email marketing Archives - Page 8 of 9 - LuxSci

Posts Tagged ‘email marketing’

How do you drive meaningful patient engagement?

Tuesday, February 2nd, 2021

Not only is patient engagement critical to the well-being of your patients, but it’s also a key driver of the long-term success of your organization. If you have been neglecting this important component of healthcare and business, it’s time to reexamine your approach.

But before you jump in too deeply, you also need to consider the risks involved in certain patient engagement strategies, as well as how you can mitigate them. Through careful planning and the right tools, you can drive patient engagement without endangering patient data or putting your organization at risk. Ultimately, this allows you to safely boost patient outcomes while pushing your business forward.


When Should You Send ePHI in Your Marketing Emails?

Monday, July 20th, 2020


If you operate in the healthcare sector, you should always be wary of your organization’s electronic protected health information (ePHI). One of the most complicated situations involves email marketing, because carelessly sent messages can easily lead to HIPAA violations and their costly ramifications.

Because of this danger, you should only send ePHI in your marketing messages under certain conditions:

When Using a HIPAA-compliant Email Marketing Service

If you want to send ePHI in your marketing emails, you will need a HIPAA-compliant marketing service. If you send ePHI through Mailchimp or its equivalents, the messages won’t be encrypted or compliant with the regulations.

Because email is inherently insecure, using a normal email marketing service makes it easy for attackers to access ePHI in messages. They can intercept the messages in transit, then use the data to commit a range of crimes.

The result? Sending ePHI over one of these services can lead to your organization violating the privacy of everyone whose sensitive data was sent. Not only is this a shocking breach of their rights, but it leaves you open to damages from fraud, extortion and other crimes.

Each instance/email also counts as a HIPAA violation for your company. These can result in huge fines, disruption to business, harm to your company’s reputation and even jail time in the most egregious offenses.

Unless your company is hellbent on its own destruction, it must use a HIPAA-compliant email marketing service when sending ePHI in its messages.

The Features of a HIPAA-compliant Email Marketing Service

If you need to send ePHI in your marketing emails, LuxSci’s HIPAA-compliant Secure Marketing tool is the perfect fit. It combines a state-of-the-art marketing interface with all of the necessary HIPAA-compliant measures to safely send ePHI.

With easy-to-use and beautiful design templates, A/B testing, analytics tools and everything else you need to run a successful marketing campaign, Secure Marketing is an excellent solution for organizations in the health industry.

Protect Your ePHI with Opt-out Encryption

If you plan to regularly send ePHI, make sure you use the opt-out encryption feature in our HIPAA-compliant Secure Marketing service. With opt-out encryption, every message is encrypted by default unless someone explicitly chooses otherwise, so the worst case scenario is that someone sends a message that’s needlessly encrypted. Sure, it might be a little more difficult for the recipient to access, or you might have to send an unencrypted version as well, but no major damage is done.

Now, compare this to the opposite scenario. Let’s say that one of your staff members creates an email that includes ePHI – perhaps it’s some test results from a patient’s latest psychiatric evaluation. In a moment of forgetfulness, the employee sends the message without encrypting it.

If it hasn’t been encrypted, then the patient’s family members could read it on an unlocked device. Hackers could also intercept it and blackmail the person, or use the sensitive data for identity theft and other types of fraud.

The point is that such a simple mistake can easily become a HIPAA violation, something that could have disastrous effects for the individual, as well as the company responsible. It’s pretty clear that this outcome is far worse than sending a needlessly encrypted message.

When Should You Avoid Sending ePHI in Marketing Emails?

You shouldn’t send ePHI in any situation where there isn’t a serious benefit to your patients or your company. Even though ePHI can certainly be secured with tools like LuxSci’s Secure Marketing, why bother sending out such sensitive data for no major gain?

Of course, it goes without saying that you should also avoid sending ePHI in your marketing emails if you don’t have the appropriate HIPAA-compliant tools. If you really need to send ePHI in your messages, subscribe to a suitable service that gives you the business advantages of email marketing campaigns, without having to constantly worry about violations.

Is Mailchimp HIPAA-Compliant?

Friday, January 17th, 2020

“Is Mailchimp HIPAA-compliant?” has echoed through the boardrooms of healthcare organizations countless times. Whenever companies explore their options for email automation and marketing software, the popular provider’s name tends to be one of the first to pop up.

Mailchimp has long been the go-to option for designing emails and newsletters, sending them out, sharing to social networks, tracking results and much more.

The company offers an integrated marketing platform that helps to simplify how businesses connect with their customers and also enhances their results.

It’s only natural that healthcare organizations are also wondering whether HIPAA-compliant bulk email through Mailchimp is possible.

Is Mailchimp HIPAA Compliant?

