
HIPAA compliant email marketing: What you need to know

Updated 6 March 2020

If you are a healthcare organization, you are familiar with HIPAA and its rules for email. For every patient you treat, you must abide by HIPAA to protect his or her protected health information (PHI).

But in order to protect patient data, you need to have patients in the first place. That’s where a marketing strategy comes in.

Let’s say you want to start an email newsletter to get the word out about your practice and encourage current patients to refer others to it. Does that newsletter have to be HIPAA compliant? And if so, how do you make it compliant?

RELATED: What is HIPAA Compliant Transactional Email?


Do marketing emails have to be HIPAA compliant?


Let's take a look at how the HIPAA Privacy Rule defines marketing. The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains the individual’s written “authorization.” The rule carves a few communications out of that definition, such as refill reminders and messages about the patient's own treatment, but a promotional newsletter to your patient list is marketing.

RELATED: HIPAA Definition of Marketing Explained

Also, the HIPAA Security Rule requires that you store and transmit electronic PHI securely.

Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant.

So how can you ensure your email marketing efforts are following HIPAA rules? Follow these guidelines below.


1. Make sure your email marketing service is HIPAA compliant


As a healthcare organization, you should already have a HIPAA compliant email provider in place to send direct encrypted emails to patients. Marketing emails are subject to the same encryption requirements.

However, you cannot use the standard marketing tools to send emails containing PHI, because they are not HIPAA compliant.

Take Mailchimp for example. Is Mailchimp HIPAA compliant? In short, no. They will not sign a Business Associate Agreement (BAA) with you. In fact, our research has shown that none of the most common marketing vendors will both sign a BAA and allow you to send email containing PHI via their platform.

As another example, although Campaign Monitor will sign a BAA, they will not let you use their service to send email containing PHI.

That's why we created Paubox Marketing, our HITRUST CSF certified email marketing solution. Paubox Marketing allows recipients to view marketing emails like regular emails, without relying on outdated portal notifications that are a poor experience for the recipient.

You can use it to segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant.


2. Make sure your patients authorize receiving email communications, including marketing emails


When patients subscribe to your email list, you need to do three things:
  1. Obtain written authorization from your patients that informs them they will be receiving emails related to marketing activities
  2. Remind them why they opted in to your emails (i.e. news from your practice, refill reminders, promotional gifts or discount coupons, care coordination, etc.)
  3. Include the option to unsubscribe at any time

On top of making sure your email marketing service is HIPAA compliant, healthcare organizations need to comply with other regulations for marketing communications too, such as the CAN-SPAM Act's requirements for commercial email in the US.


3. Only use an off the shelf marketing service to send marketing emails without PHI


If you choose a standard marketing vendor, make sure you only send the most generic email blasts, which contain no PHI. Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there was a piece of individual patient information that you overlooked before you hit send. That's a HIPAA violation.

The annual cap for violations of a single HIPAA provision is $1.5 million. Individual violations carry civil penalties ranging from $100 to $50,000 each, depending on the level of culpability.
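One way to catch that overlooked field before you hit send is a pre-send guard that treats a campaign as a template with {{placeholder}} merge fields plus one row of merge values per recipient, and refuses to hand it to a non-BAA vendor unless every placeholder and every recipient column is on an explicit allowlist. The code below is an added example, not Paubox's code; the allowlist, the placeholder syntax and the sample recipients are all constructed assumptions for the illustration. The row check matters as much as the template check: an export from the practice system that carries a diagnosis column discloses that column to the vendor at upload time, even if the template never references it.

```python
"""Pre-send guard for bulk marketing email that must not carry PHI.

Added example, not code from Paubox or any vendor. A campaign is a template
with {{placeholder}} merge fields plus one dict of merge values per recipient.
It is refused unless:
  1. every placeholder in the template is on an explicit allowlist, and
  2. every recipient row contains only allowlisted columns.
All field names and sample data below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Assumed placeholder syntax: {{field_name}}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Assumption: these are the only per-recipient values the practice has decided
# are acceptable in a generic blast sent through a vendor without a BAA.
SAFE_MERGE_FIELDS = frozenset({"first_name", "practice_name", "unsubscribe_url"})


@dataclass(frozen=True)
class Campaign:
    template: str
    recipients: list  # one dict of merge values per recipient


def placeholders(template: str) -> set:
    """Return the set of merge-field names the template references."""
    return set(PLACEHOLDER.findall(template))


def check_campaign(campaign: Campaign, allowed=SAFE_MERGE_FIELDS) -> list:
    """Return human-readable problems; an empty list means safe to send."""
    problems = []
    for name in sorted(placeholders(campaign.template) - allowed):
        problems.append(f"template references non-allowlisted field '{name}'")
    for i, row in enumerate(campaign.recipients):
        extra = set(row) - allowed
        if extra:
            problems.append(
                f"recipient {i} carries non-allowlisted columns {sorted(extra)}"
            )
    return problems


def render(campaign: Campaign) -> list:
    """Render one message per recipient, but only after the guard passes."""
    problems = check_campaign(campaign)
    if problems:
        raise ValueError("refusing to send: " + "; ".join(problems))

    def fill(row):
        return PLACEHOLDER.sub(lambda m: row.get(m.group(1), ""), campaign.template)

    return [fill(row) for row in campaign.recipients]


# Constructed sample data: a generic blast with only allowlisted fields.
GENERIC = Campaign(
    template="Hi {{first_name}}, {{practice_name}} now offers Saturday hours. "
             "Unsubscribe: {{unsubscribe_url}}",
    recipients=[
        {"first_name": "Ana", "practice_name": "Elm Street Dental",
         "unsubscribe_url": "https://example.invalid/u/1"},
    ],
)

# Same template, but the export brought a diagnosis column along.
LEAKY_ROWS = Campaign(
    template=GENERIC.template,
    recipients=[dict(GENERIC.recipients[0], diagnosis="type 2 diabetes")],
)

# A template that was personalized one step too far.
LEAKY_TEMPLATE = Campaign(
    template="Hi {{first_name}}, it has been a year since your {{last_procedure}}.",
    recipients=[{"first_name": "Ana", "last_procedure": "root canal"}],
)

if __name__ == "__main__":
    print(render(GENERIC))
    for bad in (LEAKY_ROWS, LEAKY_TEMPLATE):
        print(check_campaign(bad))
```

Run the guard against the exact recipient file you are about to upload, not against a cleaned copy; the point is to stop the upload, since the disclosure to a non-BAA vendor happens at that step rather than when the messages go out.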

RELATED: How to Undo A Sent Email in Microsoft 365 (With Pictures)

It might be better to err on the safe side and sign up for Paubox Marketing, which covers all your bases.


4. If you send PHI in marketing emails, use Paubox Marketing


There are some very valid reasons to send PHI in an email marketing campaign, especially when it is focused on the patient journey and on increasing a patient's engagement in his or her treatment. Adding personalization can also grow your business.

Individualized messages perform up to three times better than generic blast emails. If you tailor your email to a specific patient, you can obtain 5 to 8 times more return on investment for your marketing spend, and you can increase sales by over 10%.

Paubox Marketing is the most powerful email marketing tool on the market for healthcare providers. You can use it to send email including PHI, segment recipients by any characteristic of your choosing, and send targeted emails with messages tailored to a particular patient.

Really, the sky's the limit on uses for personalized email marketing in healthcare.


When it comes to HIPAA and healthcare email marketing:


  • Healthcare marketing emails have to abide by HIPAA regulations
  • Patients must authorize marketing email communications
  • Use Paubox Marketing to send personalized marketing emails including PHI - or better yet, cover your bases and use it for all marketing emails


Although you might see HIPAA as a roadblock to implementing an email marketing strategy, it doesn’t have to be.


Try Paubox Marketing for free and make your email marketing HIPAA compliant today.
