Over the past 12 months, I've travelled across the country speaking, networking, and meeting lots of folks in the HIPAA industry.
These interactions yielded deep insight into the challenges organizations face when it comes to HIPAA compliance and email. It also revealed that there is ample opportunity here, the likes of which keep me up at night.
In this post, I will outline two of the insights I've gleaned from the industry, hiding in plain sight:
Table of Contents:
A cursory glance into the U.S. healthcare space quickly tells us that it's the fastest-growing sector of the U.S. economy, employing over 18 million workers. We also see that spending in healthcare is $3.9 trillion, or 18% of the nation's gross domestic product (GDP).
What would be missed however, is that HIPAA regulations entangle more than just the healthcare sector. For example, the Bureau of Labor Statistics (BLS) considers health insurance and pharmaceuticals as distinct categories, apart from healthcare.
However, all three categories fall under HIPAA compliance regulations. As our HIPAA industry research reveals, today more than 22 million Americans are required to be HIPAA compliant in the workplace. By 2022, this is forecast to climb to nearly 26 million employees.
Here are the macro trends driving the HIPAA industry today:
Now that we've covered the size and macro trends driving HIPAA, let's move on and uncover the unmet need percolating beneath it.
Many enterprise healthcare organizations take a prohibitive stance on even sending banal email announcements to their customer base. In effect, email marketing in U.S. healthcare barely exists, even in 2019. Let's look at an example that explains why this is so.
Let's say a division of a large healthcare provider, like the Kaiser Bariatric Center of San Francisco (they are not a Paubox customer, this is merely an example), has a list of 5,000 past, present, and potential patients.
To keep top of mind, they want to send an email newsletter to their list, wishing them a happy Thanksgiving. Somewhere in their byzantine corporate structure, someone in Kaiser's legal department intervenes and stops the email from being sent.
Their reasoning would be that merely the "To:" and "From:" fields would represent protected health information (PHI), thereby triggering HIPAA compliance requirements. They would argue that if the email newsletter can't be sent in a secure, HIPAA compliant manner, it can't be sent.
Let's dive in a bit more to understand why their legal department could take such a stance in this hypothetical example. Let's say the beginning of the email would look like this:
From: Kaiser Bariatric Center of San Francisco <KP-Bariatric-SSF@kp.org> To: Jane Doe <janedoe55@gmail.com> Subject: Wishing you a Happy Thanksgiving!
Since the sender is coming from the Kaiser Bariatric Center, we can infer a medical condition. And since the recipient field uses a person's name and email address, we can tie a medical condition (i.e., the sender's name and email) to them.
It may sound overly conservative. It may even sound absurd. But that's the state of email marketing and HIPAA compliance today.
To solve this problem, we have developed Paubox Marketing, our HITRUST CSF certified email marketing solution.
Paubox Marketing allows healthcare providers to send properly encrypted marketing messages which contain PHI directly into the recipients' email mailboxes. We sign a business associate agreement (BAA) with our partners, and we encrypt PHI both at-rest and in-transit, both of which are HIPAA requirements.
Read on to learn more about why these features differentiate Paubox Marketing from our competitors' products.
As we've previously covered, a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a BAA.
If you are a covered entity entrusting PHI to a third party like an email marketing vendor, then a BAA is required by law.
Read more: HIPAA Compliance and Healthcare Email Marketing: What You Need to Know
In the email marketing space, the majority of vendors will not sign a BAA with their customers. In fact, the following email marketing companies will not sign a BAA:
Of the remaining prominent email marketing vendors, we found four that will sign a BAA:
More on why these solutions still won't work for your healthcare marketing needs below.
When it comes to HIPAA compliant email, there are two more high-level HIPAA requirements to keep in mind:
Let's take a look at why this is important. In our research, we discovered it pays to read the fine print. Let's use Constant Contact as an example. In their HIPAA Knowledge Base, we can see that while the company will sign a BAA, Constant Contact does not allow its customers to actually send PHI via their platform:
[You] Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.
In a nutshell, even having a BAA in place with Constant Contact does not allow a healthcare organization to effectively market to its client base.
To the best of our knowledge, the same limitation is true with Infusionsoft and Salesforce Marketing Cloud.
On the other hand, Oracle Eloqua can be used in a HIPAA compliant manner for email marketing and automation. However, it is difficult to use and configure, and most importantly, it requires recipients to log into a secure portal to read their messages which decreases open rates.
This is in contrast to Paubox Marketing which will: 1) Sign a BAA; 2) Encrypt email both in transit and at rest; and 3) Allow your patients to read their emails directly from their inbox with no extra steps.
Healthcare providers are only now realizing the power and potential of email marketing to their patients and potential patients. This basic business strategy and key to patient engagement has been missing from many healthcare organizations because of the lack of a real solution - until now.
After twelve months of diligent research and listening to customer feedback, I'm happy to say we intend to fulfill this unmet need in the market with Paubox Marketing, which allows you to segment and send secure emails using your patient data to drive more engagement and results.
All while staying HIPAA compliant.
Related Items: