But in order to protect patient data, you need to have patients in the first place. That’s where marketing strategy comes in.
Let’s say you want to start an email newsletter or email marketing campaign to get the word out about your practice and encourage current patients to refer you. Do you have to be HIPAA compliant when it comes to healthcare marketing? And if so, how do you become HIPAA compliant?
Do healthcare marketing emails have to be HIPAA compliant?
Let’s take a look at how the HIPAA Privacy Rule defines marketing. According to the HHS:
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant. Unless a communication falls under one of the exceptions HHS lists, you need to obtain the patient’s authorization before sending it.
So what should you look for to ensure your email marketing follows HIPAA rules? Follow the guidelines below.
1. Make sure your patients authorize receiving email communications, including marketing emails
When patients subscribe to your email list, you need three things in place:
- Written authorization from each patient acknowledging that they will receive emails related to marketing activities
- A reminder of why they opted in to your emails (i.e. baby products or health-related products, news from your practice, refill reminders, a promotional gift or discount coupons, care coordination, etc.)
- The option to unsubscribe at any time
Beyond obtaining authorization, you need to make sure your email marketing service is HIPAA compliant and that you have a HIPAA compliant email provider in place, and healthcare organizations must comply with other regulations that govern marketing communications as well.
2. Make sure your email marketing service is HIPAA compliant
As a healthcare organization, you should have a HIPAA compliant email provider in place anyway. But not every email marketing service is HIPAA compliant.
Why would your email marketing service need to be HIPAA compliant? Because HIPAA requires you to safeguard any PHI you store or transmit, and a patient’s email address is one of HIPAA’s identifiers: a list of patient email addresses held by a covered entity is PHI.
It is your responsibility as a healthcare provider to ensure your patients’ PHI is protected, so make sure any email marketing service you use is willing to sign a Business Associate Agreement (BAA). A signed BAA is necessary but not sufficient: you still have to configure the service securely (access controls, encryption in transit, audit logging). If a service will not sign a BAA, don’t send patient data through it; instead, put a HIPAA compliant email API or relay that will sign a BAA in front of your on-prem or cloud email service.
3. Make sure any marketing emails contain no PHI
Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there is a piece of identifiable patient information (a name, a diagnosis, an appointment date) that you overlooked before you hit send. Bam – that’s a HIPAA violation.
Unless you have individual authorization from a patient to share PHI, don’t do it. And remember, since an email address counts as PHI, make sure your patients cannot see your other patients’ email addresses when you send your healthcare marketing emails: never put the whole list in the To or Cc field. Use Bcc at a minimum, or better, send one individually addressed message per patient.
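One way to enforce the rule above in code, as an added example that is not part of the original article: build one message per subscriber so the only visible recipient is that subscriber, then run a pre-send gate that rejects any message with more than one visible recipient, a leftover Bcc batch, an unrendered template field, or another subscriber’s address in the body. The sender address, unsubscribe URL and subscriber list are constructed for the example.

```python
"""
Added example: per-recipient rendering plus a pre-send leak check for a
healthcare newsletter. Nothing here is from the original article; the
sender, unsubscribe URL and subscriber records are made up for the demo.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@clinic.example"                      # assumed sender
UNSUBSCRIBE_BASE = "https://clinic.example/unsubscribe"   # assumed URL

# Constructed subscriber list: address, why they opted in, and an opaque
# unsubscribe token (the email address itself never goes in the link).
SUBSCRIBERS = [
    {"email": "alice@example.org", "reason": "news from the practice", "token": "t-9f2a"},
    {"email": "bob@example.org",   "reason": "refill reminders",       "token": "t-41c0"},
]

TEMPLATE = """Hello,

You are receiving this because you asked for {reason}.
Our patient portal now offers online appointment booking.

To stop receiving these messages, visit {unsubscribe_url}
"""

# Any "{field}" still in the body means rendering failed or a field was missed.
UNRENDERED_FIELD = re.compile(r"\{[a-z_]+\}")


def build_message(subscriber):
    """One message per subscriber: the only visible recipient is that subscriber."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = subscriber["email"]
    msg["Subject"] = "News from the practice"
    unsub = f"{UNSUBSCRIBE_BASE}?t={subscriber['token']}"
    msg["List-Unsubscribe"] = f"<{unsub}>"   # RFC 2369 header that mail clients honour
    msg.set_content(TEMPLATE.format(reason=subscriber["reason"], unsubscribe_url=unsub))
    return msg


def build_batched_message(subscribers):
    """The mistake section 3 warns about: every patient in one To: header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(s["email"] for s in subscribers)
    msg["Subject"] = "News from the practice"
    msg.set_content(TEMPLATE.format(reason="our newsletter", unsubscribe_url=UNSUBSCRIBE_BASE))
    return msg


def check_message(msg, all_addresses):
    """Pre-send gate. Returns a list of problems; an empty list means it may go out."""
    problems = []
    visible = {addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if len(visible) != 1:
        problems.append(f"expected exactly one visible recipient, found {len(visible)}")
    if msg.get_all("Bcc"):
        problems.append("Bcc present: send one message per recipient instead of a blind batch")
    body = msg.get_content()
    if UNRENDERED_FIELD.search(body):
        problems.append("unrendered template field left in body")
    leaked = sorted(a for a in all_addresses if a not in visible and a in body)
    if leaked:
        problems.append(f"body mentions other subscribers: {leaked}")
    return problems


def prepare_campaign(subscribers):
    """Render and gate every message; returns (ready, rejected) lists of (msg, problems)."""
    addresses = [s["email"] for s in subscribers]
    ready, rejected = [], []
    for s in subscribers:
        msg = build_message(s)
        problems = check_message(msg, addresses)
        (rejected if problems else ready).append((msg, problems))
    return ready, rejected


if __name__ == "__main__":
    ready, rejected = prepare_campaign(SUBSCRIBERS)
    print(f"{len(ready)} messages ready, {len(rejected)} rejected")
    print(check_message(build_batched_message(SUBSCRIBERS), [s["email"] for s in SUBSCRIBERS]))
```

The gate runs before anything touches an SMTP connection, so a batched To: header or a stray address in the body is caught while the fix is still cheap. Hook it into whatever sends the mail and refuse to send a message whose problem list is non-empty.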
When it comes to HIPAA and Healthcare Email Marketing:
- Healthcare marketing emails have to abide by HIPAA regulations
- Obtain patient authorization before sending marketing email communications
- Use HIPAA compliant email marketing services
- Eliminate PHI from any marketing emails