June 12th, 2013

HIPAA Compliant Email Marketing

Customers are constantly referred to us with a specific requirement: The need to send newsletters, marketing materials, or semi-bulk email messages … but in a HIPAA compliant way.

Typically, it is not just the HIPAA-compliant sending that they need (e.g. as provided by our Premium High Volume service), they also need a user interface for composing the messages, sending, tracking opens and clicks, etc. It turns out that the vast majority of email marketing systems out there do not offer compliant sending, nor do they offer a compliant campaign management and tracking interface. This makes it very difficult for organizations in the health care sector, and all of their business associates, to use email marketing effectively when PHI may be involved.

How could PHI be Involved? We are talking “newsletters” here!

Protected Health Information is “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.” Email messages are sent to specific individuals and “email addresses” are identifying. If these messages indicate or imply something about the “health status or provisioning of health care” for that individual, then that is PHI. For more details, see: What exactly is ePHI?

So, it comes down to what specifically is in these messages. If they are generic marketing or informational materials that are sent out to a wide array of people … not PHI. If they are more specific, like “suggested rehab plans” or “test results” or “appointment follow-up surveys or information”, then they will probably be PHI.

So, what if they do contain PHI?

If they do contain PHI, then they fall under the rules of HIPAA and the Omnibus rule … in particular (and this is only a few of the many considerations):

  1. Any service that you use for the composition and sending of these messages must be provided by a HIPAA Business Associate of yours (one that has signed a Business Associate Agreement with you).
  2. The web interface where you manage your sending and reporting must be secure and fall under this agreement.
  3. The messages sent must be secured / encrypted in transit to every recipient.
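As an added example (not LuxSci code, and not from the original post), a pre-send gate in Python that enforces item 3 for a recipient list: each recipient domain's mail server is probed for STARTTLS with certificate verification, and addresses whose domain cannot take an encrypted connection are held back instead of going out in the clear. The `mx_lookup` callable and the hostnames in the comments are assumptions; real MX record resolution is left to the caller.

```python
import smtplib
import ssl


def probe_starttls(mx_host, port=25, timeout=10):
    """Return True only if mx_host offers STARTTLS and the TLS handshake
    succeeds with certificate verification. Any failure counts as 'not secure'."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False             # server never offered encryption
            smtp.starttls(context=ctx)   # raises if the certificate does not verify
            smtp.ehlo()                  # re-identify on the encrypted channel
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False


def plan_delivery(recipients, mx_lookup, probe=probe_starttls):
    """Split a recipient list into addresses that can go out over TLS and
    addresses that must be held for a different secure channel.

    mx_lookup(domain) is assumed to return the domain's MX host (or None);
    resolving real MX records is the caller's job in this example.
    probe(mx_host) returns True when encrypted delivery to that host works."""
    plan = {"send_tls": [], "hold": []}
    verdicts = {}                        # one probe per domain, not per address
    for addr in recipients:
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower()
        if not sep or not local or not domain:
            plan["hold"].append(addr)    # malformed address: never send PHI blindly
            continue
        if domain not in verdicts:
            mx_host = mx_lookup(domain)  # e.g. "mx1.tls.example" (assumed name)
            verdicts[domain] = bool(mx_host) and probe(mx_host)
        plan["send_tls" if verdicts[domain] else "hold"].append(addr)
    return plan
```

Recipients in the `hold` list are the ones item 3 does not allow over plain SMTP; they need a secure alternative such as an encrypted portal or a retry once their domain supports TLS.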

So, if your mailing falls into this category, be careful about sending using any old “in house” marketing software, and be very sure that whoever you sign up with for managing and sending your messages online will indeed meet your HIPAA compliance needs … as most of the major players in email marketing do not.

It probably comes as no surprise that our suggestion is to use LuxSci’s “Spotlight Mailer” interface together with our Premium High Volume solution for compliant HIPAA bulk email that includes an extremely robust management and tracking interface.

  1. HIPAA compliant sending to any recipient
  2. HIPAA compliant full-featured email campaign management and tracking interface
  3. Tracking: opens, clicks, opt outs
  4. Automatic: subscribe, unsubscribe, failed delivery management

LuxSci Spotlight Mailer can provide an email marketing solution as easy-to-use and full-featured as ConstantContact, MailChimp or iContact, but with the added layers of security and privacy needed for HIPAA.
