February 27th, 2017

What is HIPAA-compliant Email Marketing?

To achieve HIPAA-compliant email marketing, you need to satisfy two objectives. First, you need to understand the fundamentals of email marketing. Second, you need to execute your email marketing activities within HIPAA’s requirements and restrictions.

HIPAA-compliant email marketing

It’s easy to make a mistake with HIPAA-compliant email marketing, especially when you’re in a rush.

Picture this:

You leave your clinic early on a Thursday afternoon to head off on a vacation. Before you go, you ask your office manager to send off an email blast. You were just certified on a new procedure and you know at least 200 patients in your files would likely benefit from it. A simple message inviting them to the office for a consultation next week is the perfect next step. Your office manager takes some quick notes and promises to send off the note tomorrow. And off you go for a weekend of golf at Pebble Beach.

On your way home, you check your email. You see an angry email from a patient and start reading. It turns out that you’ve violated some arcane HIPAA rules… Even worse, that patient’s sister is an attorney who has promised to call you tomorrow. You’re pretty sure you’ve done nothing wrong but you’re nervous on the flight home.

This situation could have been prevented if your office manager had asked you one simple question:

What is needed to send a HIPAA-compliant email marketing message?

Do you have a good answer? That’s what you will find in this short guide to HIPAA-compliant email marketing.

Let’s start with a few key terms before we go any further:

  • Email Marketing. Sending messages with the objective of selling products or services. In most cases, email marketing is delivered using a third-party service such as LuxSci. Other types of communication with your customers and patients – such as sending receipts – may be considered as “transactional email.” However, these communications may still be subject to HIPAA and contain PHI.
  • Health Insurance Portability and Accountability Act (HIPAA). This 1996 law sets a variety of provisions related to health insurance regulation and related activities. For our purposes, the most important provisions relate to privacy and the proper handling of protected health information.
  • Protected Health Information (PHI). As you develop a HIPAA-compliant email marketing strategy, you will encounter PHI questions over and over again. PHI has two components: protected health information (e.g. test results from a medical test) combined with information that personally identifies you (i.e. “individually identifiable” information). A common example of PHI would be a patient file with their name, date of birth and notes on current health conditions. However, PHI can also include other scenarios such as an appointment reminder email or an invoice for health services.

    Note: For a full definition of PHI and ePHI (i.e. electronic protected health information), read our article What exactly is ePHI?

  • HIPAA Privacy Rule. This regulation defines how certain organizations must handle, secure and provide access to PHI. For example, you have the right to access your PHI, correct errors and be notified of privacy breaches.

Email marketing gone wrong: 3 reasons HIPAA-compliant email matters

Does meeting HIPAA requirements really matter for your organization? It seems like new government regulations and requirements come out every day. If you’re a “Covered Entity” (e.g. hospital, clinic, dental practice, health insurance firm or others) or a “Business Associate” (e.g. a medical testing facility, or any organization that handles PHI on a covered entity’s behalf), satisfying HIPAA’s requirements for email is a professional responsibility. What happens if you get it wrong?

  1. Lose Patient Trust

Imagine if your credit card company mailed your statement to the wrong person. What would you think about their competence in handling your financial affairs? Those same questions will come up in health care. And the consequences of mishandled health information are potentially disastrous – imagine a family member being informed you have cancer through an “accidental email” rather than you having the opportunity to break the news yourself.

  2. Suffer Fines and Losses

If your marketing or other activities fail to meet HIPAA requirements, be prepared to pay up. Your organization can easily pay $1 million for failing to stay compliant with HIPAA. That’s an important message to reinforce to your staff and business partners.

Resource: Discover how CVS suffered a $2.25 million loss for failing to live up to its HIPAA requirements: HIPAA Has Teeth and They are Long and Sharp – Don’t Get Bitten.

  3. Suffer Negative Publicity

In some circumstances, your organization may face negative publicity. That could be an announcement of a lawsuit or investigation. Even if you successfully defend yourself, many prospective patients and customers will stay away. This issue is particularly important for the health care sector, where a reputation for integrity and professional judgement is critical.

