Keeping your healthcare email marketing HIPAA compliant

Email marketing can be a valuable addition to your healthcare practice to improve patient outcomes, increase revenue, and position yourself as a leader in your field. Healthcare email marketing use cases range from reminding people about annual screenings, sharing new developments in your field, updating patients about changes to your practice—and many more.

All email marketers must abide by the CAN-SPAM Act, which sets a national standard for the regulation of unsolicited and unwanted junk email. The HIPAA Privacy Rule has additional requirements regarding how covered entities can market to patients.

In this article we will explain how you can take advantage of this powerful marketing strategy while staying on the right side of the law.

CAN-SPAM Act Regulations to Keep in Mind

The Federal Trade Commission (FTC), Bureau of Consumer Protection provides a CAN-SPAM Act compliance guidewhich summarizes the ruling for email marketers.

Here are the main points of the CAN-SPAM to consider when sending email marketing campaigns.

• Email recipients must be able to easily unsubscribe.
• You must include a mailing address where you can receive mail.
• Your message must clearly and accurately identify the business that is sending the email in the “from,” “reply to” and “routing information” sections of the email.
• Your subject line should contain a short explanation of the email contents and must not be misleading or inaccurate.
• If your primary purpose is to advertise or promote a commercial product or service, you must clearly and conspicuously identify that your message is an advertisement.

How HIPAA Defines Marketing

HIPAA defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” In general, HIPAA requires written authorization before a covered entity can use PHI for marketing purposes.

Healthcare Marketing That Requires Patient Authorization

If your bulk emails are considered marketing by HIPAA’s definition, in most cases you must receive prior authorization before sending them.

Some examples of communications that require patient authorization are:

• A hospital informs former patients about a new cardiac facility as an FYI. (Since they are former patients, this communication is not part of treatment.)
• A healthcare insurance company tells patients about a home and casualty insurance product that they also offer.

What Is NOT Marketing According to HIPAA?

There are many types of communication that HIPAA does not consider marketing which therefore do not require prior authorization to discuss with patients.

It is not marketing when:

• A covered entity shares information about a health-related product or service that it provides.
• The communication is for treatment purposes.
• A doctor communicates about case management or care coordination, or to recommend alternative treatments or providers.

HIPAA Requirements for Safeguarding ePHI

The HIPAA Security Rule sets specific standards for the confidentiality, integrity, and availability of electronic PHI (ePHI) and the technical and non-technical protections that covered entities must implement to secure it.

In regards to email marketing, encryption is the best option for ensuring HIPAA compliant email.

Make Sure Your Email Marketing Platform is HIPAA Compliant

However, email encryption is not enough to ensure HIPAA compliance. Any email marketing platform you partner with must sign a business associate agreement (BAA) with you.

Unfortunately, most mainstream email marketing solutions will not sign a BAA, which is a nonstarter for healthcare providers. This includes such well known platforms such as Mailchimp and HubSpot, among many others.

However, there are alternatives. For more details on which platforms are safe and effective for healthcare providers to use, we have analyzed the HIPAA compliance of the top 20 email marketing solutions here.

Conclusion

As long as you abide by the CAN-SPAM Act, obtain prior authorization when required, and use a HIPAA compliant email marketing platform, you can use email marketing to grow your business and improve patient outcomes.

Although you might see HIPAA as a roadblock to implementing an email marketing strategy, it doesn’t have to be.