
What is the CAN-SPAM Act and how does it impact healthcare email?

In 2003, Congress enacted the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act). CAN-SPAM sets a national standard for commercial email, including the unsolicited and unwanted junk email we know more commonly as spam, though the act's reach does not stop at spam.

LEARN MORE: How to get less spam in your email

How does the CAN-SPAM Act affect healthcare email, and what should healthcare professionals know? First and foremost, when used correctly, email can help practitioners reach more patients and promote their healthcare brand.


The CAN-SPAM Act: key facts


Congress addressed the problem of unsolicited email with the CAN-SPAM Act, which establishes the rules for sending commercial messages. It gives recipients the right to have a business stop emailing them, and it outlines the penalties for those who violate the law. Each separate email that violates the act is subject to a civil penalty of up to $46,517 at the time of writing (the FTC adjusts this amount for inflation each year).

CAN-SPAM does not apply only to bulk email. It covers any electronic mail message whose primary purpose is the commercial advertisement or promotion of a product or service. There is no exception for business-to-business email. Furthermore, the law preempts state laws that regulate commercial email, except to the extent those laws prohibit falsity or deception in the message.


The six main features of CAN-SPAM

In essence, the CAN-SPAM Act tells senders to:

  1. Provide the option to unsubscribe
  2. Honor opt-out requests promptly
  3. Include a physical address
  4. Keep headers and subject lines honest
  5. Identify the message as an advertisement if it is such
  6. Monitor what others are doing on your behalf

What does CAN-SPAM have to do with healthcare?

The CAN-SPAM Act covers any email whose purpose is the advertisement or promotion of a commercial product or service. For healthcare, this means communicating to patients or other providers about something the organization offers. Examples of healthcare email that could be considered commercial:

  • Advertising a new service or facility (as opposed to a treatment communication with an existing patient)
  • Telling a segment of your subscribers that they are eligible for a service
  • Sending a healthcare email newsletter
  • Offering patients referral codes

Not every email is a marketing email under CAN-SPAM, or under HIPAA.

HIPAA, the Health Insurance Portability and Accountability Act, protects patients' protected health information (PHI). For email, that means security that includes the administrative, physical, and technical safeguards set out in the HIPAA Security Rule.

READ ABOUT: Understanding and implementing HIPAA rules

But what we are interested in here is HIPAA's role in marketing. The HIPAA Privacy Rule defines marketing as "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." With limited exceptions (such as face-to-face communications and promotional gifts of nominal value), the Privacy Rule requires a patient's written authorization before PHI is used or disclosed for marketing.

SEE ALSO: Healthcare email marketing 101: Avoiding spam box

In essence, like CAN-SPAM, HIPAA requires organizations to pay attention to what they send and how they send it. Compliance with both helps organizations steer clear of violations and possible fines.


Ensure both HIPAA and CAN-SPAM compliance with solid email security


CAN-SPAM and HIPAA were put in place to protect consumers. But by adhering to them, healthcare organizations also build better patient engagement and stronger businesses. The first step is to put end-to-end email encryption, data loss prevention, and outbound filtering in place.

Encryption keeps message content readable only by the sender and the intended recipient, and outbound data loss prevention reduces the chance that PHI leaves the organization in a message that should never have been sent. Together they lower the risk of a PHI breach.

It is also necessary to follow CAN-SPAM's six requirements:

  • Give every recipient a clear, working way to unsubscribe (CAN-SPAM is an opt-out law; a HIPAA marketing authorization is a separate, additional requirement)
  • Honor all opt-out requests promptly (the FTC requires this within 10 business days)
  • Include a physical postal address in every sent email
  • Keep your message, subject line, and headers honest
  • If the message is an advertisement, label it as one
  • If using a third-party email provider, understand their policies and security practices, since you remain responsible for what they send on your behalf


The law leaves a lot of leeway in how to meet these requirements. Once a process is in place, compliance keeps violations and breaches from becoming a source of undue stress.
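As an added example (not Paubox's code and not part of the original article), here is a Python lint that an outbound mail gateway could run over each commercial message before it leaves, checking the mechanical parts of the six requirements above: a List-Unsubscribe header (RFC 2369) plus an opt-out sentence in the body, a physical postal address, an honest From/Reply-To domain and subject line, an advertisement label, and a suppression-list check so opted-out recipients are never mailed. The sending domains (OUR_DOMAINS), the suppression list (OPTED_OUT), and both sample messages are constructed for this example; the postal-address pattern is a loose US-format heuristic, and the check for the literal word "advertisement" is an assumption, since the law prescribes no particular wording for the label.

```python
"""Outbound CAN-SPAM lint for one RFC 5322 message (added example, not Paubox's code)."""
import re
from email import message_from_string, policy

# Constructed inputs for this example (assumptions, not real data).
OUR_DOMAINS = {"clinic.example"}      # domains this organization legitimately sends from
OPTED_OUT = {"bob@example.net"}       # suppression list: addresses that have opted out

# Loose US postal address, e.g. "123 Main St, Springfield, IL 62704" (heuristic).
ADDRESS_RE = re.compile(r"\b\d+\s+[\w .]+,\s*[\w .]+,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")
UNSUB_RE = re.compile(r"\bunsubscribe\b", re.I)
AD_LABEL_RE = re.compile(r"\badvertisement\b", re.I)      # assumed label wording
FAKE_REPLY_RE = re.compile(r"^\s*(re|fwd?)\s*:", re.I)    # "RE:" on a cold email is deceptive


def _recipients(msg):
    """Yield lowercase addr-specs from To and Cc."""
    for field in ("To", "Cc"):
        hdr = msg.get(field)
        if hdr is not None:
            for addr in hdr.addresses:
                yield addr.addr_spec.lower()


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def lint(raw):
    """Return a list of findings; an empty list means the message may be sent."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Honest headers: From must be ours; Reply-To, if set, must not point elsewhere.
    frm = msg.get("From")
    from_domain = frm.addresses[0].domain.lower() if frm and frm.addresses else ""
    if from_domain not in OUR_DOMAINS:
        findings.append(f"From domain {from_domain!r} is not one we send from")
    reply_to = msg.get("Reply-To")
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() not in OUR_DOMAINS:
        findings.append("Reply-To points at a domain we do not control")

    # Honest subject: not empty, and no fake "Re:"/"Fwd:" on a message that is not a reply.
    subject = str(msg.get("Subject", "")).strip()
    if not subject:
        findings.append("Subject is empty")
    elif FAKE_REPLY_RE.match(subject) and not msg.get("In-Reply-To"):
        findings.append("Subject claims to be a reply/forward but there is no In-Reply-To")

    body = _body_text(msg)

    # Unsubscribe option: RFC 2369 header for mail clients, plus a sentence humans can read.
    if not msg.get("List-Unsubscribe"):
        findings.append("Missing List-Unsubscribe header")
    if not UNSUB_RE.search(body):
        findings.append("Body does not tell the recipient how to unsubscribe")

    # Physical postal address in the footer.
    if not ADDRESS_RE.search(body):
        findings.append("No physical postal address found in body")

    # Advertisement label.
    if not AD_LABEL_RE.search(body):
        findings.append("Message is not identified as an advertisement")

    # Honor opt-outs: refuse to send to anyone on the suppression list.
    for rcpt in _recipients(msg):
        if rcpt in OPTED_OUT:
            findings.append(f"{rcpt} has opted out and must not be emailed")

    return findings


# Constructed sample messages (not real correspondence).
GOOD_MSG = """\
From: Example Clinic <news@clinic.example>
To: Alice <alice@example.org>
Subject: Flu shots now available at our Main Street location
List-Unsubscribe: <mailto:unsubscribe@clinic.example>, <https://clinic.example/unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="utf-8"

Flu shot appointments are open. Book online at https://clinic.example/flu

This message is an advertisement from Example Clinic.
To unsubscribe, reply to this email or visit https://clinic.example/unsubscribe
Example Clinic, 123 Main St, Springfield, IL 62704
"""

BAD_MSG = """\
From: Example Clinic <news@clinic.example>
Reply-To: sales@partner-offers.example
To: Bob <bob@example.net>, Carol <carol@example.org>
Subject: RE: your appointment
Content-Type: text/plain; charset="utf-8"

Our new wellness program is 20% off this month. Call today!
"""

if __name__ == "__main__":
    for name, raw in (("GOOD_MSG", GOOD_MSG), ("BAD_MSG", BAD_MSG)):
        print(name, "->", lint(raw) or "OK to send")
```

A gateway would run lint() as the last outbound hook and hold any message with findings for review; the suppression-list check belongs here rather than in the marketing tool so that a third party sending on your behalf cannot bypass it.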


Paubox provides you with compliance and assurance


Paubox Marketing takes care of many CAN-SPAM and HIPAA requirements automatically. Any email you send through Paubox includes an automatic unsubscribe button as well as a section for an address footer. And since Paubox Marketing allows segmented and personalized messages, it is possible to send marketing-related emails and test results, all without violating CAN-SPAM or HIPAA, and while improving patient outcomes.

Not only will Paubox sign a business associate agreement, but Paubox products run on HITRUST CSF certified solutions and enable HIPAA compliant email by default. Moreover, we register our customers' website domains on our secure platform, which allows them to send HIPAA compliant email with no need to rely on portals or passwords.

The more authentic your email looks and the easier it is to opt out, the less likely your emails are to be flagged as spam or junk, and the more likely they are to reach your patients.

