Is Your Practice Compliant? How to Stay HIPAA Compliant in Email Marketing (+ a FREE Checklist)

As a health care practice owner, growing your business is probably close to the top of your list of priorities, and an essential part of this is a strong email marketing strategy. Why email marketing, you ask? The statistics speak for themselves:

  • 72% of clients prefer to receive promotions via email;
  • 80% of email users access their email accounts via a mobile device;
  • 122% is the ROI of email marketing.

Having decided on email marketing as a key component of your strategy, you have to work out how to do it effectively. This means:

  • Including opt-ins on your website;
  • Building a subscriber list;
  • Writing regular newsletters;
  • Figuring how to send them out to your subscribers.

That’s quite a list… And you still need to consider the extra layer of complication that HIPAA compliant email marketing requirements add. There’s a lot of information (and a lot of misinformation) when it comes to HIPAA and email marketing, so let’s start with the basics.

What is HIPAA, and what are the implications for your health practice?

HIPAA is the Health Insurance Portability and Accountability Act, an act that governs all health care providers. Enacted in 1996, it sets out how practices use client Electronic Health Records (or EHRs), extending to Facebook, email, texts and more. In short, the act covers anything related to the digital transmission of protected health information (PHI).

The implications of non-compliance are serious. Violators of the act can be fined up to $1.5 million per year. And a single violation ranges from $100 to $50,000, depending on the severity of the infraction. The costs of non-compliance make it vital that your practice stays compliant and keeps abreast of any changes.

What does HIPAA have to say about health practices and email marketing?

As a health practice, you need to protect the PHI (protected health information) of every client, and even every prospective client. This applies to your marketing efforts as well: your practice needs to ensure it is running HIPAA compliant email marketing campaigns and newsletters.

According to the HIPAA Privacy Rule:

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:

  • A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39 when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.

This makes it quite clear that most of the emails you send to your subscriber database are going to fall under “marketing,” according to HIPAA.

Sending HIPAA-Compliant Emails: Your 3-Step HIPAA Email Marketing Compliance Checklist

Sending compliant email marketing doesn’t have to be confusing; there are only three steps to keep in mind:

✔#1 – Send emails using approved encryption
✔#2 – Make the email opt-in and opt-out process clear and straightforward
✔#3 – Don’t use personalization (PHI)

Check 1 – Send Emails Using Encryption

If sending emails forms part of your marketing strategy, you need to use a HIPAA compliant email service provider (ESP).

The most popular options are:

  • GSuite (by Google);
  • Office365;
  • Infusionsoft;
  • SalesForce;
  • Mailchimp;
  • AgileCRM;
  • Clinical Contact;
  • Spotlight Mailer.

If your ESP isn’t on the list, that doesn’t mean it’s not HIPAA compliant; it just means you’ll need to do a bit more digging. Check that they will sign a BAA (Business Associate Agreement). This is the legal document that makes the ESP responsible for any non-compliance on their side, rather than you.

It should be easy to get this information from your ESP through their Help Desk FAQs or by getting in touch with them directly. If you can’t get the information you need, or if they aren’t able to answer your questions about HIPAA, find another provider instead.

Check 2 – Opting Into Your Email Marketing Must Be Clear

This is simple, and it should be something you’re doing anyway. People need to know that they’re signing up for your email marketing list when they give you their contact information. This is common sense, and marketing is all about relationship building. You want to be clear about what your leads will get in exchange for their information.

On Your Website

For example, if you collect contact information through a form on your website, you should include information close to the submit button clarifying:

  • That they can expect to receive emails from you;
  • How often they are likely to receive these emails;
  • That they can opt-out at any time;
  • That you won’t share their information with anyone.

In short, you want to give leads an idea of the type of content you’ll send them and how often.

On the Emails You Send

It needs to be easy to unsubscribe from your emails. We suggest including an unsubscribe link at the bottom of every email you send, so that if a subscriber is not interested in your content, it’s easy for them to stop receiving your emails.

Check 3 – Don’t Use Personalization

One of the cornerstones of email marketing is personalization, and it’s easy to understand why: a targeted email is much more likely to convert. But to remain HIPAA compliant, you’ll need to steer clear of including personal information such as names, or of using segmentation attributes such as location, treatment preference or drug choice.

Why? Because any such personalization uses information that is classified as PHI (protected health information). And PHI can’t be used anywhere except in a patient’s chart.

* * * * * * * * * * * * * * * * * * *

In Summary:

  • You need to have a HIPAA compliant email marketing strategy;
  • Most of the emails you send to your subscriber list will fall under ‘marketing’ according to the Privacy Rule;
  • There are three checks to stay compliant: send encrypted emails, make your opt-in and opt-out process clear, and avoid using personalization in your emails.