Sadly, the answer will disappoint most of those in the healthcare sector, as well as other businesses that deal with electronic protected health information (ePHI). Mailchimp is not HIPAA-compliant.

Despite this, there are some promising aspects of Mailchimp’s security that make it seem as though it could be a HIPAA-compliant marketing email option.

These include login pages that are encrypted with TLS, hashed password storage and brute-force protection that prevents attackers from attempting to log in with every possible password combination. The company also conducts regular penetration tests and other security audits.

While these security features are a positive sign for Mailchimp’s service, the platform has a major stumbling block – there’s not a single mention of a business associate agreement (BAA) on the company’s website.

This is concerning, because a BAA is essential for HIPAA compliance whenever companies share their data or allow it to be processed by another organization.

BAAs are a critical part of HIPAA compliance and failure to have one is considered an immediate HIPAA violation. It doesn’t matter if all security best practices are being followed, and the ePHI is being shared in a manner that’s compliant in every other way – sharing data without a BAA in place is still a violation.

This is because BAAs set out how two organizations can share data, and under what circumstances. BAAs also delineate where the legal responsibilities of each party fall, and who will be culpable if there are any problems.

If a company puts in the extra effort to provide a HIPAA-compliant service, they will generally advertise their compliance so that they can attract more clients from the health sector.

Since Mailchimp doesn’t have any reference to BAAs on its site – not even a single mention buried in its legal section – it’s safe to assume that the only answer to “Is Mailchimp HIPAA-compliant?” is a resounding “No”.

Beyond the absence of a HIPAA BAA, Mailchimp also makes no provision for encrypting the bulk mail sent out from its platform. This makes it completely unsuitable for sending email in a context where compliance counts. There are many, many other security nuances also missing from Mailchimp, ones that would not be needed unless you have to follow HIPAA or other compliance frameworks.

Mailchimp HIPAA-Compliant Alternatives

All is not lost for healthcare companies that need a HIPAA-compliant bulk email solution or other marketing tools. While they may have to rule out popular options like Mailchimp, there are a number of HIPAA-compliant marketing email services that are specifically designed for organizations that have to abide by the regulations.

At LuxSci, we specialize in providing secure and HIPAA-compliant services. When building our solutions, we take security, regulatory and practical considerations into account from the early planning stages up until the finished product.

Our approach results in tailor-made tools and services like HIPAA-compliant bulk email and secure hosting. These offer healthcare companies the right balance between their security and regulatory concerns, as well as their need for high-performance tech solutions.

Is Constant Contact HIPAA-Compliant?

Monday, January 6th, 2020

In a perfect world, using Constant Contact would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.


Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials
  • Email marketing automation
  • Marketing tools for ecommerce
  • Contact management
  • Analytic tools for tracking results

Constant Contact has a lot to offer, but is it a good choice for organizations that want to send electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign their own BAA and won’t make changes to it “under any circumstances.” This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check if the BAA is right for your company, you will need to email the legal department listed on that page for a copy.

If you think you may have found the HIPAA-compliant email marketing service you were looking for, reading on may crush your dreams. The BAA page states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI.” The law doesn’t generally differentiate between HIV results and eczema diagnoses, treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

The BAA says that you should avoid using the service if you “have such information to send.” While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not have the ability to encrypt emails containing PHI. HIPAA requires, among many other things, that all ePHI be encrypted during transmission. This is probably why Constant Contact recommends against using their bulk emailing service for the actual sending of HIPAA-compliant emails.

Constant Contact HIPAA-Compliant Alternatives

If you are looking for a HIPAA-compliant email marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in focus.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without violating HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well-thought-out marketing strategy can help you outshine your competition, but providers must keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is essential to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask and one that’s not precisely clear-cut because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data relating to a person’s health, treatment, or payment information, whether in the past, present, or future.

Under this definition, some examples of PHI may include:

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked to the individual. There is a long list of identifiers that include:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so this concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If either condition is not met, your organization may be safe. Before you rush to start an email campaign, though, you need to be careful. The edges of HIPAA can be blurry, and it is best to proceed cautiously.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it could use this information not just to help mothers-to-be but also to bring in new business. The clinic then sends out an email to all expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it implies that everyone in the group is an expectant mother, which means that the recipient list itself could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about past/present/future medical treatments). It might seem unlikely, but these situations occur all the time.

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, ensuring that all of your emails are sent securely is a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, it is crucial to ensure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for healthcare, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization must sign a HIPAA Business Associate Agreement with any service provider you work with. Using the appropriate encryption, access controls, and other security mechanisms is essential to protect ePHI. Be sure to vet your email provider thoroughly, and remember that signing a BAA alone is not enough to ensure compliance.