by Arianna Etemadieh
HIPAA Compliance and Healthcare Email Marketing: What You Need to Know

If you are a healthcare organization, you are familiar with HIPAA. For every patient you treat, you must abide by HIPAA to protect his or her protected health information (PHI).

But in order to protect patient data, you need to have patients in the first place. That’s where marketing strategies come in.

Let’s say you want to start an email newsletter or email marketing campaign to get the word out about your practice and encourage current patients to refer you. Do you have to be HIPAA compliant when it comes to healthcare marketing purposes? And if so, how do you become HIPAA compliant?

Do healthcare marketing emails have to be HIPAA compliant?

Let’s take a look at how the HIPAA Privacy Rule defines marketing. According to the HHS:

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:

  • A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.

Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant. To ensure compliance, you need to obtain patient authorization before sending healthcare marketing communications.

So what should you look for to ensure your email marketing efforts are following HIPAA rules? Follow these guidelines below.

1. Make sure your patients authorize receiving email communications, including marketing emails

When patients subscribe to your email list, you need to have three things in place:

  1. Written authorization informing your patients that they will receive emails related to marketing activities
  2. A reminder of why they opted in to your emails (i.e. baby products or health-related products, news from your practice, refill reminders, a promotional gift or discount coupons, care coordination, etc.)
  3. The option to unsubscribe at any time

On top of making sure your email marketing service is HIPAA compliant and that you have a HIPAA compliant email provider in place, healthcare organizations need to comply with other regulations for marketing communications too.

2. Make sure your email marketing service is HIPAA compliant

As a healthcare organization, you should have a HIPAA compliant email provider in place anyway. But not every marketing email service is HIPAA compliant.

Take Mailchimp for example. Is Mailchimp HIPAA compliant? In summary, no.

Why would your email marketing service need to be HIPAA compliant? Because HIPAA requires that you store any hosted PHI safely, and an email address can be considered PHI.

It is your responsibility as a healthcare provider to ensure your patients’ PHI is protected, so make sure any marketing email services you use are willing to sign a BAA (Business Associate Agreement). If not, integrate a HIPAA compliant email API to make on-prem or cloud email services HIPAA compliant.

3. Make sure any marketing emails contain no PHI

Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there is a piece of individual patient information that you overlooked before you hit send. Bam – that’s a HIPAA violation.

Unless you have individual authorization from a patient to share PHI, don’t do it. And remember, since an email address can count as PHI, make sure your patients cannot see your other patients’ email addresses when you send your healthcare marketing emails.
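The two points above (one recipient per message so no patient sees another patient’s address, and an unsubscribe option in every message, as required in guideline 1) can be enforced with a pre-send check. The following is an added example, not code from the original article or from any email provider; the subscriber list, sender address and unsubscribe URL are constructed placeholders, and sending is left out so the messages can be inspected.

```python
"""Build one marketing email per subscriber and verify it before sending.

Added example for illustration only. The subscribers, sender and
unsubscribe endpoint below are constructed placeholders, not real data.
"""
import re
from email.message import EmailMessage

# Constructed sample subscriber list (not real patients).
SUBSCRIBERS = [
    {"email": "alice@example.com", "unsubscribe_token": "tok-alice"},
    {"email": "bob@example.com", "unsubscribe_token": "tok-bob"},
]

# Hypothetical sender and unsubscribe endpoint for the practice.
SENDER = "newsletter@clinic.example"
UNSUBSCRIBE_URL = "https://clinic.example/unsubscribe?token={token}"

# Campaign body: no patient-specific information, only practice news,
# the reason the reader opted in, and a way to opt out.
BODY_TEMPLATE = (
    "Hello,\n\nOur practice now offers extended Saturday hours.\n\n"
    "You are receiving this because you opted in to practice news.\n"
    "Unsubscribe at any time: {unsub}\n"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def build_message(subscriber):
    """One message per recipient: a single To: header, no Cc or Bcc."""
    unsub = UNSUBSCRIBE_URL.format(token=subscriber["unsubscribe_token"])
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = subscriber["email"]
    msg["Subject"] = "News from our practice"
    msg["List-Unsubscribe"] = "<" + unsub + ">"
    msg.set_content(BODY_TEMPLATE.format(unsub=unsub))
    return msg


def build_bulk_message(subscribers):
    """The pattern to avoid: every subscriber on one To: line."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(s["email"] for s in subscribers)
    msg["Subject"] = "News from our practice"
    msg.set_content(BODY_TEMPLATE.format(unsub="(missing)"))
    return msg


def check_message(msg, all_addresses):
    """Return a list of problems; an empty list means the message passes."""
    problems = []
    to = msg.get_all("To") or []
    if len(to) != 1 or "," in to[0]:
        problems.append("message must have exactly one recipient")
    if msg.get("Cc") or msg.get("Bcc"):
        problems.append("Cc/Bcc would expose other subscribers")
    if not msg.get("List-Unsubscribe"):
        problems.append("no unsubscribe option")
    # No subscriber address other than the intended recipient may appear
    # anywhere in the serialized headers or body.
    recipient = to[0] if to else None
    for addr in EMAIL_RE.findall(msg.as_string()):
        if addr in all_addresses and addr != recipient:
            problems.append("other subscriber address leaked: " + addr)
    return problems


def prepare_campaign(subscribers):
    """Build every message and check it; returns (messages, problems by recipient)."""
    all_addresses = {s["email"] for s in subscribers}
    messages, problems = [], {}
    for s in subscribers:
        msg = build_message(s)
        found = check_message(msg, all_addresses)
        if found:
            problems[s["email"]] = found
        else:
            messages.append(msg)
    return messages, problems


if __name__ == "__main__":
    ok, bad = prepare_campaign(SUBSCRIBERS)
    print(len(ok), "messages ready to send;", len(bad), "held back")
    print("bulk To: line fails with:", check_message(build_bulk_message(SUBSCRIBERS), {s["email"] for s in SUBSCRIBERS}))
```

Only messages that pass `check_message` are returned for sending; the bulk variant, which puts every subscriber on one To: line, is rejected both for having more than one recipient and for exposing other subscribers’ addresses.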

When it comes to HIPAA and Healthcare Email Marketing:

  • Healthcare marketing emails have to abide by HIPAA regulations
  • Enable patient authorization for marketing email communications
  • Use HIPAA compliant email marketing services
  • Eliminate PHI from any marketing emails

Looking for an email API that can connect with an on-prem solution? Try Paubox API for FREE and make your transactional email HIPAA compliant today.