Paubox blog: HIPAA compliant email made easy

Can email marketing be HIPAA compliant?

Written by Dean Levitt | September 30, 2024

There are numerous possibilities for email marketing in healthcare, but before we list them, let's briefly discuss HIPAA compliant email marketing. 

According to Boston-based Litmus, email marketing has the highest return on investment out of all the marketing channels, with a $36 return for every dollar spent, though other sources put this even higher. 

Jordan Holmes, VP of Sales at Paubox, says, "Healthcare providers aim to deliver more education and better experiences to their patients, and email marketing is a tool that can significantly aid in this effort. It's a method that makes a lot of sense in the context of healthcare, where the focus is on adding value and enhancing patient education and experience."

Can email marketing be HIPAA compliant?

Yes, but very few email marketing platforms offer true HIPAA compliant newsletters and marketing automation. Some email marketing platforms try to hide the ball somewhat by claiming they are HIPAA compliant and are even willing to sign a business associate agreement (BAA). However, on reading the fine print, you'll note the BAA covers the storage of PHI but not its sending. They pass the buck and gently recommend that covered entities simply avoid including PHI in any email content.

That means no personalization and a whole lot of room for human error.  

"The unique aspect of a HIPAA compliant solution in email marketing is the ability to segment the audience, identify the value being provided, and ensure important messages reach the relevant segment of patients," Holmes says. "The key is to start where you can drive value and then expand to more patient segments."

Email marketing is most effective when personalized

"Many healthcare providers are achieving high open rates, up to 70 percent or more, by driving value, segmenting their audience, and personalizing messages in a way that resonates with patients, thereby enhancing their experience. Email marketing in healthcare is not just about communication; it's also about education. Patients living with various conditions appreciate regular information that helps them lead healthier lives."

Therein lies the challenge with healthcare email marketing - personalization. Personalization means the inclusion of PHI in bulk emails and, therefore, requires encrypting the emails.

Most marketing platforms are unwilling to take on the responsibility of secure email marketing and the business associate agreement. 

Paubox leverages our background in secure, HIPAA compliant email and applies it to email marketing with impressive results. 

Paubox analyzed the email marketing results of 104 healthcare organizations across two million recipients and found an average open rate of 54.76% - more than double Campaign Monitor's benchmark for healthcare emails.

We believe the fundamental difference in open rates is personalization. Paubox Marketing allows for the inclusion of PHI, even in subject lines.

Personalization means higher relevancy

Personalization increases email open rates thanks to higher relevancy.

In another Paubox study that looked at 14.5 million emails sent by 121 healthcare marketers, we found the click-through rate of drip campaigns (automated marketing) to be a whopping 9.26%, again attributable to high relevancy and personalization.

If you're convinced about the efficacy of email marketing and would like to personalize emails as a covered entity, you'll need to keep a few things in mind to remain HIPAA compliant.

HIPAA compliance and email marketing

The first thing to keep in mind is this: be HIPAA compliant. And it's actually not all that difficult. 

First, make sure your email marketing platform is HIPAA compliant. You'll need to sign a business associate agreement, but make sure you read it and are entirely clear on what that BAA covers. 

The business associate agreement must include coverage for both storage and transmission of PHI. Some email platforms have a BAA that only covers storage, which is a good start.

The compliance, they claim, comes from the ability to include PHI in the customer details, the way a CRM might. It's helpful because you can use this PHI to create lists and run segment campaigns. It's unhelpful in that you can't actually personalize the campaigns; having gone to the trouble of segmenting, that seems superfluous to me.

These platforms place the onus on the healthcare marketer to ensure the emails include no PHI and don't violate HIPAA. While that sounds feasible - just avoid names and diagnoses - it's not that easy.

Even a message as simple as informing patients that healthcare operations are delayed or canceled can be considered PHI.

"When in doubt, it's probably PHI." 

Lawyer Stephen Kaplan has served companies in a regulatory compliance and privacy role since 2002, including acting as the Privacy Officer for multiple organizations. In his role as CLO, CCO, and CPO for Health Plan One, L.L.C., and as a consultant, he advises on and assists with the development and implementation of the entity's data privacy policies and practices, working across business groups to drive data privacy excellence.

Kaplan says, "When in doubt, it's probably PHI." 

When clients ask whether something is PHI or not, he tells them to treat everything like PHI. "Get everything encrypted. Get all your modalities of communication secured and encrypted through something like Paubox. We really need to assume that what we're going to send needs consent, that what we're going to send is PHI and should be protected."

Secure transmission and secure storage

Healthcare email marketing requires secure transmission as well as storage.

Paubox is one of the only truly HIPAA compliant email marketing tools. Paubox secures PHI in transmission, and you can safely send PHI. Personalization is the key to effective patient communication and successful marketing.