HIPAA compliant email marketing: A legal guide for therapists
Caitlin Anthoney August 13, 2024
Therapists must understand the intersection of HIPAA and marketing laws to engage with their clients and maintain compliance. Understanding these regulations, obtaining necessary authorizations, and implementing best practices allow therapists to market their services effectively without risking legal penalties or damaging patient trust.
The legal foundation of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and the Privacy and Security Rules issued under it by the Department of Health and Human Services (HHS) protect protected health information (PHI). PHI is individually identifiable information about a client’s health condition, the care they receive, or payment for that care; a client’s name or email address on a list of current patients is itself PHI, because it reveals that the person receives treatment.
Therapists must therefore protect clients’ PHI in email marketing campaigns just as they do in the clinical record. The two HIPAA rules that govern email marketing are the Privacy Rule and the Security Rule.
- HIPAA’s Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) regulates how healthcare providers, including therapists, can use and disclose client information. For marketing, "A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information for marketing" (45 CFR § 164.508). The rule carves out only face-to-face communications and promotional gifts of nominal value, so an email campaign to a patient list does not qualify for either exception. If a third party pays the therapist to send the communication, the authorization must say so.
- HIPAA’s Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) outlines the administrative, physical, and technical safeguards therapists must implement to protect electronic PHI. For email specifically, therapists must "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network" (45 CFR § 164.312(e)(1)). Encryption in transit is an addressable implementation specification under § 164.312(e)(2)(ii): a therapist who sends marketing email through a platform that does not encrypt messages in transit must document why that is reasonable, which is a hard position to defend for email containing PHI.
Furthermore, HIPAA violations in email marketing can have legal consequences for therapists. The Office for Civil Rights (OCR), which enforces HIPAA, can impose civil penalties in tiers that start at $100 per violation and rise to $50,000 per violation depending on the level of culpability, as outlined in 45 CFR § 160.404, with an annual cap of $1.5 million for violations of an identical provision; these base amounts are adjusted for inflation each year. Non-compliance can also result in legal actions from clients, damage to the therapist’s reputation, and the loss of client trust.
Other email marketing laws for therapists
While HIPAA is the primary law governing the protection of PHI, other laws also impact email marketing practices, especially when therapists handle sensitive information or email clients across state or national borders. These laws include the CAN-SPAM Act, state privacy laws, and GDPR, among others.
The CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM Act) sets the requirements for commercial messages and gives recipients the right to stop receiving them. Under 15 U.S. Code § 7704(a), every commercial email must include a clear and conspicuous way to opt out, and opt-out requests must be honored within 10 business days. The same section also requires a valid physical postal address, accurate header and subject lines, and identification of the message as an advertisement.
So, if a therapist sends a promotional email about a new group therapy session, the email must include a working unsubscribe link and a valid postal address, and the unsubscribe mechanism must keep working for at least 30 days after the message is sent. Failure to meet these requirements can result in penalties from the Federal Trade Commission (FTC). CAN-SPAM does not replace HIPAA: an unsubscribe link satisfies CAN-SPAM, but it is not the written authorization HIPAA requires before PHI is used for marketing in the first place.
State privacy laws
Different states in the U.S. have their own privacy laws that can impact how therapists conduct email marketing. For example, the California Consumer Privacy Act (CCPA) grants California residents additional rights regarding their personal information.
Under the CCPA, consumers must be informed about what personal information is collected and have the option to opt out of the sale or sharing of their personal information (California Civil Code § 1798.100 et seq.). Two caveats apply: the CCPA exempts PHI that is already governed by HIPAA, and it applies only to businesses that meet its revenue or data-volume thresholds, which many solo practices do not. Marketing data collected outside the clinical relationship, such as newsletter sign-ups from a public website, is the data most likely to fall under the CCPA.
So, if a therapist sends a marketing email to clients in California, they should include a privacy notice that explains what data is collected, how it will be used, and how to opt out.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union law that may apply to U.S. therapists if they offer services to, or monitor, people in the EU. Under Article 4(11) of the GDPR, consent must be freely given, specific, informed, and unambiguous, and it must be expressed by a statement or a clear affirmative action; a pre-ticked box or silence does not count. Because health data is a special category under Article 9, marketing that reveals a person is in therapy requires explicit consent.
Therapists must also understand how GDPR and HIPAA overlap before sending marketing emails. Consent must be documented and must state how the client’s data will be used and how they can withdraw consent, and withdrawal must be as easy as giving consent.
Telehealth laws
The 21st Century Cures Act promotes digital health technologies and integrates them into mainstream healthcare. The Act focuses on telehealth and health IT rather than on marketing, but therapists can cite this support when promoting their telehealth services through email marketing.
