" HIPAA-compliant email marketing Archives - LuxSci

Posts Tagged ‘HIPAA-compliant email marketing’

5 Questions to Find the Right HIPAA-Compliant Email Marketing Platform

Tuesday, June 15th, 2021

If you are subject to HIPAA regulations- think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.

Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.

hipaa compliant email marketing

1.    Is your email marketing platform HIPAA-compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2.    Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.

For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3.    Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications.  Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.

4.    How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5.    Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.

HIPAA-Compliant Email Marketing Platforms

LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.

 

 

How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.

how to use ephi to segment and personalize emails

How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

    • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead using the name of the medical practice or billing department).
    • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
    • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
    • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule up a follow up appointment. As a result, this group is becoming much sicker than they otherwise would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.

Now you know how to use ePHI to Segment & Personalize emails- what’s next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constact Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.

 

What is HIPAA-Compliant Email Marketing?

Tuesday, April 13th, 2021

Why does your organization need HIPAA-compliant email marketing? It’s simple. Email marketing is a tried and true marketing strategy that can deliver a major return on investment. Healthcare organizations can also benefit from email marketing, but they need to take steps to make sure their messages comply with HIPAA. 

HIPAA email marketing

When Should You Send HIPAA-Compliant Email Marketing?

A HIPAA-compliant email marketing platform is essential to use whenever your organization could be sending electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health conditions, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and if you think an email may not contain ePHI, it is still best to be cautious.

Examples of HIPAA-Compliant Email Marketing

A good example of an email blast that needs to comply with HIPAA is a newsletter sent to all of a clinic’s cancer patients. At first glance, you might think the email doesn’t not contain any specific PHI. However, upon closer look, it could end up violating HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which is also personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to segment email recipients, the email campaign must comply with HIPAA.

It can be difficult to determine if an email contains ePHI. If you sent the exact same newsletter to a list of all current and former patients of the medical clinic, it may or may not contain ePHI. There are a lot of gray areas and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations. 

After reading this, you may be thinking that you should never use patient information to segment email lists. However, if you use a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list. Sending the right information to your patients at the right time is a very effective patient engagement strategy. 

HIPAA-Compliant Email Marketing Solutions

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest, but still require you to not send anything sensitive via email.  Finding a provider that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to cater to both needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on your marketing investment.

Is Constant Contact HIPAA-Compliant?

Monday, January 6th, 2020

In a perfect world, using Constant Contact would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.

Constant Contact HIPAA compliant

Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials
  • Email marketing automation
  • Marketing tools for ecommerce
  • Contact management
  • Analytic tools for tracking results

Constant Contact has a lot to offer, but is it a good choice for organizations that want to send electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign their own BAA and won’t make changes to it “under any circumstances.” This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check if the BAA is right for your company, you will need to email the legal department listed in the above-linked page for a copy.

If you think you may have found the HIPAA-compliant email marketing service you were looking for, reading on may crush your dreams. It states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI.” The law doesn’t generally differentiate between HIV results and eczema diagnoses, treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

The BAA says that you should avoid using the service if you “have such information to send.” While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not have the ability to encrypt emails containing PHI. HIPAA requires, among many other things, that all ePHI be encrypted during transmission. This is probably why Constant Contact recommends against using their bulk emailing service for the actual sending of HIPAA-compliant emails.

Constant Contact HIPAA-Compliant Alternatives

If you are looking for a HIPAA-compliant email marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in focus.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without violating HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.

Is Marketo HIPAA-Compliant?

Wednesday, October 23rd, 2019

If you’re in the healthcare sector and considering marketing-automation software, you may be wondering, “Is Marketo HIPAA-compliant?”

Marketo features a holistic range of marketing tools that aim to bring results for its users. Its offerings include:

  • Email marketing
  • Lead management
  • Mobile marketing
  • Customer base marketing
  • Consumer marketing
  • Account-based marketing
  • Revenue attribution

Together, these tools can help to streamline and maximize a business’s marketing processes, bringing in more clients and boosting sales. While Marketo offers a great range of tools, it isn’t suitable in every scenario.

Is Marketo HIPAA Compliant?

The short answer is no. While there are many aspects that seem like they would make Marketo HIPAA-compliant, such as 2048-bit certificates, and third-party security assessments, one critical component is missing – Marketo makes no mention of business associate agreements (BAAs).

BAAs are at the core of HIPAA compliance. If ePHI is shared between companies without one of these agreements in place, it’s an immediate HIPAA violation. This is true, regardless of whether every other aspect of the relationship falls completely within the guidelines. 

BAAs are essential because they legally lay out how data will be shared and processed between the two entities, as well as where the responsibility falls.

No matter where we looked on the Marketo website, we couldn’t find any mention of BAAs. We checked through the privacy policy, legal section and even conducted a site-search, but nothing showed up.

Without any indications of the company’s willingness to sign a business associate agreement, we can only assume that the answer to our question of “Is Marketo HIPAA-compliant?” is a strong no.

The company makes things confusing because its Healthcare Marketing Solutions page features references to medical organizations like Boston Children’s Hospital and GE Healthcare.

Despite this seeming conflict, it’s most likely that Marketo does not offer HIPAA-compliant services. If the company did go to the effort of making its platform HIPAA-compliant, it would make sense for it to market these efforts, or at least have some mention of BAAs on its website

The safest assumption is that Marketo probably provides solutions that don’t involve ePHI to the healthcare companies mentioned above. This could include services that don’t need to be HIPAA compliant, marketing email for other purposes, and related offerings.

Marketo HIPAA-Compliant Alternatives

If you were looking for a HIPAA-compliant bulk email solution, or some other software that makes marketing easier, we’re sorry to be the bringers of bad news. At least you can take solace in the knowledge that you won’t get caught in a HIPAA violation for using non-compliant software.

So what are your alternatives? Is Mailchimp HIPAA-compliant?

Unfortunately, MailChimp’s popular platform will also get you in trouble with regulators if it touches your ePHI.

If you’re out of ideas for automating and streamlining your marketing processes, you don’t need to give up hope just yet. At LuxSci, we offer both HIPAA-compliant bulk email and HIPAA-compliant marketing email services.

HIPAA compliance and security are our main focuses at LuxSci, so all of our services are designed with the regulations in mind at every step of the way. By partnering with LuxSci and using our marketing services carefully, your organization can significantly reduce its risks of HIPAA violations.

LUXSCI