" HIPAA-compliant email marketing Archives - LuxSci

Posts Tagged ‘HIPAA-compliant email marketing’

What is HIPAA-compliant Email Marketing?

Monday, January 13th, 2020

Why does your organization need HIPAA-compliant email marketing? It’s simple. Businesses in the healthcare field (and those that process their data) have many of the same needs as other companies. They need to be able to get their messages out, so that they can help more people and drum up more business.

Whether it’s HIPAA-compliant bulk email or emails that are specific to the individual, the messages need to be sent in a way that abides by the regulations, both to protect the privacy of patients, and to avoid legal penalties.


Email marketing

When Should You Send HIPAA-compliant Email Marketing?

HIPAA-compliant email marketing is critical whenever your organization could potentially be sending electronic protected health information (ePHI). This is information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable means information that can be connected with the person. This includes identifiers like their name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health condition, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and it’s best to err on the safe side even if you think an email may not contain ePHI.

A good example of a borderline case would be a newsletter sent around to all of a clinic’s cancer patients. While the email may contain helpful information, it could also end up breaching the patients’ privacy and HIPAA regulations.

HIPAA emailing

This is because the emails are sent to an address, which is a personal identifier. If the message was only sent out to cancer patients rather than to many different people, then the email could be considered ePHI, since being a recipient of the message would effectively declare that the recipient was a cancer patient.

While this may sound like a stretch, it’s also important to consider that normal email isn’t secure. If a politician or a CEO’s email was intercepted and this information released, it could cause damage to their careers and take some agency away from their lives.

This is just one example of why it’s crucial to err on the safe side and use HIPAA-compliant email marketing for any promotional materials whenever there is even the slightest possibility of sending ePHI.

On the other hand, if you have a HIPAA-compliant email marketing solution that allows for the sending of ePHI in email messages, then you can leverage ePHI to send much more effective messages.  You have a much larger return on your effort. 

HIPAA-compliant Bulk Email Solution

Finding an appropriate service for HIPAA-compliant bulk email marketing can be challenging. Most of the common vendors aren’t HIPAA compliant at all. Others claim compliance, but still require you to not send anything sensitive via email (because they do not actually secure the email messages).  Finding one that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s High Volume Secure Email has been designed to cater to both needs. Security and compliance are considered at every step of the way, while still delivering a top-quality product that fits right into your organization’s workflows.

Is Constant Contact HIPAA-compliant?

Monday, January 6th, 2020

In a perfect world, Constant Contact HIPAA-compliant marketing software would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.

Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials.
  • Email marketing automation.
  • Marketing tools for ecommerce.
  • Contact management.
  • Analytic tools for tracking results.

It has a lot to offer, but is it a good choice for organizations in the health niche or those that process electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign their own BAA and won’t make changes to it “under any circumstances”. This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check if the BAA is right for your company, you will need to email the legal department listed in the above-linked page for a copy.

If you think you may have found the HIPAA-compliant bulk email service you were looking for, reading on may crush your dreams, because it states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI”. The law doesn’t generally differentiate between HIV results and eczema diagnoses,  treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

It then goes on to say to avoid use the service if you “have such information to send”. While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not include any facility to ensure that your bulk email messages are actually encrypted when sent.  As HIPAA requires, among many other things, that all ePHI be encrypted during transmission, this is probably why Constant Contact recommends that you NOT use their bulk emailing service for the actual sending of bulk sensitive email.

Constant Contact HIPAA-Compliant Alternatives

If you are still looking for a HIPAA-compliant bulk email or marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in mind from the ground up.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without falling foul of HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.

Is Marketo HIPAA-Compliant?

Wednesday, October 23rd, 2019

If you’re in the healthcare sector and considering marketing-automation software, you may be wondering, “Is Marketo HIPAA-compliant?”

Marketo features a holistic range of marketing tools that aim to bring results for its users. Its offerings include:

  • Email marketing
  • Lead management
  • Mobile marketing
  • Customer base marketing
  • Consumer marketing
  • Account-based marketing
  • Revenue attribution

Together, these tools can help to streamline and maximize a business’s marketing processes, bringing in more clients and boosting sales. While Marketo offers a great range of tools, it isn’t suitable in every scenario.

Is Marketo HIPAA Compliant?

The short answer is no. While there are many aspects that seem like they would make Marketo HIPAA-compliant, such as 2048-bit certificates, and third-party security assessments, one critical component is missing – Marketo makes no mention of business associate agreements (BAAs).

BAAs are at the core of HIPAA compliance. If ePHI is shared between companies without one of these agreements in place, it’s an immediate HIPAA violation. This is true, regardless of whether every other aspect of the relationship falls completely within the guidelines. 

BAAs are essential because they legally lay out how data will be shared and processed between the two entities, as well as where the responsibility falls.

No matter where we looked on the Marketo website, we couldn’t find any mention of BAAs. We checked through the privacy policy, legal section and even conducted a site-search, but nothing showed up.

Without any indications of the company’s willingness to sign a business associate agreement, we can only assume that the answer to our question of “Is Marketo HIPAA-compliant?” is a strong no.

The company makes things confusing because its Healthcare Marketing Solutions page features references to medical organizations like Boston Children’s Hospital and GE Healthcare.

