Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

July 26th, 2019

Healthcare is a competitive business! A well thought out marketing strategy can help you outshine your competition, but providers need to keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is important to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA if the emails contain “protected health information” (PHI). Health information becomes PHI when it is individually identifiable: the term covers any data relating to a person’s past, present, or future physical or mental health, the care provided to them, or payment for that care, once it can be tied to a specific person.

Under this definition, some examples of PHI may include:

  • Test results
  • Prescription refill notifications
  • Appointment reminders
  • A receipt or bill for healthcare services

Is the Information Individually Identifiable?

If information is individually identifiable, it can in some way be linked back to a specific person. HIPAA’s list of identifiers is long and includes:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of eighteen identifiers is “any other unique identifying number, characteristic, or code,” so in practice the concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, the email must be sent in a HIPAA-compliant manner; if they are not, your organization may be in the clear. Even so, do not rush to launch a campaign: the edges of HIPAA are blurry, and it is best to proceed with caution.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but to also bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email went only to expectant mothers, membership of the recipient list itself implies that each recipient is pregnant, which is health information. Each email address is also an individual identifier under HIPAA.

With both characteristics in place, it is easy to see how this kind of email could violate HIPAA. Had the same message gone to every patient of the clinic, it might not have been viewed as a violation, because it would not single out the women who were pregnant (although it would still reveal that each recipient is a patient of that clinic, and could imply something about their past, present, or future treatment). It might seem unlikely, but situations like this occur all the time.
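The two-part test above (does the message carry health information, and is the recipient identifiable?) can be run as a pre-send gate, and the expectant-mothers case shows why the gate has to look at how the recipient list was selected, not only at the message body. The following is an added example written for this article; it is not LuxSci’s code, and the attribute names, the choice of which attributes count as health information, and the three campaigns are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed vocabulary for this example. Which fields count as health,
# treatment or payment information is a judgement your privacy officer makes;
# these sets are illustrative, not a list defined by HIPAA.
HEALTH_ATTRIBUTES = {
    "pregnant", "diagnosis", "medication", "last_test_result",
    "next_appointment", "balance_due", "insurance_member_id",
}
# A few of the Safe Harbor identifiers (names, dates, contact details).
DIRECT_IDENTIFIERS = {"name", "email", "address", "birth_date", "phone"}

MERGE_FIELD = re.compile(r"\{\{\s*(\w+)\s*\}\}")


@dataclass
class Campaign:
    name: str
    segment_filter: dict   # attribute -> value used to pick the recipient list
    template: str          # body with {{merge_field}} placeholders
    recipient_fields: set  # per-recipient attributes attached at send time


def merge_fields(template: str) -> set:
    """Names of the {{placeholders}} the template will fill per recipient."""
    return set(MERGE_FIELD.findall(template))


def assess(campaign: Campaign) -> dict:
    """Decide whether a campaign must go through the HIPAA-compliant channel."""
    reasons = []
    # (1) Segmentation leak: being on the list reveals every health attribute
    #     the list was filtered on, even if the body never mentions it.
    for attr in campaign.segment_filter:
        if attr in HEALTH_ATTRIBUTES:
            reasons.append(f"segment selected on health attribute '{attr}'")
    # (2) Body leak: merge fields that inject health, treatment or payment data.
    for fld in sorted(merge_fields(campaign.template)):
        if fld in HEALTH_ATTRIBUTES:
            reasons.append(f"template merges health attribute '{fld}'")
    # (3) Identifiability: an email always carries an address, so in practice
    #     the recipient is always individually identifiable.
    identifiable = bool(campaign.recipient_fields & DIRECT_IDENTIFIERS)
    # Note: a send to every patient still reveals that each recipient is a
    # patient of the sender. This gate follows the article and treats that
    # alone as below the threshold; your privacy officer may disagree.
    return {
        "campaign": campaign.name,
        "contains_health_info": bool(reasons),
        "individually_identifiable": identifiable,
        "requires_compliant_channel": bool(reasons) and identifiable,
        "reasons": reasons,
    }


# Constructed campaigns: the article's prenatal example, a clinic-wide
# newsletter, and a reminder whose body (not its segment) carries PHI.
PRENATAL_STUDY = Campaign(
    name="prenatal supplement study",
    segment_filter={"pregnant": True},
    template="Hi {{name}}, a new study recommends a change in prenatal "
             "supplementation. Book an appointment if you have questions.",
    recipient_fields={"email", "name"},
)
CLINIC_NEWSLETTER = Campaign(
    name="clinic newsletter",
    segment_filter={},  # every patient on the list
    template="Hi {{name}}, here is what is new at the clinic this month.",
    recipient_fields={"email", "name"},
)
APPOINTMENT_REMINDER = Campaign(
    name="appointment reminder",
    segment_filter={},
    template="Hi {{name}}, your next visit is on {{next_appointment}}.",
    recipient_fields={"email", "name"},
)

if __name__ == "__main__":
    for c in (PRENATAL_STUDY, CLINIC_NEWSLETTER, APPOINTMENT_REMINDER):
        print(assess(c))
```

The prenatal campaign is flagged purely because of its segment filter; the body contains nothing clinical. The newsletter passes, and the reminder is flagged because of the `{{next_appointment}}` merge field even though it goes to everyone. In a real pipeline the gate would sit in front of the sending API and refuse, rather than merely report, any campaign whose `requires_compliant_channel` is true unless it is routed through the compliant provider.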

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is very easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, making sure that all of your emails are sent securely ends up being a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, then it is important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization will need to sign a HIPAA Business Associate Agreement (BAA) with any service provider that handles PHI on your behalf. It is also important to use the encryption, access controls, and other security mechanisms required to protect ePHI. Vet your email provider thoroughly, and remember that a signed BAA is necessary but not sufficient: the provider’s controls, and how you configure and use them, determine whether a given send is actually compliant. Sending securely addresses the protection of ePHI in transit and at rest; the Privacy Rule separately governs whether PHI may be used for a marketing communication at all, which in many cases requires the patient’s written authorization.