HIPAA Compliance and Healthcare Email Marketing: What You Need to Know
by Arianna Etemadieh
Updated November 26, 2019
But in order to protect patient data, you need to have patients in the first place. That’s where marketing strategies come in.
Let’s say you want to start an email newsletter or email marketing campaign to get the word out about your practice and encourage current patients to refer you. Do you have to be HIPAA compliant when it comes to healthcare marketing purposes? And if so, how do you become HIPAA compliant?
Do healthcare marketing emails have to be HIPAA compliant?
Let’s take a look at how the HIPAA Privacy Rule defines marketing. According to the HHS:
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant. To ensure compliance, you need to obtain patient authorization before sending healthcare marketing communications.
So what should you look for to ensure your email marketing efforts are following HIPAA rules? Follow these guidelines below.
1. Make sure your patients authorize receiving email communications, including marketing emails
When patients subscribe to your email list, you need three things in place:
- Written authorization that informs your patients they will be receiving emails related to marketing activities
- A reminder of why they opted in for your emails (e.g. baby products or health-related products, news from your practice, refill reminders, a promotional gift or discount coupons, care coordination, etc.)
- The option to unsubscribe at any time
On top of making sure your email marketing service is HIPAA compliant and that you have a HIPAA compliant email provider in place, healthcare organizations need to comply with other regulations for marketing communications too.
2. Make sure your email marketing service is HIPAA compliant
As a healthcare organization, you should have a HIPAA compliant email provider in place anyway. But not every marketing email service is HIPAA compliant.
Why would your email marketing service need to be HIPAA compliant? Because HIPAA requires that you store any hosted PHI safely, and an email address can be considered PHI.
It is your responsibility as a healthcare provider to ensure your patients’ PHI is protected, so make sure any marketing email services you use are willing to sign a BAA (Business Associate Agreement). If not, integrate a HIPAA compliant email API to make on-prem or cloud email services HIPAA compliant.
3. Make sure any general marketing emails contain no PHI
Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there is a piece of individual patient information that you overlooked before you hit send. Bam – that’s a HIPAA violation.
Unless you have individual authorization from a patient to share PHI, don’t do it. And remember, since an email address can count as PHI, make sure your patients cannot see your other patients’ email addresses when you send your healthcare marketing emails.
4. If you are sending PHI in a marketing email, then use a secure email marketing solution
There are some very valid reasons to send PHI in an email marketing campaign, especially one built around the patient’s journey and aimed at getting the patient more engaged in his or her treatment.
The first key is to be sure you are segmenting your list correctly to avoid any mistakes in the personalization of any emails you send.
But just as important is that the email you send is secure and HIPAA compliant.
There are very few email marketing solutions out there that will sign a BAA and also have a seamless recipient experience to view secure emails.
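A pre-send gate for the points made in sections 3 and 4, written here as an added Python example (it is not code from this article or from any product it mentions): it renders one message per authorized patient so no recipient ever sees another patient’s address, and it refuses a template whose placeholders would pull PHI fields such as a diagnosis into a general marketing email. The allow-list, field names and sample recipients are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Template fields permitted in a general (non-authorized) marketing email.
# Anything else, such as a diagnosis or medication, is PHI and is blocked.
ALLOWED_FIELDS = {"first_name", "practice_name", "unsubscribe_url"}
PLACEHOLDER = re.compile(r"\{(\w+)\}")

def disallowed_fields(template):
    """Return template placeholders that would pull PHI into the message."""
    return sorted(set(PLACEHOLDER.findall(template)) - ALLOWED_FIELDS)

def build_messages(template, subject, sender, practice_name, recipients):
    """Render one message per authorized recipient.

    Each patient gets an individual message with only their own address in
    To, so no patient sees another patient's email address (itself PHI).
    """
    bad = disallowed_fields(template)
    if bad:
        raise ValueError(f"template references PHI fields: {bad}")
    messages = []
    for r in recipients:
        if not r["marketing_authorized"]:  # no authorization, no marketing mail
            continue
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = r["email"]  # exactly one address; never a shared To/Cc list
        msg["Subject"] = subject
        msg.set_content(template.format(practice_name=practice_name, **r))
        messages.append(msg)
    return messages

def recipients_isolated(messages):
    """True if every message carries exactly one To address and no Cc/Bcc."""
    return all(len(getaddresses(m.get_all("To", []))) == 1
               and m.get("Cc") is None and m.get("Bcc") is None
               for m in messages)

# Constructed sample segment; not real patient data.
SAMPLE_RECIPIENTS = [
    {"email": "pat@example.com", "first_name": "Pat", "diagnosis": "type 2 diabetes",
     "unsubscribe_url": "https://example.com/u/1", "marketing_authorized": True},
    {"email": "sam@example.com", "first_name": "Sam", "diagnosis": "asthma",
     "unsubscribe_url": "https://example.com/u/2", "marketing_authorized": False},
]
SAFE_TEMPLATE = ("Hi {first_name}, {practice_name} now offers evening hours.\n"
                 "Unsubscribe at any time: {unsubscribe_url}")
```

A template that personalizes on a clinical field (for example `{diagnosis}`) is rejected before any message is rendered, and the unauthorized recipient is never addressed at all.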
That’s why we’re introducing our own solution Project Orca, powered by our HITRUST CSF certified Secure Email API.
When it comes to HIPAA and healthcare email marketing:
- Healthcare marketing emails have to abide by HIPAA regulations
- Enable patient authorization for marketing email communications
- Eliminate PHI from any general marketing emails – unless you are using a HIPAA compliant email marketing service such as Project Orca