Despite this seeming conflict, it’s most likely that Marketo does not offer HIPAA-compliant services. If the company did go to the effort of making its platform HIPAA-compliant, it would make sense for it to market these efforts, or at least have some mention of BAAs on its website

The safest assumption is that Marketo probably provides solutions that don’t involve ePHI to the healthcare companies mentioned above. This could include services that don’t need to be HIPAA compliant, marketing email for other purposes, and related offerings.

Marketo HIPAA-Compliant Alternatives

If you were looking for a HIPAA-compliant bulk email solution, or some other software that makes marketing easier, we’re sorry to be the bringers of bad news. At least you can take solace in the knowledge that you won’t get caught in a HIPAA violation for using non-compliant software.

So what are your alternatives? Is Mailchimp HIPAA-compliant?

Unfortunately, MailChimp’s popular platform will also get you in trouble with regulators if it touches your ePHI.

If you’re out of ideas for automating and streamlining your marketing processes, you don’t need to give up hope just yet. At LuxSci, we offer both HIPAA-compliant bulk email and HIPAA-compliant marketing email services.

HIPAA compliance and security are our main focuses at LuxSci, so all of our services are designed with the regulations in mind at every step of the way. By partnering with LuxSci and using our marketing services carefully, your organization can significantly reduce its risks of HIPAA violations.

Email Open and Click Tracking for Everyone

Tuesday, April 2nd, 2019

Have you ever sent an email message and then wondered:

  • Did they open your email message?  
  • Did they click on any of the links that you included?  
  • Which links?  
  • Was the message forwarded on and opened by other people?  
  • When did they read it?

Typical email marketing platforms, like LuxSci’s Spotlight Mailer, include features that expose this information for the email marketing campaigns sent through them.   However, not all email marketing systems include email open and click analysis.  And, what about sending email via other means, e.g., through WebMail, Outlook, iPhone, API, basic SMTP relaying, etc.   Most outbound email systems that are not explicitly geared towards email marketing do not provide any means to learn the answers to these important questions.

With LuxSci’s new email open and click tracking options, LuxSci will add codes to your messages so that you can gather then answers to such business critical questions for any messages sent through LuxSci:

  • WebMail
  • API
  • SMTP Relaying — i.e., Outlook, Mac Mail, iOS, Android, and other all programs that connect via SMTP

Open and click tracking is included as a standard feature with LuxSci email hosting, LuxSci high volume secure sending, and LuxSci smart hosting.


When LuxSci email open tracking is enabled, LuxSci adds a small image to the end of the HTML part of every message sent to every recipient.  When the recipient opens this message, that image is requested from LuxSci’s servers and we record the “email open” event.   This includes the date/time it was opened, the recipient of that message, and the IP address / physical location where the message was opened.

When LuxSci email click tracking is enabled, LuxSci modifies the links in all HTML parts of every message sent to every recipient.  When the recipient clicks on any of these links, they are taken first to LuxSci.  We record the click event. This includes the URL clicked, date/time it was clicked, the recipient of that message, and the IP address / physical location where the link was clicked.  Then, LuxSci redirects your recipient to the actually intended web address.  This happens so fast that most people never notice the tracking.


Open and/or click tracking can be enabled in LuxSci on an account-wide, domain-wide, or per-user basis; you can customize its usage to match your business needs.

To enable account-wide, for all messages sent by all users in your account, go to:

  • Account Settings > Email
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable domain-wide, for all messages sent by all users whose email addresses belong to a specific domain, go to:

  • Account Settings > Domains
  • Click on the domain in question (if you have multiple in your account).
  • Click on “Outbound Email Settings” on the left
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable for all messages sent by a specific user, go to

  • Your user outbound email settings:
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”


Once you have enabled open or click tracking and have sent some messages, you can look and see what has happened. Did anyone open the messages? Who clicked on what links? When?

There are several ways to dig into this juicy data.

User-Level Reports

Login to you LuxSci Account and go to your Reports area. From there, open up the menu area on the left for “Sent Email – From WebMail” or “Sent Email – From SMTP Server,” depending on which messages you are interested in. Next, you can look at the “Message Opens” and “URL Clicks” reports to see what has been opened and clicked. Note that you can export data using the “Download CVS File” button on the upper right of the page. Also, Open and Click details are also available in the “Delivery Status” reports via the “Advanced” reporting tab.

Account-Level Reports

As an account administrator, you can view reports covering sending across all users in your account. Go to your Account Reports area. Then, open the “Sent Email” menu on the left and you can find reports analogous to the user-level ones, described above, but inclusive of the sending from all users.

API Reports

If you would like to integrate email open, click, and other deliverability information into our own database or application, your can use LuxSci’s REST API. The API provides all of the functionality of the user and account user interface reports, but through programmable queries and filters.


When open or click tracking are enabled, images and/or links are added to your email email messages that reference luxsci.com.  If you would like to customize this so that your own domain name is used for these images and links, LuxSci offers “Private Labeling.”  Customers with Private Labeling can customize many aspects of LuxSci, including the look of the WebMail interface and the domain name used for these links and images.  If you already have Private Labeling enabled, then your configured secure domain name will be automatically used with open and click tracking.

Want to learn more about HIPAA-compliant email marketing and reporting? Contact us.