17 Questions To Ask Before Sending A HIPAA-Compliant Marketing Email

April 20th, 2021

You’ve just been told that your email marketing program is putting your company at risk of violating HIPAA. What now? If you want to continue using email to communicate with patients, you must implement HIPAA-compliant email marketing.

Start by breaking down that goal into two components: becoming HIPAA-compliant and achieving your marketing objectives. Setting up HIPAA-compliant systems and procedures will ensure your patient data is protected. However, you don’t have to let your marketing objectives suffer for the sake of security. Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Ask yourself these 17 questions to ensure your email marketing plan aligns with your business goals and HIPAA.

HIPAA-Compliant Marketing Emails

If your organization requires HIPAA-compliant email, start by using these questions to inspect your email marketing for compliance. Note that we cannot provide legal advice. However, these questions will serve to identify some of the most common points of failure.

1. Do you have security controls to protect access to your email marketing system?

HIPAA-compliant email comes with high expectations for cybersecurity. As a starting point, check your internal security processes for access restrictions. For example, do you restrict access to your email marketing system to only those people who truly need access?

Resource: What exactly does HIPAA say about Email Security?

2. Do you have a documented procedure to guide your HIPAA-compliant email marketing?

It’s not a good idea to “wing it” when it comes to HIPAA-compliant email. To protect your organization from compliance mistakes, develop an email marketing procedure. If you’re starting from scratch, use the answers to the questions in this article to create your first procedure.

For additional background, reference our other articles such as What is HIPAA-Compliant Email Marketing?

3. Can you send encrypted emails?

If you are sending highly sensitive information or PHI in your emails, be aware that HIPAA requires that the data be encrypted in transit and at rest. Most major email marketing providers are unable to provide encryption for sent messages and only protect data within their own systems.

Learn More: Is Constant Contact HIPAA-Compliant?

4. Do you know your organization’s PHI and ePHI?

If you’re unclear on the meaning of these HIPAA terms, it’s time to brush up on your knowledge. Anyone who sends email on behalf of the organization needs to know these terms and what they mean for your email marketing. Tip: Translate “PHI” and “ePHI” requirements into your organization’s context by listing the PHI and ePHI typically handled in your business. Those examples will help your staff navigate HIPAA-compliant email requirements.

Resource: For additional background on this topic, read our articles: What exactly is ePHI? and Can I share my patient list with my marketing company?

5. Do you have a required training process for anyone sending HIPAA-compliant marketing email?

Your HIPAA compliance program is only as strong as your weakest link. If you hire someone next week who will send email to patients and customers, they need to be trained on HIPAA. It’s a specialized area and you cannot expect new hires to understand these requirements and your approach without training.

6. Do you have effective protection against malware and viruses?

If you needed any encouragement to improve your anti-virus/anti-malware practice, thank HIPAA compliance requirements. To protect yourself and your customers against threats, start with these two points:

  1. Do you have anti-virus and anti-malware protection running on all of your organization’s devices?
  2. Does your email marketing provider have protection in place to guard against malware and other threats as per HIPAA?

7. Do you have valid Business Associate Agreements in place?

It’s normal to outsource activities like email marketing to a service provider. However, you still have responsibility for choosing a professional HIPAA-compliant provider, especially in areas like email marketing. Your first step should be to ask whether your email service provider has a HIPAA-compliant business associate agreement in place.

What Results Do You Want From Your Email Marketing?

Now that you’ve confirmed your systems are HIPAA-compliant, make sure your email strategy aligns with your business goals. Use these questions as a “monthly review” to keep your emails on track.

8. Why am I sending this email?

For the best results, each email you send should have a single purpose. I know what you’re thinking – my customers and patients are smart, they can handle multiple points in a single message. A single goal is the best way to go for your emails.

Your email is one of dozens or hundreds received by your patients. If your email is long and overly complicated, the reader may skip over it or simply delete it.

9. What is the recipient’s awareness level?

Whether you are selling medical devices, technology or anything else, it is important to understand your prospect’s awareness level. If you are writing an email to introduce a brand new product, keep it simple and avoid technical jargon. On the other hand, if you’re writing an email to experienced, highly knowledgeable readers, going into greater depth makes sense.