Why should you invest in HIPAA-compliant email marketing?

Given all the ways you can lose money and reputation through HIPAA non-compliance, does it still make sense to invest in email marketing? Yes, it does!

There are two main reasons that email marketing matters to your practice. First, industry studies have shown that email marketing offers outstanding return on investment. According to consulting firm McKinsey, email marketing significantly outperforms Facebook and Twitter when it comes to acquiring new customers. A 2015 report from the UK Direct Marketing Association found email marketing returned an average of $38 for every $1 invested. Simply put, companies use email marketing because it works!

There’s just one problem. Health care isn’t like other industries: you’re handling sensitive information and need to act accordingly. At this point, you may be tempted to throw up your hands in frustration and say:

“Email marketing is too hard for healthcare. I’ll just have to do my marketing the old fashioned way.”

Not so fast!

Without a doubt, email marketing is much more difficult when you have to manage HIPAA. Fortunately, you’re not alone when it comes to addressing this challenge. You can follow in the footsteps of other highly capable marketers.

The 6 Habits of Highly Compliant Health Care Marketers

How can you make sure you are on the right path when it comes to your email marketing? Of course, using a professional-grade email provider like LuxSci is a great start. That’s only part of the story. You need to develop and follow these habits to keep your email marketing program working effectively.

  1. They Know The Fundamentals of Email Marketing

Protecting patient information and keeping government regulators content matters, but it’s not enough. You also need to know and practice the fundamentals of effective email marketing. For example, do your marketing messages end with a clear call to action (e.g. “call the office today to book your consultation”)? Without these best practices, all your email marketing efforts may lead nowhere.

Resource: Read “Permission Marketing” by Seth Godin for an introduction to fundamental principles of email marketing – it’s one of the most readable marketing books ever written.

Action Step: Schedule an hour in the next month to study email marketing methods. A small improvement in the effectiveness of your email marketing will pay tremendous dividends.

  2. They Have Invested In HIPAA Education

Taking the time to educate yourself on HIPAA compliance is a second key habit. If you’re brand new to the HIPAA compliance requirements, you may want to take a course or hire a consultant to guide you through the compliance process. If you have a well-established HIPAA program, then you need to take the time to refresh and review its accuracy. An out-of-date policy or procedure doesn’t help anyone.

Resource: To get you started with HIPAA, read our article HIPAA Compliance Checklist: What You Need To Do.

Action Step: To test your knowledge of HIPAA compliance, take out a sheet of paper. On this paper, write out all the systems, procedures and methods you currently have in place to fulfill HIPAA compliance. If you come up blank, ask others in your organization. If you still don’t come up with anything, it’s time to do some serious work to boost your HIPAA compliance.

  3. They Question Their Email Service Provider

When you rely on an email service provider to serve and market to your customers and patients, you need to understand their capabilities. To assess your email service provider, review your current contract to determine whether it includes HIPAA Business Associate Agreement (BAA) provisions. If these provisions are missing, it is time to consider looking for a new provider.

Action Step: Contact your current email marketing provider to ask what measures and practices they have implemented to achieve HIPAA compliance. If you find yourself having to explain HIPAA to them, that’s a big red flag. If they have a HIPAA-compliance option and you simply missed it, find out about it and consider upgrading to it ASAP.

  4. They Know When To Use Email

Email is one of the most useful and reliable means of electronic communication. It can be tracked, secured and monitored. It’s also one of the best ways to market your services and products, as we covered earlier. However, there are circumstances when email is not the right channel to use. For example, you may have to tell a patient that they have a year left to live due to an untreatable condition. In that scenario, an in-person office visit is likely the best approach. In contrast, email marketing is a great way to send a time-sensitive offer such as a “year end” massage therapy or dental cleaning promotion.

HIPAA-compliant Email Marketing

The following provides some examples of specific messages you could send that fulfill email marketing best practices and stay on the right side of HIPAA.

