
When do I need special opt-in to send HIPAA compliant email marketing?


Did you know you need informed consent from your patients before sending marketing communications?

Navigating authorizations in HIPAA compliant email marketing centers around obtaining explicit, informed consent from patients before sending marketing communications. 


When is an email considered marketing? 

According to the HHS, the Privacy Rule defines marketing as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” When it comes to email, if its purpose is to promote a product or service, it is a marketing email. The Privacy Rule provides that if a communication is classified as marketing, prior explicit authorization from the patient is needed before it can be sent.


Examples of marketing emails that require patient authorization

Third party product promotions

  • Emails promoting products not directly related to the patient's treatment plan, such as nutritional supplements from third parties that pay the provider to promote them. 

Affiliate marketing programs

  • Emails with affiliate links or codes where the provider receives a kickback or commission. 

Sponsored content

  • Marketing emails sent on behalf of an insurance company or for a new insurance product, where the provider receives compensation for each patient that signs up.

Cross marketing from partners

  • Emails marketing services from partner healthcare facilities or specialists where there is a financial agreement in place between entities. 

Healthcare package promotions

  • Promotional offers that bundle a variety of health services or treatments together with financial incentives.


How to classify marketing emails

Define the purpose of the email:

  • Is the intention to promote or recommend the use of a product or service?

Analyze the content:

  • Does the email explicitly or subtly encourage the purchase or use of a product or service?

Check for financial remuneration:

  • Is the healthcare provider receiving any financial benefit from third parties for sending this email?

Check for the TPO exception:

  • Does it involve management of treatment, care coordination, or billing without marketing content?

Patient authorization:

  • Has the patient provided explicit authorization to receive marketing communications as defined by HIPAA? 


Treatment authorizations: when authorization is not required

The HHS provides that “the [Privacy] Rule generally prohibits a covered entity from using or disclosing protected health information unless authorized by patients, except where this prohibition would result in unnecessary interference with access to quality health care or with certain other important public benefits or national priorities.” The communications that benefit the quality of care can be summarized as treatment, payment, and operations (TPO) related communications. These communications are exempt because they are necessary for the effective delivery of healthcare and the management of healthcare services. Unlike with marketing communications, patients do not need to provide consent to receive TPO related emails.


Email marketing without patient authorization

If an email is deemed a marketing email, prior authorization is generally required from patients. There are, however, exceptions under which a marketing email can be sent without patient authorization. These include:

  • Communication not involving financial remuneration: If an email does not result in direct financial gain for the healthcare provider, it can be exempt from the authorization requirement.
  • Face-to-face communications: When the marketing occurs in a face-to-face encounter between provider and patient.
  • Promotional gifts of nominal value: When the marketing involves providing a promotional gift of nominal value, i.e., the worth is small or insignificant.


What qualifies as 'general health information' in bulk emails?

General health information is information that improves the recipient's knowledge about health related topics without being directly tied to promoting specific products or services. These communications include wellness tips, general health news, information about disease prevention, and new medical research findings that do not promote a specific product or service.

Bulk emails containing general health information that do not promote specific products or services can be sent without individual patient authorization. These emails must be educational and not be veiled attempts to solicit business in any way. This includes communication about topics like seasonal allergies or general care tips. 


How to properly request and document patient consent

  • Be clear on the nature of the email. Explain the type of marketing message, the company behind it, etc.
  • Inform patients that their consent is being obtained for marketing communications.
  • Keep consent forms distinct from general treatment or healthcare operations forms.
  • Design a consent form that is easy to understand and includes specific information about marketing emails.
  • The form should state that the patient agrees to receive marketing emails.
  • Store consent records securely, whether they are on paper or digital.
  • Make use of HIPAA compliant forms through services like Paubox.
  • Periodically reconfirm consent with patients, especially if there are changes in marketing strategies or the products promoted.


FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is a law that sets the standards for protecting sensitive patient information.


What is considered PHI?

Protected health information includes identifiable health information used, maintained, stored, or transmitted by covered entities. 


What is consent?

A patient's informed agreement to a medical procedure or involvement in a study. 


What are authorizations? 

Detailed documents that grant covered entities permission to use or disclose PHI. 


Can providers share patient information with third party marketers?

They can if they have explicit consent from the patient, but it can be ethically questionable if not done for internal marketing purposes.
