HIPAA Compliance and Healthcare Email Marketing: What You Need to Know

by Arianna Etemadieh


Updated November 26, 2019

If you are a healthcare organization, you are familiar with HIPAA. For every patient you treat, you must abide by HIPAA to protect his or her protected health information (PHI).

But in order to protect patient data, you need to have patients in the first place. That’s where a marketing strategy comes in.

Let’s say you want to start an email newsletter or email marketing campaign to get the word out about your practice and encourage current patients to refer you. Do you have to be HIPAA compliant when it comes to healthcare marketing purposes? And if so, how do you become HIPAA compliant?


Do healthcare marketing emails have to be HIPAA compliant?

Let’s take a look at how the HIPAA Privacy Rule defines marketing. According to the HHS:

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:

  • A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.

Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant. To ensure compliance, you need to obtain patient authorization before sending healthcare marketing communications.

So what should you look for to ensure your email marketing efforts are following HIPAA rules? Follow these guidelines below.

1. Make sure your patients authorize receiving email communications, including marketing emails

When patients subscribe to your email list, you need to have three things in place:

  1. Written authorization informing your patients that they will be receiving emails related to marketing activities
  2. A reminder of why they opted in for your emails (i.e. baby products or health-related products, news from your practice, refill reminders, a promotional gift or discount coupons, care coordination, etc.)
  3. The option to unsubscribe at any time

On top of making sure your email marketing service is HIPAA compliant and that you have a HIPAA compliant email provider in place, healthcare organizations need to comply with other regulations for marketing communications too.

2. Make sure your email marketing service is HIPAA compliant

As a healthcare organization, you should have a HIPAA compliant email provider in place anyway. But not every marketing email service is HIPAA compliant.

Take Mailchimp for example. Is Mailchimp HIPAA compliant? In summary, no.

Why would your email marketing service need to be HIPAA compliant? Because HIPAA requires that you store any hosted PHI safely, and an email address can be considered PHI.

It is your responsibility as a healthcare provider to ensure your patients’ PHI is protected, so make sure any marketing email service you use is willing to sign a BAA (Business Associate Agreement). If not, integrate a HIPAA compliant email API to make on-prem or cloud email services HIPAA compliant.

3. Make sure any general marketing emails contain no PHI

Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there is a piece of individual patient information that you overlooked before you hit send. Bam – that’s a HIPAA violation.


Unless you have individual authorization from a patient to share PHI, don’t do it. And remember, since an email address can count as PHI, make sure your patients cannot see your other patients’ email addresses when you send your healthcare marketing emails.

4. If you are sending PHI in a marketing email, then use a secure email marketing solution

There are some very valid reasons to send PHI in an email marketing campaign, especially if the campaign is built around the patient’s journey and focused on having the patient be more engaged in his or her treatment.

The first key is to be sure you are segmenting your list correctly, so that a personalization mistake does not send one patient’s details to another.

But just as important is that the email you send is secure and HIPAA compliant.
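The two failure modes described in guidelines 3 and 4 (other patients’ addresses visible in a blast, and a personalization step that leaves the wrong details in a message) can be caught before anything is sent. The pre-send audit below is an added example, not code from this article or from Project Orca; the message layout, the merge-tag syntaxes and the PHI heuristics are assumptions, and the sample batch is constructed.

```python
import re
from typing import Dict, List

# Heuristic markers of individual patient data that has no place in a general
# marketing blast. Illustrative patterns, not an exhaustive PHI detector.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[^\n]{0,20}\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
}
# Unrendered placeholders such as {{first_name}} or *|FNAME|* mean the
# personalization step failed, so segment data may be mismatched to recipients.
MERGE_TAG = re.compile(r"\{\{[^}]+\}\}|\*\|[^|]+\|\*")

def audit_message(msg: Dict) -> List[str]:
    """Return findings for one outgoing message; an empty list means it is clean."""
    findings = []
    visible = list(msg.get("to", [])) + list(msg.get("cc", []))
    # Every address in To/Cc is disclosed to every recipient. One patient per
    # message keeps email addresses (themselves PHI) from leaking across patients.
    if len(visible) != 1:
        findings.append(f"recipient-exposure: {len(visible)} visible recipients")
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if MERGE_TAG.search(text):
        findings.append("unrendered-merge-field")
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            findings.append(f"phi-pattern: {name}")
    return findings

def audit_campaign(messages: List[Dict]) -> Dict[int, List[str]]:
    """Audit a batch; returns {message index: findings} for failing messages only."""
    report = {}
    for i, msg in enumerate(messages):
        problems = audit_message(msg)
        if problems:
            report[i] = problems
    return report

# Constructed sample batch (no real patients): message 0 is clean, message 1
# exposes the whole list in To, message 2 has a leftover merge tag and an MRN.
SAMPLE_CAMPAIGN = [
    {"to": ["a@example.com"], "subject": "Flu shots available", "body": "Walk-ins welcome this week."},
    {"to": ["a@example.com", "b@example.com", "c@example.com"], "subject": "Flu shots available", "body": "Walk-ins welcome."},
    {"to": ["c@example.com"], "subject": "Hi {{first_name}}", "body": "Your MRN: 123456 record is ready."},
]

if __name__ == "__main__":
    for idx, problems in audit_campaign(SAMPLE_CAMPAIGN).items():
        print(f"message {idx}: {problems}")
```

Run the audit as a gate in the send pipeline: a non-empty report should block the batch rather than just log it.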

There are very few email marketing solutions out there that will sign a BAA and also have a seamless recipient experience to view secure emails.

That’s why we’re introducing our own solution Project Orca, powered by our HITRUST CSF certified Secure Email API.

When it comes to HIPAA and healthcare email marketing:

  • Healthcare marketing emails have to abide by HIPAA regulations
  • Enable patient authorization for marketing email communications
  • Eliminate PHI from any general marketing emails – unless you are using a HIPAA compliant email marketing service such as Project Orca

Try Project Orca for free and make your email marketing HIPAA compliant today.