Demystifying PHI for healthcare marketers is key to sending impactful email marketing while remaining HIPAA compliant. PHI is protected health information. When in electronic form, it’s often referred to as ePHI.
PHI is the personal and private information a patient entrusts to the organizations caring for them. In the wrong hands, leaked ePHI can be devastating for the people it describes.
As a marketing professional, it is vital to honor the personal nature of this data. Protecting PHI while still communicating something of value to patients is central to good healthcare marketing.
Learn how to keep PHI safe while also reaching out to your patients with personalized HIPAA compliant email marketing here.
Sensitive patient information getting into the wrong hands is a gross breach of trust and can devastate the people whose information is leaked. That is where HIPAA comes in. The law is designed to safeguard the public from harms such as blackmail, fraud, reputational damage and the psychological harm of having one's privacy violated.
In a nutshell, PHI is individually identifiable health information: information about a person's health condition, care or payment for care that is linked to something that identifies the person. The HHS Safe Harbor de-identification standard lists 18 such identifiers (names, dates tied to the individual, email addresses, medical record numbers and so on); health information that still carries any of them is PHI.
Can you see why a marketing professional would steer clear of personalized email messages?
The U.S. Department of Health and Human Services’ (HHS) Security Rule stipulates “appropriate administrative, technical and physical safeguards” must be in place to ensure “the confidentiality, integrity and availability of” ePHI.
Does a segmented mailing list count as PHI? Yes. An email address is itself one of the 18 identifiers, and a list segmented by condition ties each address to a diagnosis: every recipient of a diabetes newsletter is revealed to have diabetes. Health information linked to an identifier in that way is PHI, whether or not the body of the message names the patient.
As of this writing, many email marketing products do not encrypt messages in a way that satisfies the Security Rule, which requires a covered entity to implement encryption of ePHI in transit or document an equivalent safeguard (45 CFR 164.312(e)(2)(ii)). An unencrypted email can be read in plain text by anyone positioned on its path, whether a network attacker, a compromised relay or a government entity with access to it. Messages carrying PHI must be encrypted in transit, and protected at rest on the sending platform, to be secured and HIPAA compliant.
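One concrete, checkable form of "encrypted in transit" is refusing to hand a message to a mail relay unless the hop is protected by TLS. The following is an added example written for this page, not code from the original article or from any email vendor: a sender-side guard that parses the relay's EHLO reply, aborts before any PHI is sent if STARTTLS is not offered, and negotiates TLS with certificate and hostname verification. The host, port and addresses in `send_phi_email` are hypothetical, and the EHLO replies in the `__main__` block are constructed to show the two outcomes.

```python
# Added example (not the page's or any vendor's code): a sender-side guard that
# refuses to hand a message containing PHI to an SMTP relay unless STARTTLS is
# negotiated with certificate verification. Host, port and addresses passed to
# send_phi_email are hypothetical.
import smtplib
import ssl
from email.message import EmailMessage


class PlaintextTransportError(RuntimeError):
    """Raised when the relay would carry the message unencrypted."""


def starttls_advertised(ehlo_response: bytes) -> bool:
    """Return True if an EHLO reply advertises STARTTLS (RFC 3207).

    `ehlo_response` is the multi-line reply text as smtplib.SMTP.ehlo()
    returns it: the first line is the server greeting, then one capability
    per line. Keywords are case-insensitive, so 'starttls' also counts.
    """
    lines = ehlo_response.decode("ascii", errors="replace").splitlines()
    # lines[0] is the greeting, never a capability (same split smtplib uses).
    return any(line.strip().upper() == "STARTTLS" for line in lines[1:])


def tls_context() -> ssl.SSLContext:
    """TLS settings for the hop: verify chain and hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_phi_email(host: str, port: int, sender: str, recipient: str,
                   subject: str, body: str, timeout: float = 30.0) -> None:
    """Deliver one message to `host`, aborting before any PHI leaves the
    process if the relay does not offer STARTTLS or the handshake fails."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, ehlo_reply = smtp.ehlo()
        if code != 250 or not starttls_advertised(ehlo_reply):
            # Without this check smtplib would send MAIL FROM / DATA in clear.
            raise PlaintextTransportError(
                f"{host}:{port} does not offer STARTTLS; refusing to send PHI")
        smtp.starttls(context=tls_context())  # raises ssl.SSLError on a bad cert
        smtp.ehlo()                           # RFC 3207: re-EHLO on the TLS channel
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed EHLO replies, shaped like what a relay returns.
    good = b"mail.example.org Hello [203.0.113.5]\nSIZE 35882577\nSTARTTLS\n8BITMIME"
    bad = b"mail.example.org Hello [203.0.113.5]\nSIZE 35882577\n8BITMIME"
    print(starttls_advertised(good), starttls_advertised(bad))  # True False
```

`smtplib.SMTP.has_extn("starttls")` performs the same capability check after `ehlo()`; the explicit parser above just makes the decision testable offline. Note the limit of this control: it protects only the hop from your sender to the relay you connect to. Onward hops to the patient's mailbox provider are outside your control, which is one reason a platform that holds PHI needs end-to-end protection and a BAA, not just TLS on the first leg.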
Once an email has been delivered to the patient's inbox, securing any PHI it contains is the patient's responsibility, not the sender's. HHS guidance is that a covered entity is not responsible for safeguarding PHI after it has been delivered to the individual who requested it. This is important to note, with two caveats: it applies to mail sent to the patient (or their personal representative), not to a vendor or other third party, and it does not excuse the sender from protecting the message before and during transmission.
A great way to help patients improve their health through better treatment compliance is by sending email newsletters with advice, treatment options and encouragement for their specific condition. There are two ways to do this.
You must have a business associate agreement (BAA) with any vendor that creates, receives, maintains or transmits PHI on your behalf, and that includes an email marketing provider that holds your patient list or sends messages containing PHI.
A BAA is a signed contract in which the business associate agrees to use and disclose the PHI only as the agreement permits, to put appropriate safeguards in place, to report breaches and other impermissible uses to you, and to bind any subcontractors to the same terms. Handing patient data to a vendor without a BAA is itself an impermissible disclosure under HIPAA.
Email that can carry protected health information lets a provider reach individual patients and condition-specific groups directly, which is a real gain for under-resourced staff. Until recently healthcare was at a considerable disadvantage: tools that addressed HIPAA compliance and security in email communication were either nonexistent or so cumbersome that people worked around them.
Newer platforms now offer HIPAA compliant email communication with strong security and HITRUST CSF certification. One caveat: HHS does not certify any product as HIPAA compliant, so a HITRUST certification is a third-party assessment of the vendor's controls, not a guarantee that your use of the platform is compliant. The BAA, your own safeguards and how you handle the data still matter.