The Ryan Haight Online Pharmacy Consumer Protection Act (codified in Title 21 of the U.S. Code, including 21 U.S. Code § 802) regulates the prescription of controlled substances, generally requiring an in-person medical evaluation before prescribing, subject to defined telemedicine exceptions.
So, when therapists use email to promote telehealth services that involve prescriptions, their marketing should not suggest or facilitate the prescription of controlled substances without the required evaluation.
Licensure requirements
Therapists must be licensed in the state where their patients are located when providing telehealth services, unless an interstate compact such as PSYPACT authorizes practice across state lines. So, if a therapist licensed only in California wants to market telehealth services to patients in Texas, they must be licensed in Texas as well.
Additionally, marketing emails should state the therapist’s licensure clearly, including the states covered, to avoid misleading potential patients.
Telehealth parity laws
States with telehealth parity laws require insurance companies to cover telehealth services, and in some states to reimburse them, at the same level as in-person visits. California’s Business and Professions Code § 2290.5 defines telehealth and sets consent requirements; California’s payment parity mandate for commercial plans sits in separate insurance statutes.
Similarly, New York, Texas, Florida, Ohio, Washington, Colorado, Michigan, Pennsylvania, and Oregon have telehealth parity laws. Their scope varies: some require only that telehealth be covered (coverage parity), while others also require equal reimbursement (payment parity), so check the specific statute before making claims about coverage.
Ultimately, email marketing campaigns should accurately reflect insurance coverage options and the parity laws in the recipient’s state, and should not promise coverage the law does not guarantee.
Emergency protocols
Some states may require therapists to have protocols for handling emergencies during telehealth sessions. Specifically, these include:
- California Business and Professions Code § 2290.5
- New York State Department of Health Telehealth Regulations
- Texas Administrative Code Title 22, Part 30, Chapter 188
- Florida Statutes § 456.47
- Georgia Composite Medical Board Telehealth Rules
- Arizona Administrative Code R9-10-102
- Michigan Compiled Laws § 333.16221
- Tennessee Code Annotated § 63-6-220
Therapists who use marketing emails should also provide information on emergency protocols and how patients can access in-person care if needed.
Steps therapists must take for email marketing
1. Obtain client authorization: Therapists must obtain explicit written client authorization before using their PHI for email marketing, as mandated by 45 CFR § 164.508. The authorization form should describe what information will be used, what the emails are for, and how the client can revoke the authorization, and the practice should keep a record of who has authorized and who has revoked.
2. Use a HIPAA compliant email platform: Therapists must use an email marketing platform, like Paubox, that signs a business associate agreement (BAA) as described in 45 CFR § 164.308(b)(3). The platform must also encrypt messages in transit, and should protect stored PHI at rest, to satisfy 45 CFR § 164.312(e)(1). A BAA alone does not make a platform compliant; confirm that its encryption is enforced for every message rather than offered as an option the sender can forget to enable.
3. Verify state licensure: Email marketing campaigns should only promote therapy services to clients in states where the therapist is licensed to provide those services.
4. Provide opt-out options: Marketing emails must adhere to HIPAA and the CAN-SPAM Act (15 U.S. Code § 7704(a)), including a clear unsubscribe link in every marketing email and honoring opt-out requests within 10 business days.
5. Follow insurance and telehealth parity requirements: Therapists must verify that the telehealth services promoted in their emails are covered by insurance providers in the patient’s state. Additionally, they must comply with telehealth parity laws that require insurers to cover telehealth services at the same rate as in-person visits.
6. Include emergency protocols: Marketing emails should include emergency contact information so clients can get immediate help. For example, therapists can include a crisis hotline number or instructions on how to access emergency services in case of a mental health emergency.
7. Stay informed about relevant laws: Therapists must regularly review and update their email marketing practices to stay compliant with HIPAA, state privacy laws, and other relevant regulations like GDPR.
FAQs
Can therapists use email marketing?
Yes, however, therapists must use encrypted and secure email platforms, sign BAAs with these platforms, and stay informed about changes in relevant laws like HIPAA, the CAN-SPAM Act, and GDPR.
Do therapists need client authorization for marketing communications under HIPAA?
No, not all marketing communications require patient authorization. HIPAA’s definition of marketing excludes communications about treatment, about the provider’s own health-related products or services, and about case management or care coordination. These exclusions fall away if the provider receives financial remuneration from a third party for sending the communication, and the provider must obtain patient authorization for any marketing that does not fit an exclusion.
How do secure email solutions ensure compliance with HIPAA and other privacy regulations?
Paubox email adheres to the security standards and encryption protocols specified by HIPAA regulations to safeguard protected health information (PHI).
Additionally, Paubox offers features such as secure message delivery and data loss prevention to further support compliance with HIPAA and other privacy regulations. These measures help protect sensitive information during transmission and storage.
Read also: HIPAA Compliant Email for Mental Health Professionals