" secure email marketing Archives - LuxSci

Posts Tagged ‘secure email marketing’

How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.

how to use ephi to segment and personalize emails

How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

    • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead using the name of the medical practice or billing department).
    • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
    • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
    • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule up a follow up appointment. As a result, this group is becoming much sicker than they otherwise would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.

Now you know how to use ePHI to Segment & Personalize emails- what’s next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constact Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.


Secure Bulk Email: The Solution to HIPAA Violations You Didn’t Know You Were Making

Tuesday, May 7th, 2019

If you send emails for marketing purposes, appointment reminders, or any other business transactions, it’s easy to get complacent and think that there is no way that you could be violating HIPAA. Unfortunately, HIPAA laws are incredibly complex and there are a number of unexpected violations that you can make without even realizing it. Using a secure bulk email service is the best way to avoid costly and damaging HIPAA penalties.

HIPAA laws are designed to protect the privacy of individuals and they often play out in ways that aren’t immediately intuitive. They are further complicated because the lines between compliance and non-compliance aren’t always clear. Given the costs of a violation, it’s important that every healthcare provider and business associate errs on the safe side.

How Can Bulk Emails Violate HIPAA?

There are a variety of common situations where healthcare providers can unwittingly leak their patients’ information in a way that violates HIPAA. The following are just a couple of scenarios that are not just compliance issues, but would also have serious ramifications for those who were affected:

Is a Harmless Newsletter Really Harmless?

Let’s say your healthcare organization wants to send out a newsletter to a certain subset of its patients. Surely something so innocent wouldn’t need to be encrypted, right? Unfortunately, this isn’t always the case.

If your company were to email some helpful resources on depression, you might not see any need to send it to all of your patients. You may decide that it’s best to only send it to those who have previously sought out treatment for mental health issues. After all, what can be wrong with sending information to those who are most likely to find it useful?

Such a simple situation could easily have far-reaching consequences. The email connects the patient to the health condition, and it could give away far more information than the patient would be comfortable with. The targeted nature of the email insinuates that the patient has a mental illness, one which is a personal struggle that still carries a strong stigma in our society.

If this information was sent in an insecure manner, it could be accessed by other people, which could take a dramatic toll on the patient’s life. If the patient were a high-powered CEO and the information leaked, it could be personally difficult and also cause stock prices to plummet. A celebrity could see themselves as the center of a scandal, another famous person being hounded by the paparazzi in the grips of a mental breakdown.

Even normal people can face a range of negative consequences, such as if a patient’s spouse finds out that they were receiving treatment without their knowledge, or if a business partner discovers the information and decides not to move forward on the next project.

If your organization had sent out an email like this with the best intentions, it could still be culpable. These intentions don’t matter to the patient, especially if they have gone through a tough ordeal because of the email. In the eyes of HIPAA, the intentions don’t matter either. A violation is a violation.

An Appointment Reminder Can’t Hurt, Can It?

Let’s say a young woman from an extremely conservative background schedules an appointment with an OB-GYN. Under the laws of our society, she should have every right to see whichever kind of medical professional she needs. Her family and community may not see things the same way.

If the message weren’t sent in a secure way, it’s easy to imagine how the details of her appointment could be intercepted by those around her who disapprove. Perhaps they wouldn’t let her go. Maybe she would be shunned by her community or even worse.

No matter what the result, it is clear that there are some vulnerable people who have a strong need to have even their most subtle information protected. Sure, many of us may not care if such an appointment was made public, but that’s not the point. HIPAA laws are for everyone and need to be able to protect the most vulnerable as well.

What Do HIPAA Laws Actually Say About Secure Bulk Email?

The situations mentioned above are focused on the potential human cost of sending health information in an insecure manner. They demonstrate that HIPAA regulations aren’t just the result of a frustrating bureaucracy. Instead, they are important for protecting people.

Now that we’ve gotten that out of the way, we’ll look at the specifics of what the regulations say. This will help you to understand what does and does not constitute a violation, as well as the gray area that lies in between.

When it comes to bulk emailing, the main concern is over electronic Protected Health Information (ePHI). This information needs to be guarded by adequate security measures whenever it is acquired, processed, sent or stored.

In essence, ePHI is any electronic information that is individually identifiable and that pertains to someone’s physical or mental health, their healthcare and treatments, or any payment-related information. It doesn’t matter whether this data is from the past, present or future. As far as HIPAA laws are concerned, it’s all ePHI.

