Email is an essential channel for most healthcare marketers, but HIPAA compliance requirements can make it challenging to execute effective engagement campaigns without violating patient privacy.
HIPAA is a complicated set of regulations that while offering a lot of guidance, does not mandate the use of any specific technologies to protect patient privacy. This ambiguity causes a lot of confusion for marketers looking to integrate email into their healthcare engagement campaigns.
With this in mind, this article addresses some frequently asked questions (FAQs) about HIPAA-compliant email marketing and offers advice for securing patient data and future-proofing your marketing.
Frequently asked HIPAA compliant email marketing questions
Do Generic Newsletters Need To Be Protected?
What Is An Email API?
Does HIPAA Allow Healthcare Providers To Send Unencrypted Emails With PHI To Patients?
Can Patients Exercise Their Right Of Access By Receiving PHI via Unencrypted Email?
Is Microsoft 365 Sufficient For Marketing Emails?
What Are Common Email Marketing Use Cases For Healthcare?
How Do I Find a HIPPA-Compliant Email Marketing Vendor?
Do generic newsletters need to be protected?
Some marketers assume newsletters from a healthcare provider or supplier do not contain health information and, therefore, do not fall under HIPAA requirements. This assumption, however, is often incorrect, with many surprised to learn that protected health information (PHI) can be implied from seemingly innocuous information.
As a result, many generic email newsletters often indirectly contain PHI due to the very fact that they are sent to lists of current patients or customers. This is because email addresses count as individually identifiable data and when combined with the message therein, it’s pretty simple to infer that they are patients or customers.
Let’s say, for example, that you send a newsletter to the patients of a dialysis clinic. An eavesdropper could infer that the recipients receive dialysis. Consequently, as the email reveals information about an individual’s health treatment, it contains PHI and should be secured in compliance with HIPAA regulations.
For the fundamental reason that it can be difficult to determine what classifies as PHI, it’s safer to skip the ambiguity entirely and use a HIPAA-compliant email marketing solution to ensure security.
What is an email API?
An Application Programming Interface (API) is a collection of protocols, or rules, that enable different applications to communicate with each other. APIs are a crucial aspect of modern applications – as they spare developers the considerable effort of creating application features from scratch – they can just connect to the API of an existing application.
For example, how many websites have you used that utilize Google Maps? This is because they have connected their site to the Google Maps API – integrating it into their application and providing another feature for their users.
In the case of an email API, it is a way for applications, such as customer relationship management (CRM) platforms, customer data platforms (CDP) and electronic health record (EHR) systems, to connect to email service providers. This then allows marketers to send emails through the application, using the ePHI (electronic protected health information) collected and stored within the application.
Additionally, marketers can view and further utilize campaign data through the powerful dashboards and analysis tools found in CRM systems and similar applications. Trigger-based transactional or marketing emails are ideal for sending with an email API, whereby emails are sent when pre-determined conditions in the application are met. Healthcare organizations may use email APIs to send appointment reminders using electronic health records system data about a patient’s upcoming appointments, check ups or treatments.
As invaluable as email APIs are, however, especially for streamlining and automation communication workflows, they are no substitute for a comprehensive email marketing platform. Email APIs do not include the contact management systems standard in most email marketing platforms, as all the data resides within the application they connect to. Additionally, email API tools do not typically include drag-and-drop editor tools and other design features that enable you to make your emails stand out and boost patient engagement.
Does HIPAA allow healthcare providers and companies to send unencrypted emails with PHI to patients?
Encryption is an addressable standard, i.e., it must be implemented by the organization unless a risk analysis concludes that implementation is not reasonable and appropriate, under the HIPAA Security Rule. This does not mean it is optional. The HIPAA Security Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to protect privacy reasonably, such as limiting the amount or type of information disclosed through the unencrypted email.”
In addition, the Department of Health and Human Services also states that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” in response to this, some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.
However, we do not recommend this approach for several reasons:
- Keeping track of waivers over time and recording status changes and updates is challenging – and increases your administrative overhead.
- Signed waivers do not insulate you from the consequences of a HIPAA breach.
- Using waivers to send unencrypted emails doesn’t absolve you of your other HIPAA obligations, such as data retention and disposal. Subsequently, using a HIPAA-compliant email solution is more manageable and eliminates ambiguity.
Can patients exercise their right of access of receiving PHI voa unencrypted email?
Yes, but they must be fully informed of the risks and sign waivers acknowledging them; the caveats detailed in the above answer apply. Consequently, it’s always best to use an encryption tool to protect patient data.
Is Microsoft 365 with encryption sufficient for sending marketing emails?
Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, it is not well-suited for sending marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. As a result, the portal adds friction to the marketing process that prevents optimal engagement and constrains ROI.
Marketing messages containing light-PHI, i.e. low-risk data, are best sent using Transport Layer Security (TLS) encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require them to complete an additional step.
Additionally, Microsoft 365 is not configured to send high volumes of email. If you plan on executing large scale marketing campaigns, you could unintentionally disrupt regular business communications by sending all the messages through the same infrastructure. Instead, you should separate your business and marketing email delivery activities to protect your IP reputation, i.e., the trustworthiness of your IP addresses and how likely it is your emails end up in a spam folder, and achieve your desired sending throughput.
What are the common email marketing use cases for healthcare?
Email marketing in healthcare is not restricted to boring general practice newsletters and other communications that fail to engage patients. When you successfully harness tools that enable you to use ePHI to better target and personalize your healthcare engagement campaigns – the sky is the limit. With consumer preferences shifting toward digital communications, marketers who know how to best utilize HIPAA-compliant email marketing – and tactics like segmentation and personalization – will prove more effective at reaching patients.
Examples of ways that healthcare marketers can use email include:
- Lead generation campaigns
- Promotions
- Verifications
- Order confirmations
- Notifications
- Upsell & cross-sell
- Collecting data on the patient experience
How do I find a HIPAA-compliant email vendor?
Using popular email marketing platforms, such as Mailchimp, is not recommended. Many of these platforms were designed for businesses, but are simply not secure enough to meet HIPAA requirements. We do not recommend using a solution not specifically equipped to meet the healthcare industry’s unique security and compliance needs. To determine if your email marketing provider is compliant, they must meet three broad criteria at a minimum.
- The vendor must sign a Business Associate Agreement (BAA) outlining how they plan to secure your data and what they will do in the event of a breach.
- Encrypt data at rest when it is stored in their systems.
- Encrypt data, i.e., email messages, in transit as sent to the recipients.
Not all vendors will be up to the task. Carefully vet your email marketing vendors to ensure they are taking steps to secure data and protect patient privacy.
Conclusion
Admittedly, HIPAA can be difficult to understand – but choosing the right tools and adequately vetting your vendors makes it far easier to successfully execute HIPAA-compliant email marketing campaigns.
As the most experienced HIPAA-compliant email provider, LuxSci specializes in providing secure and scalable communications for companies aiming to send hundreds of thousands – or millions – of emails. In light of this, we place security, compliance and personalization considerations front and center when building our solutions.
Interested in discovering how LuxSci’s secure healthcare communications solutions can transform your healthcare marketing and engagement efforts?
Contact us to learn more today!
