How to Stay HIPAA Compliant in Email Marketing (Updated for 2022!)

As a health care practice owner, growing your business is probably close to the top of the list of your priorities. An essential part of this is a strong email marketing strategy.

Why email marketing you ask? The statistics speak for themselves:

  • 72% of clients prefer to receive promotions via email;
  • 80% of email users access their email accounts via a mobile device;
  • Email marketing delivers an ROI of 122%.

It’s also inexpensive, easy to implement if you use ready-made templates, and allows you to build relationships with clients nearly on autopilot with monthly newsletters.

But it’s one thing to know why email marketing is so important; you have to work out how to do it effectively.

If you’re just getting started with email marketing, this might mean:

  • Including opt-ins on your website;
  • Building a subscriber list;
  • Writing regular newsletters;
  • Figuring out how to send them out to your subscribers.

That’s quite a list… And you still need to consider the extra layer of complication that HIPAA-compliant email marketing requirements add. There’s a lot of information (and a lot of misinformation) when it comes to HIPAA and email marketing, so let’s start with the basics. 

What is HIPAA, and what are the implications for your health practice?

HIPAA is the Health Insurance Portability and Accountability Act, an act that governs all health care providers. Enacted in 1996, it sets out how practices use client Electronic Health Records (or EHRs), extending to Facebook, email, texts and more. In short, the act covers anything related to the digital transmission of protected health information (PHI).

The implications of non-compliance are serious. Violators of the act can be fined up to $1.5 million per year, and a single violation carries a penalty ranging from $100 to $50,000, depending on the severity of the infraction. The costs of non-compliance make it vital that your practice stays compliant and keeps abreast of any changes.

What does HIPAA have to say about health practices and email marketing?

As a health practice, you need to protect the PHI (protected health information) of every client, and even every prospective client. This applies to any marketing efforts as well: your practice needs to ensure that it is running HIPAA-compliant email marketing campaigns and newsletters.

According to the HIPAA Privacy Rule:

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:

  • A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39 when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.

This makes it quite clear that most of the emails you send to your subscriber database are going to fall under “marketing,” according to HIPAA. 

Sending HIPAA-Compliant Emails

Every healthcare practice is responsible for sending emails correctly so that they don’t violate HIPAA. Luckily, sending compliant email marketing doesn’t have to be confusing – make sure that your email opt-in and opt-out process is clear and straightforward, and don’t use any personalization or PHI.

Opting Into Your Email Marketing Must Be Clear

This is simple, and it should be something you’re doing anyway. People need to know that they’re signing up for your email marketing list when they give you their contact information. This is common sense, and marketing is all about relationship building. You want to be clear about what your leads will get in exchange for their information.

On Your Website

For example, if you collect contact information through a form on your website, you should include information close to the submit button clarifying:

  • That they can expect to receive emails from you;
  • How often they are likely to receive these emails;
  • That they can opt-out at any time;
  • That you won’t share their information with anyone.

In short, you want to give leads an idea of the type of content you’ll send them and how often.

On the Emails You Send

It needs to be easy to unsubscribe from your emails. We suggest including an unsubscribe link at the bottom of every email you send, so that if a subscriber is not interested in your content, it’s easy for them to stop receiving your emails.

On Client Intake Forms

On initial intake forms clients fill out, providers should include an email marketing opt-in, in addition to any opt-ins they may have for PHI-related communication. It can be collected at the same time, and each opt-in should be distinct.

The main reason for doing this is that the HIPAA rules, especially since the 2013 HIPAA Omnibus Rule, aren’t clear-cut, and you don’t want to overstep the mark by mistake. If a separate opt-in for marketing communications is included in the intake forms, you can be sure that you have permission to use a client’s email address for marketing.

Don’t Use Personalization

One of the cornerstones of email marketing is personalization, and it’s easy to understand why: a targeted email is much more likely to convert. But to remain HIPAA compliant, you’ll need to steer clear of including personal information such as names, or of using segmentation attributes such as location, treatment preference or drug choice.

Why? Because any such personalization uses information that is classified as PHI (protected health information). And PHI can’t be used anywhere except in a patient’s chart.

When to Send Marketing Emails

  • Welcome emails: let new sign-ups know what to expect and how to connect with you.
  • Holiday greetings: wish your clients happy holidays, a happy new year and more.
  • Newsletters: whether weekly, monthly or quarterly, this is your time to shine (and keep your subscribers updated with what’s happening at your practice!).

When Not to Send Marketing Emails

  • If the email targets a specific subset of your clients: if you’re using any information you know about a specific demographic of your client base and sending only to them, you’re not going to be HIPAA compliant, and you probably shouldn’t hit send.
  • If they’ve asked to unsubscribe: this is a big no-no. Keep on top of your list by including a clearly visible Unsubscribe link on every marketing email you send.

In Summary:

  • You need to have a HIPAA compliant email marketing strategy;
  • Most of the emails you send to your subscriber list will fall under “marketing” according to the Privacy Rule;
  • Make your opt-in and opt-out process clear, and avoid using personalization in your emails.

This article was originally published in 2020 and has been updated for comprehensiveness and accuracy.