  • A monthly newsletter sent to all patients with general health and wellness tips
  • Notification that your practice is about to offer a new service starting next month
  • A patient satisfaction survey

Transactional Emails

Some of the emails you send to your patients are not designed to promote or sell your services but still must be HIPAA-compliant. Their purpose is often to notify the customer:

  • Notification that your prescription medication is ready for pick up
  • A statement of account email summarizing all the charges you were billed in the past year
  • Order confirmation email confirming the delivery date and other details for a product ordered by a patient
  • Confirmation email message that the patient has subscribed to your monthly exercise tips newsletter
  • Payment receipt messages for the patient’s records

Action Step: Review the last 50-100 emails you sent. Could some of these messages have been better communicated as phone calls or in-person meetings?

  5. They Know When To Use The Phone

If you have a highly complex offering – perhaps a brand new medical device – email marketing may not be enough. A phone call and/or meetings will probably be needed to close the sale. Remember that your patients rely on you to recommend products and services to improve their health. If you keep news on new products to yourself, you’re depriving patients of an improved quality of life.

Action Step: Schedule time each day or week to make important patient phone calls. During those times, keep a notebook (or digital equivalent) on hand to take quick notes. As you take notes, your patients will notice your improved active listening.

  6. They Know Their Organization’s PHI

Managing protected health information (PHI) is impossible until you understand all the different forms it can take in your organization. As an example, let’s consider a medium-sized dental practice.

What types of PHI might be on file there? First, you will have each patient’s file (i.e. paper folders in a cabinet and/or records in a database). Second, you may have email correspondence with third parties who create customized dental appliances for your patients. Third, you may have payment and insurance data for various patients in yet another system. Fourth, you probably have records relating to diagnostic tests like X-rays. And that’s just the beginning.

Effective marketers know what PHI they have and how that translates into email messages. Effective marketers capitalize on the data they have and use proper channels to communicate frequently with their customers.

Action Step: Ask two people in your organization to write a list of all the different types of PHI that you manage. Remember to include PHI that you provide to third parties, vendors and service providers.

Discover your HIPAA-compliant email marketing options

Contact LuxSci today to discuss your HIPAA-compliant email marketing needs. If you’re fed up with the limitations of email service providers who don’t “get HIPAA”, then you need to come to LuxSci to take your organization’s email marketing to the next level.

Further reading:

To provide additional context and resources, we have prepared a further reading list. These resources will give you an overview of important recent developments in HIPAA, relevant news stories and government resources.

Health Information Privacy (U.S. Department of Health & Human Services). Provides guidance to individual citizens and organizations on managing health information privacy.

Defining Marketing And The HIPAA Privacy Rule (U.S. Department of Health & Human Services). It’s always helpful to get the government’s perspective on privacy as it relates to HIPAA.

Covered Entities and Business Associates. (U.S. Department of Health & Human Services). Ever wondered which organizations and companies are covered by HIPAA? This article provides a helpful overview.

Omnibus HIPAA Rulemaking (U.S. Department of Health & Human Services). The government issued new regulations in 2016 relating to HIPAA. Find an introduction to the requirements here – be prepared for a long read. The official Federal Register Document is over 100 pages long.

Email Archival is Required by HIPAA (LuxSci). What happens after you send an email in a HIPAA context?

Cybersecurity 2017 – The Year In Preview: HIPAA Compliance (Foley Hoag LLP). New areas of focus for HIPAA compliance include cloud computing services.

What exactly is ePHI? Who has to worry about it? Where can it be safely located? (LuxSci). Knowing what ePHI you have is the first step… But is it safely stored and secured?

What exactly does HIPAA say about Email Security? (LuxSci). It’s more complicated than “secure” or “not secure”!

HIPAA Compliance Program: Frequently Asked Questions (The University of Texas Health Science Center at San Antonio). San Antonio’s approach gives you a starting point if you are designing a HIPAA compliance program in a large health care organization.

Tips and Tactics for Transmitting PHI by Email (Alston & Bird LLP). Among other topics, this resource addresses how to safely dispose of PHI emails – just hitting “delete” isn’t quite enough.

7 Ways You Could be Unknowingly Violating HIPAA (LuxSci). Number five is the one that drives IT security experts crazy because it is difficult to stop.
