Paubox blog: HIPAA compliant email made easy

HIPAA compliant email marketing campaigns explained

Written by Hoala Greevy | December 10, 2019

With Americans receiving an average of 2,000 robocalls per second, healthcare organizations face new headwinds around secure patient outreach. Since many people don't answer calls from an unrecognized number, how do healthcare marketing managers fulfill patient communication requirements?

To meet this need, an emerging trend in US healthcare is HIPAA compliant email marketing campaigns. To get on the same page, we'll cover some general terms first and then segue to the heart of the post: why you should use Paubox's HIPAA compliant email marketing solution, Paubox Marketing, to grow your healthcare business.

A refresher on HIPAA compliance

The term HIPAA compliance can be thought of in three parts that work together:

  • HIPAA privacy rule
  • HIPAA security rule
  • Business associate agreement

The HIPAA privacy rule created a set of national standards to safeguard Americans' health information. HIPAA regulations around marketing are defined within the privacy rule. We explain HIPAA's definition of marketing in detail in this post.

In short, the privacy rule allows a covered entity to disclose protected health information (PHI) to a business associate if the business associate uses the PHI only within the scope of its engagement with the covered entity.

The HIPAA security rule sets out what protections must be in place to defend electronic PHI (ePHI), which is protected health information stored or transmitted electronically.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate, and it is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a BAA. In a nutshell, if you are using a third party (i.e., a business associate) to transmit or host PHI, they are required by law to sign a BAA with you.

HIPAA compliant email and encryption

When it comes to email, both covered entities and business associates are required by law to take reasonable steps to protect PHI while it is transmitted and while it is stored. The corresponding safeguards are known as encryption in transit and encryption at rest.

An important fact to know is that once an email reaches the recipient, the sender's obligation ends and it becomes the recipient's job to secure any PHI in his or her inbox.

What makes an email marketing campaign HIPAA compliant?

In order to send HIPAA compliant email newsletters, healthcare providers must:

  • Sign a BAA with their marketing vendor
  • Properly safeguard all data stored at rest, as it invariably will contain PHI
  • Use a marketing solution that is capable of sending HIPAA compliant email

The most common email marketing tools do not cover these bases. For example, Mailchimp, one of the most popular email marketing tools, will not sign a BAA. And although Campaign Monitor will sign a BAA, it will not let you use the service to send email containing PHI.

In fact, of the 17 email marketing vendors we looked at, only one of them would both sign a BAA and allow customers to actually send HIPAA compliant email marketing. However, the vendor still requires recipients to log into a portal to view their emails (which adds a ton of friction).

To meet this market need, we have developed Paubox Marketing, our HITRUST CSF certified email marketing solution.

To our knowledge, Paubox Marketing is the only solution on the market that allows healthcare providers to send properly encrypted marketing messages containing PHI like regular emails, with no extra steps for the recipient.

When does an email newsletter have to be HIPAA compliant?

Healthcare organizations have been sending email newsletters for years. However, the standard marketing tools only allow healthcare providers to send generic communications and massive blasts that contain no personally identifiable information, and therefore cannot be targeted to individuals.

You cannot use off-the-shelf products to deliver personalized emails with information specific to your patients' treatment or health goals. This makes your marketing emails less effective.

In contrast, Paubox Marketing allows you to segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant.

What's more, patients view marketing emails like regular emails, without relying on outdated portal notifications, which are terrible for the recipient.

HIPAA compliant email marketing uses

HIPAA compliant email marketing can be used to achieve population health objectives. For example, digital marketing managers can use Paubox Marketing to:

  • Email current patients for the purpose of maintaining their health and reminding them of recommended screenings
  • Reach out to the general population to mitigate health risks, such as stroke or diabetes, and encourage people to come to their practice for treatment

In addition, healthcare providers can use email for secure patient outreach. Some organizations are contractually obligated to provide outreach to their patients, and a HIPAA compliant email newsletter is a viable tool for this.

HIPAA compliant marketing providers

Over the past 12 months, we've thoroughly researched the HIPAA compliant email marketing landscape. In summary, the ample opportunity we see in this space led us to launch our own HIPAA compliant email solution, Paubox Marketing, which allows you to segment and send secure emails using your patient data to drive more engagement and results, all while staying HIPAA compliant.

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.