" HIPAA-compliant email marketing Archives - LuxSci

Posts Tagged ‘HIPAA-compliant email marketing’

HIPAA-Compliant Email Marketing: FAQ

Tuesday, November 21st, 2023

Email is an essential channel for most marketers. However, HIPAA regulations raise many questions for healthcare marketers who need to execute email marketing campaigns without violating patient privacy.

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. The ambiguity causes a lot of confusion for marketers trying to integrate email into their marketing strategy. This article addresses some frequently asked questions about HIPAA-compliant email marketing and offers advice for securing patient data and futureproofing your marketing.

Do generic practice newsletters need to be protected?

Some marketers assume practice newsletters do not contain health information and, therefore, do not fall under HIPAA requirements. However, this assumption is often incorrect. Many are surprised to learn that protected health information can be implied from seemingly benign information.

In this way, many generic email newsletters often indirectly contain PHI because they are sent to lists of current patients. Email addresses are individually identifiable and combined with the email content; it may imply that they are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that the recipients receive dialysis. Therefore, the email reveals information about an individual’s health treatment, is PHI, and should be secured in compliance with HIPAA regulations.

In some cases, it can be complicated to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution is best to avoid ambiguity and ensure security.

How Do I Find a HIPAA-Compliant Email Marketing Vendor?

Unfortunately, using broadly popular email marketing platforms is not recommended. Many of these platforms were designed for e-commerce businesses and are not secure enough to meet HIPAA requirements. We do not recommend using a solution not specifically equipped to meet the healthcare industry’s unique security and compliance needs. To determine if your email marketing provider is compliant, they must meet three broad criteria at a minimum.

  1. The vendor must sign a Business Associate Agreement outlining how they plan to secure your data and what they will do in the event of a breach.
  2. Encrypt data at rest when it is stored in their systems.
  3. Encrypt email messages and data in transit as it is sent to the recipients.

 

email marketing vendor comparison

Not all vendors will be up to the task. Carefully vet your email marketing vendors to ensure they are taking steps to secure data and protect patient privacy.

What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails using data from the application. Email APIs also return campaign data to the platform or dashboards so you can assess the effectiveness of your marketing efforts. Trigger-based transactional or marketing emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. Healthcare organizations may use email APIs to send appointment reminders using electronic health records system data about a patient’s upcoming appointment.

Email APIs enable the automation of common email workflows. However, they are not interchangeable with email marketing platforms. Email APIs do not include the contact management systems standard in most email marketing platforms because all that data lives within the application they connect to. In addition, email API tools typically do not include drag-and-drop editor tools or other design features that help your emails stand out.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it is optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to protect privacy reasonably, such as limiting the amount or type of information disclosed through the unencrypted email.”

In addition, the Department of Health and Human Services also states that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this approach for several reasons:

  1. Keeping track of waivers over time and recording status changes and updates is challenging.
  2. Signed waivers do not insulate you from the consequences of a HIPAA breach.
  3. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations like data retention and disposal. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Can patients exercise their right of access by receiving PHI via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It’s always better to utilize an encryption tool to protect patient data.

Is Microsoft 365 or Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, the program is not well-suited to send marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. If you are a marketer trying to increase engagement, the portal adds a barrier to access that many will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require a user to log in to read the message.

TLS versus Portal Pickup email encryption

In addition, Microsoft 365 is not configured to send high volumes of email. If you plan to send large marketing campaigns, you could unintentionally disrupt regular business communications by sending all the messages through the same infrastructure. You should separate your business and marketing email sending to protect your IP reputation and achieve your desired sending throughput.

What are common email marketing use cases for healthcare?

Email marketing in healthcare is not restricted to boring practice newsletters. When you utilize tools that enable the use of PHI in your targeting and personalization efforts, the sky is the limit. With consumer preferences shifting toward digital communications, marketers willing to utilize the email channel and tactics like segmentation and personalization can see better results.

