Frequently Asked Questions: HIPAA and Email Marketing

October 27th, 2022

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. This causes a lot of confusion when it comes to HIPAA-compliant marketing campaigns. This article addresses some frequently asked questions about HIPAA-compliant email marketing and what you need to do to be on the right side of the law.

Do generic practice newsletters still count as PHI?

In many cases, even generic email newsletters can be considered PHI because they are sent to lists of current patients. Email addresses are individually identifiable and combined with the email content; it may imply that they are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that the recipients receive dialysis. Therefore the email is PHI and should be protected.

In some cases, it can be complicated to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution is best to avoid ambiguity and ensure you are secure.

What are email marketing best practices for organizations using Mailchimp?

The best practice is not to use Mailchimp! Mailchimp is NOT HIPAA-compliant and will not sign a Business Associate Agreement to protect your data. The best way to begin an email marketing program is to select a fully HIPAA-compliant vendor. Simply put, this means that emails are encrypted in transit, and stored data is also encrypted. 


quasi compliance

What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails and retrieve analytics. Email APIs are often used to send transactional or bulk marketing emails. Trigger-based emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. For example, an order confirmation is a transactional, trigger-based email. A person buys a product online, the transaction is processed, and an email is sent to the buyer with their transaction details. The email is sent automatically with an email API. When a new patient has an upcoming appointment, an email API could be used to send a reminder email and offer rescheduling options. Email APIs enable the automation of common email workflows.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it’s optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email.”

The Department of Health and Human Services (HHS) has clarified this by stating that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this for several reasons. One, keeping track of waivers over time and recording status changes and updates is challenging. Two, signed waivers do not insulate you from the consequences of a HIPAA breach. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Do patients have a right to exercise their right of access to their own PHI by receiving it via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It’s always better to encrypt emails. 

Is Microsoft 365/Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, it is not well-suited to send marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. If you are a marketer trying to increase open and response rates, the portal adds a barrier to access that many will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require a user to log in to read the message.

tls vs portal pickup


HIPAA can be difficult to understand, but choosing the right tools and properly vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please get in touch with our sales team.