As we've previously covered, protected health information (PHI) according to HIPAA regulations is any identifiable health information that a covered entity or a business associate uses, maintains, stores, or transmits as a part of healthcare services. But we've been asked by our customers—what exactly constitutes PHI? What about just names and email addresses? Are they considered PHI too? This question is especially relevant for healthcare providers interested in email marketing, since in order to maintain HIPAA compliance, PHI in electronic form ( ePHI) must be stored not only at-rest on a secure platform, but also in-transit. Most mainstream email marketing solutions do not provide this level of security, but Paubox Marketing does.
So...is a name considered PHI?Protected health information is any piece of information in someone's medical record that can identify the person. It ties a medical condition to an individual. The HIPAA Security Rule stipulates that covered entities and their business associates must implement appropriate technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. PHI includes information which is not by itself related to a health condition, such as:
- Email address
- Phone number
- Physical address
- Social security number
- License numbers
- Demographic information
- Education records
- Employment records
- Full face photographic images
Any personal detail linked to someone's health condition automatically becomes PHI. For example, patient name or email alone can be considered PHI if it is in any way associated with a health condition or treatment—such as in a marketing email coming from your practice advertising a specific treatment to a group of individuals who were selected to receive the email based on their medical history. As a note, there are times where some personal detail may be used by covered entities in the course of healthcare operations, such as appointment reminders. But even then, it should be the minimum necessary information, such as name and address (either physical or email) of the recipient, with no detail as to what the appointment is for.
Storing PHI with business associates
Cloud storage services qualify as business associates even if the organization never accesses or views the PHI that they store. This is important to consider when choosing a vendor for your HIPAA compliant email marketing needs. In fact, most mainstream email marketing solutions will not sign a business associate agreement (BAA), which is a nonstarter for healthcare providers. This includes such well known platforms such as MailChimp, HubSpot, and Salesforce Pardot, among many others. Although a few companies will sign a BAA, if you read the fine print, you will find that they are not safe options for covered entities either. For example, while Constant Contact will sign a BAA, its terms and conditions specify that users are not allowed to transmit PHI via the platform. And as we've learned, even names or email addresses become PHI when coupled with a health condition. Covered entities must take reasonable steps to protect PHI sent via email all the way to the recipient’s inbox. In the case of Infusionsoft and Salesforce Marketing Cloud, the scope of their BAA's protect and encrypt data only at-rest on their platforms. In other words, any email sent from Infusionsoft’s or Salesforce Marketing Cloud’s platform is not covered by a BAA. All these restrictions make it difficult for covered entities to do even the most basic email marketing to help drive revenue for their practice. Segmentation and personalization will become critical as value-based care and digital transformation becomes more widely adopted. For more details on which platforms are safe and effective for healthcare providers to use, we have analyzed the HIPAA compliance of the top 20 email marketing tools here.
Why you should choose Paubox Marketing
Paubox Marketing lets recipients view healthcare marketing emails like regular emails without relying on out-dated portal notifications which are terrible for the recipient. It allows you to send secure, personalized email including PHI to increase engagement and build your business while remaining HIPAA compliant.
Paubox Marketing is the only HIPAA compliant email marketing solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include PHI in your marketing emails
- Allow patients to read your emails directly from their inboxes with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing. Although you might see storing and sending PHI electronically as a roadblock to implementing an email marketing strategy, it doesn’t have to be.