HIPAA compliant email marketing: What you need to know

Featured image

Share this article

hipaa email marketing, hipaa compliant email marketing, email newsletter, healthcare email

Updated 6 March 2020

If you are a healthcare organization, you are familiar with HIPAA and HIPAA compliant email regulations. For every patient you treat, you must abide by HIPAA to protect his or her protected health information (PHI).

But in order to protect patient data, you need to have patients in the first place. That’s where a marketing strategy comes in.

Let’s say you want to start an email newsletter to get the word out about your practice and encourage current patients to refer your practice. Do you have to be HIPAA compliant when it comes to HIPAA compliant email marketing? And if so, how do you become HIPAA compliant?

RELATED: What is HIPAA Compliant Transactional Email?

Do marketing emails have to be HIPAA compliant?

Let’s take a look at how the HIPAA Privacy Rule defines marketing.

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.”

RELATED: HIPAA Definition of Marketing Explained

Also, HIPAA requires that you store and transmit PHI safely.

Conclusion: Yes, healthcare marketing emails have to be HIPAA compliant. 

So how can you ensure your email marketing efforts are following HIPAA rules? Follow these guidelines below.

1. Make sure your email marketing service is HIPAA compliant

As a healthcare organization, you should already have a HIPAA compliant email provider in place to send direct encrypted emails to patients. Marketing emails are beholden to the same encryption requirements.

However, you cannot use the standard marketing tools to send emails containing PHI because they are not HIPAA compliant.

Take Mailchimp for example. Is Mailchimp HIPAA compliant? In summary, no. They will not sign a Business Associate Agreement (BAA) with you.

In fact, our research has shown that none of the most common marketing vendors will both sign a BAA and allow you to send email containing PHI via their platform.

As another example, although Campaign Monitor will sign a BAA, they will not let you use their service to send email containing PHI.

That’s why we created Paubox Marketing, our HITRUST CSF certified email marketing solution.

Paubox Marketing allows recipients to view marketing emails like regular emails without relying on out-dated portal notifications which are terrible for the recipient. You can use it to segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant.  

2. Make sure your patients authorize receiving email communications, including marketing emails

When patients subscribe to your email list, you need to do three things:

  1. Inform your patients via written authorization that they will be receiving emails related to marketing activities
  2. Remind them why they opted-in for your emails (i.e. news from your practice, refill reminderspromotional gifts or discount couponscare coordination, etc.)
  3. Include the option to unsubscribe at any time

On top of making sure your email marketing service is HIPAA compliant, healthcare organizations need to comply with other regulations for marketing communications too.

3. Only use an off the shelf marketing service to send marketing emails without PHI

If you choose a standard marketing vendor, make sure you only send the most generic email blasts which contain no PHI.

Imagine sending an email blast to your patient list of 200 or 2,000 patients, only to find out that there was a piece of individual patient information that you overlooked before you hit send. Bam – that’s a HIPAA violation.

The maximum penalty for a HIPAA violation is $1.5 million per year. For a single violation, typical fines range from $100-$50,000 for each instance of wrongdoing. 

RELATED: How to Undo A Sent Email in Microsoft 365 (With Pictures)

It might just be better to err on the safe side and sign up for Paubox Marketing which covers all your bases.

4. If you send PHI in marketing emails, use Paubox Marketing

There are some very valid reasons to send PHI in an email marketing campaign. Especially if it’s focused around the patient journey and increasing a patient’s engagement in his or her treatment.

Adding personalization can also grow your business. Individualized messages perform up to three times better than generic blast emails.  If you tailor your email to a specific patient, you can obtain 5 to 8 times more return on investment for your marketing spend, and you can increase sales by over 10%.

Paubox Marketing is the most powerful email marketing tool on the market for healthcare providers. You can use it to send email including PHI, segment recipients by any characteristic of your choosing, and send targeted emails with messages tailored to a particular patient.

Really, the sky’s the limit on uses for personalized email marketing in healthcare.


When it comes to HIPAA and healthcare email marketing:

  • Healthcare marketing emails have to abide by HIPAA regulations
  • Patients must authorize marketing email communications
  • Use Paubox Marketing to send personalized marketing emails including PHI – or better yet, cover your bases and use it for all marketing emails

Although you might see HIPAA as a roadblock to implementing an email marketing strategy, it doesn’t have to be.

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.
Author Photo

About the author

Arianna Etemadieh

Arianna is an Inbound Marketing Specialist at Paubox. In her free time, she enjoys cooking, traveling, and volunteering at the animal shelter.

Read more by Arianna Etemadieh

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022