Email is an excellent way to communicate with patients. A sampling of ways that healthcare marketers can use email include:

  • engaging patients in their healthcare journey
  • educating patients about their healthcare conditions and treatments
  • improving attendance and scheduling
  • retaining patients
  • increasing preventative procedures
  • collecting data on the patient experience
  • improving patient satisfaction

Conclusion

HIPAA can be difficult to understand, but choosing the right tools and adequately vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please contact our sales team.

What is HIPAA-Compliant Email Marketing?

Tuesday, September 26th, 2023

If you are one of the 92% of Americans with an email address, you are likely familiar with email marketing. It is a tried and true marketing strategy that delivers a superior return on investment compared to other digital channels. However, when healthcare organizations want to utilize these strategies, out-of-the-box solutions are not a good fit. Healthcare organizations must utilize email marketing platforms specifically designed to meet HIPAA’s unique privacy and security requirements.

When Do You Need a HIPAA-Compliant Email Marketing Platform?

Healthcare organizations are required to use a HIPAA-compliant email marketing platform because their messages often contain electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number, and more. By default, every email marketing communication includes the patient’s email address and is, therefore, individually identifiable. Not only does the definition of ePHI cover people’s past, present, and future health conditions, but it also includes treatment provisions and billing details. This information is often contained in email marketing messages.

While the law does not cover anonymous health details or individual identifiers sent by themselves, you must be careful and abide by HIPAA regulations when the two are brought together. You will need a HIPAA-compliant email marketing service whenever you send ePHI. As we will see, even if you think an email may not contain ePHI, it is still best to be cautious.

Types of HIPAA-Compliant Email Marketing Communications

An excellent example of an email blast that must comply with HIPAA is a newsletter sent to a clinic’s cancer patients. At first glance, the email doesn’t contain any specific PHI. It doesn’t mention Jane Smith’s chemotherapy treatments, other specific patients, or their medical information. However, upon closer look, it may violate HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which also tells you personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to create a segment of email recipients, the email campaign must comply with HIPAA.

Sometimes, it can be challenging to identify if an email contains ePHI. If you sent the same practice newsletter to a list of all current and former medical clinic patients, it may or may not contain ePHI. Even if the newsletter contained benign info about the practice’s operating hours or parking information, if the practice is centered around treating a specific condition like cancer or depression, it may be possible to infer information about the recipients regardless of the message.

There are a lot of gray areas, and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations.

The Benefits of Using a HIPAA-Compliant Marketing Platform

After reading this, you may think the answer is to avoid sending PHI in email campaigns. However, by keeping your communications bland, generic, and broadly targeted, you miss out on significant opportunities to engage your patients.

Using a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list.

Results of leveraging PHI

Sending the right information to your patients at the right time is an effective patient engagement strategy. Think about it using an e-commerce example- when a retailer sends you product recommendations based on past purchases; they use your data to influence future purchasing decisions. By utilizing patient data to create highly relevant and personalized campaigns and offers, you receive a better return on investment in your efforts.

What is Required for HIPAA-Compliant Email Marketing?

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest but still will not enable you to send PHI via email. Finding a provider that suits your business needs and protects the email messages requires careful vetting.

Generally speaking, a HIPAA-compliant email platform must meet three broad requirements:

  1. The vendor will sign a Business Associates Agreement that outlines how they will protect your data and what happens in case of a breach.
  2. The vendor protects the data at rest using appropriate storage encryption, access controls, and other security features.
  3. The vendor protects messages in transit using an appropriate level of encryption with the proper ciphers.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to meet the healthcare industry’s unique needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, organizations can send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on their marketing investment.

How to Engage Patients with Email Marketing

Tuesday, February 1st, 2022

Email marketing is one of the most effective ways to communicate with patients. However, health care providers have long avoided it because of HIPAA concerns. In this article, we will provide a few examples of how to use email marketing to engage patients and increase ROI.

engage patients

Don’t Forget About HIPAA!

