketing tools do not cover these bases. For example, Mailchimp, one of the most popular email marketing tools, will not sign a BAA. And although Campaign Monitor will sign a BAA, it will not let you use the service to send email containing PHI.
In fact, of the 17 email marketing vendors we looked at, only one of them would both sign a BAA and allow customers to actually send HIPAA compliant email marketing. However, the vendor still requires recipients to log into a portal to view their emails (which adds a ton of friction).
To meet this market need, we have developed Paubox Marketing, our HITRUST CSF certified email marketing solution.
To our knowledge, Paubox Marketing is the only solution on the market that allows healthcare providers to send properly encrypted marketing messages which contain PHI like regular emails – with no extra steps for the recipient.
When does an email newsletter have to be HIPAA compliant?
Healthcare organizations have been sending email newsletters for years.
However, standard marketing tools only allow healthcare providers to send generic communications and mass blasts that contain no personally identifiable information, so these messages cannot be targeted to individuals.
You cannot use off-the-shelf products to deliver personalized emails with information specific to your patients’ treatment or health goals, which makes your marketing emails less effective.
In contrast, Paubox Marketing allows you to segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant. What’s more, patients view marketing emails like regular emails without relying on outdated portal notifications which are terrible for the recipient.
HIPAA compliant email marketing uses
HIPAA compliant email marketing can be used to achieve population health objectives.
For example, digital marketing managers can use Paubox Marketing to:
- Email current patients for the purpose of maintaining their health and reminding them of recommended screenings
- Reach out to the general population to mitigate health risks, such as a stroke or diabetes, and encourage people to come to their practice for treatment
Healthcare providers can also use email for secure patient outreach. Some organizations are contractually obligated to provide outreach to their patients, and a HIPAA compliant email newsletter is a viable tool for this.
HIPAA compliant marketing providers
Over the past 12 months, we’ve thoroughly researched the HIPAA compliant email marketing landscape.
In summary, the ample opportunity we see in this space led us to launch our own HIPAA compliant email solution, Paubox Marketing, which allows you to segment and send secure emails using your patient data to drive more engagement and results, all while staying HIPAA compliant.