10. Is my email’s subject line interesting?

The email subject line is the most important part of your email. It “sells” people on why they should open the message and read what you have to say. Yet many people use terrible, ineffective subject lines and wonder why their emails are failing to produce results. By the way, the same principle also applies to blog posts – headlines matter.

For the best results, write up three to ten subject lines for your next email. Then step away from your computer for 5-10 minutes. Come back and then choose the subject line that suits you best.

Consider these examples to check your understanding:

Ineffective Email Subject Lines

  1. Blank (i.e. you write nothing in the subject line)
  2. Clinic Newsletter (i.e. tell them more – what’s the theme for the month?)
  3. Overusing exclamation marks!!!

Effective Email Subject Lines (These examples are based on a dental practice):

  1. BRAND-NEW dental product released today
  2. How to cut down on your health insurance paperwork
  3. [Case Study] How We Helped 3 Ex-Smokers Get White Teeth

11. For Transactional Emails: Is The Transaction Clear?

Let’s define transactional email:

Transactional emails are usually triggered based on a customer’s action with a company. (Wikipedia)

If you are sending a message to provide a receipt, for example, then make that clear in the subject line and the opening lines of the note. You may want to provide a link to download a secure PDF receipt as well. To distinguish these emails from others, consider adding a phrase such as “(RECEIPT)” in the subject line.

The clearer you are, the better your results will be.

12. For Transactional Emails: Am I Equipped To Send These In A Timely Way?

Patients and customers expect fast service. That expectation extends to receiving timely updates on order confirmations and receipts. The best way to fulfill this expectation is to use an automated system that sends transactional emails within 24 hours (but preferably within minutes or seconds) of providing the service. If there is a delay in preparing the email – which may happen with complex services – let your patient know there is a delay.

13. For Newsletters: Would The Reader Miss Receiving This Newsletter?

Do you have a favorite magazine that you receive each week or each month? For me, it’s The Economist. If you have a favorite publication, you know the anticipation when you open your mailbox and see the next issue. That’s the feeling you want to generate with your email.

If you never receive replies or comments about your newsletter, that’s a wakeup call to revise your approach. A forgettable newsletter does nothing for your business.

14. For Newsletters: Is It Easy To Share With Others?

Referrals are one of the best ways to grow your business. With the right approach, your email newsletter is an excellent method to encourage referrals.

You can put this principle into action by including links in each issue to encourage recipients to share the newsletter with another person. For example, if you provide a newsletter edition on wellness tips for runners, you could encourage readers to share that issue with their running friends.

15. Have I Tested My Message For Reading Ease?

Do you know one of the reasons that Hemingway was popular? He wrote short sentences or many short phrases. His sentences were easy to understand. There were no jargon, abbreviations or “insider” terms. When in doubt, keep your writing short.

When you’re deeply involved in the details of your business, you may forget just how much specialized jargon and language you use. There’s a simple solution. Use a tool like the Text Readability Consensus Calculator.

16. Have I Tested My Message’s Spam Score?

There are bad actors in the world of email marketing. In fact, a whole novel – “419” by Will Ferguson – has been written about one category of misleading and unethical email. Those abuses have triggered a vast infrastructure of anti-spam tools and technologies.

If you’re not careful, your email marketing may be trapped by these tools. To test if your next message may be perceived as SPAM, use a tool like IsNotSpam.

17. Have I Sent My Message To a Test Email Account?

If you’ve followed all of the advice above, you’re almost ready to hit SEND… There’s just one more check you need to run.

Send a test email to one of your own email accounts. This is the best way to see if your email is clear and readable once it is received. In particular, make sure you test all of the links in the email. A bad link frustrates customers and costs you sales. Even better, send the test email to somebody else on your team and ask for their opinion about the clarity of the message.

Help with HIPAA-Compliant Marketing Email

Learn more about this tricky topic at our upcoming webinar “Improving Patient Engagement with HIPAA-Compliant Email Marketing.” Instead of locking away PHI, it is possible to safely use PHI to improve the performance of your marketing emails.