When HIPAA laws refer to “individually identifiable” information, there’s a long list of 18 separate identifiers, including a patient’s name, address, relevant dates, phone number, email address and much more. The final identifier is “any other characteristic that could uniquely identify the individual”, so pretty much anything that can be connected with a patient counts as individually identifiable information.

Of course, any email address that someone gives to their health provider is clearly an identifier. This means that any organization that processes HIPAA data needs to be extremely careful when sending unencrypted emails, making sure that they don’t include anything that could be related to the patient’s health.

HIPAA Privacy Rule & Informed Consent

Under HIPAA’s Privacy Rule, healthcare providers are allowed to use unencrypted email to communicate with their patients, but only when they take reasonable safeguards and limit the information that is disclosed. These communications should be in accordance with the HIPAA Security Rule, which can be viewed in the Regulation Text (p62).

According to the HIPAA Omnibus Final Rule (p70) the only situation where a healthcare provider can send a patient unencrypted ePHI is if the individual has been informed of the risk, but still chooses to have their information sent in an unencrypted manner. Healthcare providers will want to have this consent in writing so that they can maintain a permanent record as proof.

The HIPAA Privacy Rule also states that individuals must give written consent before their ePHI can be used for marketing. This means that messages about appointments or other transactional emails don’t typically need additional authorization, but messages which promote products or services which aren’t related to the patient’s core healthcare require consent.

What does all of this tell us? That a wide variety of information can be considered ePHI, and that there are many situations where it can be inadvertently sent. The penalties are enormous and can be incredibly damaging for the organization that is responsible, even if the violation was accidental.

What Are the Penalties for a HIPAA Breach?

It depends on just how negligent a healthcare provider’s actions have been. They can range from between $100 and $50,000 per violation or per record that has been violated. That’s right, in cases where the violation has been especially negligent, an organization may have to pay $50,000 for each non-compliant email that was sent.

Secure Bulk Email: The Solution that Protects Your Organization & Your Patients

As you can see, it’s easy to slip up and inadvertently face severe HIPAA penalties. From sending marketing materials to test results or even appointment reminders, there are so many pitfalls where you could be violating HIPAA.

LuxSci’s High Volume Email Sending Service can help to remove this burden from your organization, by giving you a wide variety of security options. In both of the scenarios at the start of this article, our bulk email service could have protected the individuals from having their ePHI exposed, as well as the companies involved from suffering the harsh HIPAA penalties that could follow.

You may think that the majority of your bulk email doesn’t need to be encrypted, and you may even be right. But it’s those few exceptional circumstances which can see your business fall on the wrong side of HIPAA regulations. Our bulk email service helps to prevent this by allowing you to implement the security that is best for both your organization and your patients.

Alternative bulk email providers simply don’t offer the security that is necessary for dealing with information that is as sensitive as ePHI. Organizations that use a service which isn’t HIPAA-compliant may be inadvertently violating the regulations.

You may think that you can get around the need for encryption by simply asking your patients for consent. Sure, it’s possible in some cases, but it still requires a lot of administration. Your organization would need to ask for and obtain consent, then keep permanent records. This can be a complex process where there are numerous opportunities for things to go wrong.

The Benefits of LuxSci’s High Volume Email Sending Service

The standout feature of LuxSci’s bulk email service is that it offers HIPAA compliance for large-scale sending. No other company offers a comparable service, which makes LuxSci the go-to option for organizations that take their HIPAA obligations seriously.

On top of this, we offer a flexible setup that allows your business to send its emails in a manner that suits both your needs and those of your patients. Our TLS Exclusive gives you the option to send emails to only those recipients whose email system supports TLS. This can be a great option for marketing campaigns, especially if you don’t want your non-TLS recipients to be forced to click through to a secure Escrow Portal.

As an alternative, our Escrow service allows anyone to access secure email messages, without any complicated steps or security compromises. With our bulk email service, you can configure your messages dynamically, without the need to adjust your settings for every message.

Another key feature of LuxSci’s service is its scalability. As your email needs grow, we can support you along the way, with the capacity for up to hundreds of millions of emails each month. Our dedicated infrastructure installations offer high availability and disaster recovery, giving your organization everything it needs for enterprise-level bulk emailing.

This makes our High Volume Email Service an excellent solution for your business. Not only can it be used to bring your current bulk email practices in-line with HIPAA regulations, but it can form a key part of your marketing campaigns, helping to grow your business well into the future.