Integrating CAN-SPAM and HIPAA into email marketing

If marketing emails do not involve the use or disclosure of PHI, HIPAA may not be directly applicable. However, organizations should maintain a commitment to patient privacy by complying with both CAN-SPAM and HIPAA. 

What is CAN-SPAM?

The CAN-SPAM Act, officially known as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, is a pivotal United States federal law designed to regulate commercial email and certain text messages. Its primary objective is to combat the proliferation of deceptive and misleading commercial messages, addressing concerns arising from the rapid growth of unwanted spam emails. The Act imposes significant penalties for non-compliance, emphasizing the necessity of businesses respecting consumer preferences and maintaining trust in electronic communications. The provisions include

1. Accurate header information: The sender must not use false or misleading header information, including the "From," "To," "Reply-To," and routing information. These details must accurately identify the sender.
2. Clear subject lines: The email's subject line must accurately reflect the content of the message and not be deceptive.
3. Identification as an advertisement: The message must clearly and conspicuously identify itself as an advertisement. The law provides flexibility in how this can be done, but it must be readily apparent to the recipient.
4. Inclusion of physical address: Commercial messages must include a valid physical postal address for the sender. This helps recipients identify the sender's location.
5. Opt-out mechanism: The message must include a clear and conspicuous explanation of how the recipient can opt out of receiving future commercial messages. This opt-out notice should be easy for an ordinary person to recognize, read, and understand.
6. Prompt honor of opt-out requests: Once a recipient opts out, the sender must honor the request within ten business days. The sender is not allowed to sell or transfer the recipient's email address or contact information, except to service providers helping with CAN-SPAM Act compliance.
7. No requirement for prior consent: Unlike some email marketing laws in other countries, the CAN-SPAM Act does not require businesses to obtain prior consent before sending commercial messages.
8. Prohibition of email address harvesting: Companies are prohibited from using automated means to generate email addresses, such as scanning websites or randomly generating email addresses.

See also: Addressable requirements for email

When does the provision of the CAN-SPAM Act apply to healthcare email?

The provisions of the CAN-SPAM Act apply to healthcare email when the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service related to healthcare. The Act does not specifically exempt healthcare-related messages. Therefore, if a healthcare organization or entity is sending commercial emails to promote healthcare products or services, they must adhere to CAN-SPAM Act requirements.

Understanding opt-in and HIPAA compliant email marketing

While the CAN-SPAM Act sets the general framework for commercial emails, when it comes to healthcare email marketing, HIPAA strongly emphasizes patient consent, defining clear boundaries for what constitutes marketing and outlining specific exceptions to its opt-in requirements.

How HIPAA defines marketing

HIPAA's definition of marketing broadly includes any communication that encourages recipients to purchase or use a product or service. 

The elements of patient consent for email marketing

Successful patient consent for email marketing depends on a well-structured consent form. This form should include several elements that collectively ensure compliance, transparency, and clarity:

• Patient identification: Basic patient details for identification.
• Purpose explanation: Clear explanation of the purpose, i.e., marketing communications.
• Message types: Specification of the types of marketing messages the patient may receive.
• Usage description: A description of how PHI will be used in the marketing context.
• Voluntary nature and revocability: A statement emphasizing that consent is voluntary and can be revoked at any point.
• Opt-out mechanism: Instructions on how patients can opt out of marketing communications.
• Date and expiry: Date of consent issuance and any applicable expiration date.
• Signature: Patient or legal representative signature.

Opt-in exceptions under HIPAA

HIPAA's opt-in exceptions permit covered entities to engage with patients without obtaining direct permission. These allowances are designed to facilitate prompt healthcare information delivery, enhance patient interaction, and optimize operations, all while upholding patient confidentiality. Read the list of exceptions here.

How to ensure compliance with CAN-SPAM and HIPAA

1. Segment email lists: Maintain separate email lists for marketing and healthcare-related communications. Ensure that healthcare-related emails are sent only to individuals with explicit consent or pre-existing relationships with your healthcare organization.
2. Clear consent mechanism: Implement a clear and documented process for obtaining consent from individuals to receive marketing emails. Make sure recipients understand what they are signing up for and have the option to opt out at any time.
3. Accurate sender information: Ensure that all emails, whether for marketing or healthcare purposes, have accurate sender information in compliance with CAN-SPAM. This includes a valid physical postal address and clear identification of the sender.
4. Transparent subject lines: Craft subject lines that accurately reflect the content of the email to comply with CAN-SPAM. Avoid deceptive or misleading subject lines.
5. Clear identification of ads: Clearly and conspicuously identify marketing emails as advertisements to comply with CAN-SPAM. Use a recognizable format or label that distinguishes them from other messages.
6. Minimum necessary standard: HIPAA's "minimum necessary" rule requires organizations to limit the use, disclosure, or request for PHI to the minimum necessary to accomplish the intended purpose. This principle applies to marketing communications as well. Only the necessary information for the marketing purpose should be used or disclosed.
7. Business Associate Agreements: If a third-party service provider is involved in sending marketing emails on behalf of a covered entity (e.g., a marketing agency), a business associate agreement (BAA) may be required under HIPAA. The BAA ensures the third party complies with HIPAA regulations when handling PHI for marketing purposes.

See also: Hard bounces in healthcare email marketing and HIPAA compliance

Penalties for non-compliance with CAN-SPAM

Civil penalties

Civil penalties of up to $46,517 can be imposed for each separate violation of the CAN-SPAM Act. These penalties are per email sent in violation of the Act, and they can add up quickly if a large number of emails are found to be non-compliant.

Criminal penalties

In addition to civil penalties, the CAN-SPAM Act provides for criminal penalties for certain violations. Criminal penalties can include fines and imprisonment for more serious violations. For example, using false information to register for multiple email accounts or domain names, harvesting email addresses, or generating contact information randomly can lead to criminal charges.

Joint liability

The company whose product or service is being promoted and the company that sends the non-compliant email can be held legally responsible for violations. If a business hires a third-party marketing company to send emails on its behalf, both parties could be liable for violations.

Consumer actions

While individuals who receive unwanted commercial spam typically do not have standing to bring a civil suit against a company under the CAN-SPAM Act, some states have enacted laws that allow individuals to take legal action against senders of non-compliant commercial messages.

Pre-emption of state law

The CAN-SPAM Act preempts state laws that expressly regulate the use of electronic mail to send commercial messages. However, state laws that address fraud, deceptive practices, or incomplete message information are not preempted. This means businesses may be subject to federal and state penalties for non-compliance, depending on the specific circumstances.

See also: HIPAA compliant email marketing: What you need to know