A quick reminder- the following use cases assume that an organization is utilizing a HIPAA-compliant email marketing platform. Most major email marketing platforms (like Mailchimp and Constant Contact) cannot encrypt outgoing emails and are not HIPAA-compliant. Do not upload ePHI to a marketing platform without first signing a Business Associate Agreement and thoroughly vetting the vendor. Just because a vendor will sign a BAA, it does not mean including sensitive data in emails is permitted. Choosing a platform designed for HIPAA compliance (like LuxSci’s Secure Marketing) is highly recommended to help reduce risks.

Now that’s out of the way, let’s dive into some examples of how ePHI can be utilized in email marketing campaigns to improve patient engagement.

Provider and Network Changes

Changing a healthcare provider can be a tedious task. Instead of relying on staff to call and mail notices to affected patients, use email marketing to engage patients. Suppose Dr. Smith is retiring, and a practice needs to inform his patients of the upcoming change. Using email is a highly effective way to do so. First, create a segment of Dr. Smith’s patients and send an email to them with directions on how to choose a new provider. Marketers could further segment this list by using the patient’s insurance and offering  suggestions of new providers who are in-network and are accepting new patients. By making it as easy as possible for Dr. Smith’s patients to continue care, it increases retention and keeps patients satisfied.

In a similar vein, when a new provider joins the practice, an organization can email all their current patients who are without a provider to encourage them to come in and seek care.

Events Marketing

Almost every health care system offers events that are specifically targeted to different patient populations. Some examples include parenting classes for new moms, nutrition classes for diabetics, and cancer support groups. When using a HIPAA-compliant email marketing program, an organization can use health care data to target these patient populations with personalized marketing messages to increase enrollment and engagement.

For example, let’s imagine that a healthcare organization is running a series of classes for new moms. To promote the classes, the marketing team can get a list of currently pregnant patients and send them emails about the upcoming series. Since these emails are highly relevant to this specific user group, it’s likely the campaign will perform well and increase enrollment. If this email was sent to the entire company email list, it may annoy patients who do not fall into this category, and many would unsubscribe. By only sending emails to relevant groups, it keeps patients interested rather than irritated by marketing messages.

Address Care Gaps

HIPAA-compliant email marketing can also be used to encourage vulnerable populations to seek follow up care. One campaign type  is screening reminders. Many screenings are recommended when certain age and demographic criteria are met. For example, mammograms are recommended when women reach their 40s. An organization could use email marketing to target patients who meet the demographic criteria with information about how to schedule their screening. It’s also possible to exclude women who have already had their mammogram. These highly targeted mailings can automate processes and improve patient health outcomes.

In addition, organizations can create campaigns in different languages to expand outreach efforts to marginalized patient populations. The possibilities for personalization are endless. Sending highly relevant and personalized email campaigns is a surefire way to engage patients.

Conduct Surveys and Gather Feedback

Using a HIPAA-compliant email marketing platform makes it easy to test messaging to increase response rates. Improving patient satisfaction is important to improve reimbursement rates from insurance companies and the federal government. Understanding areas to improve can help organizations deliver a better patient experience and increase profit.

Conclusion: Engage Patients with Email Marketing

These are just a few ways that health care systems can increase patient engagement with HIPAA-compliant email marketing. Healthcare organizations have access to troves of data that can be used to create highly relevant marketing campaigns. However, it’s extremely important to keep sensitive data protected. To successfully and securely engage patients without running afoul of HIPAA regulations, use a HIPAA-compliant email marketing platform.

5 Questions to Find the Right HIPAA-Compliant Email Marketing Platform

Tuesday, June 15th, 2021

If you are subject to HIPAA regulations- think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.

Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.

hipaa compliant email marketing

1. Is your email marketing platform HIPAA-compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2. Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.

For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3. Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications.  Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.

4. How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5. Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.

HIPAA-Compliant Email Marketing Platforms

LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.

 

 

How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.

how to use ephi to segment and personalize emails

How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

    • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead using the name of the medical practice or billing department).
    • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
    • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
    • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule up a follow up appointment. As a result, this group is becoming much sicker than they otherwise would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.

Now you know how to use ePHI to Segment & Personalize emails- what’s next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constact Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.