The detailed guide to HIPAA compliant email marketing

Welcome to the definitive guide on HIPAA compliant email marketing for healthcare providers and business associates.

This guide provides practical tips and best practices so healthcare professionals can secure their marketing emails and meet HIPAA regulations.

We'll cover how to create HIPAA compliant marketing emails, what to look for in a HIPAA compliant email marketing solution, effective email encryption methods, potential HIPAA violations and fines, and an added FAQ section to address common concerns.

In this guide:

• When do marketing emails have to be HIPAA compliant?
• HIPAA compliance and marketing
• Which kinds of marketing emails need to be HIPAA compliant?
• Requirements for HIPAA compliant email marketing 
• How to handle authorization
• What to look for in a HIPAA compliant email marketing solution
• How to evaluate an email marketing solution
• How to set up HIPAA compliant email marketing
• Creating an effective HIPAA compliant email marketing campaign
• The HIPAA compliant email marketing checklist
• 12 healthcare email marketing templates
• HIPAA violations and fines
• The relevance of CAN-SPAM
• FAQs

When do marketing emails have to be HIPAA compliant?

A marketing email must meet HIPAA compliance standards when it includes protected health information (PHI) and is sent by any entity governed by HIPAA regulations. 

PHI represents any information that can identify an individual and connects directly to their health status, the medical care they receive, or their payment details for healthcare services.

The organizations required to uphold the standards set by HIPAA include healthcare providers, health plans, and healthcare clearinghouses, as well as the business associates who offer them supportive services.

Go deeper:

• What is HIPAA?
• What makes email marketing HIPAA compliant?

HIPAA compliance and marketing 

The HIPAA Privacy Rule defines Marketing as communications that serve "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service…" When communicating for marketing purposes, you need a secure email marketing platform, like Paubox, that encrypts emails both in transit and at rest.

Most popular email marketing platforms, like MailChimp, aren't fully HIPAA compliant and don't secure email newsletters in transit, even if they secure patient data at rest. Always double-check that sending PHI is covered by the business associate agreement (see FAQs below).

Go deeper: Top 12 HIPAA compliant email services

Which kinds of marketing emails need to be HIPAA compliant?

The main types of marketing emails sent that need to be HIPAA compliant include: 

• Emails marketing health-related products or services directly to patients
• Emails that are sent in exchange for direct or indirect remuneration from a third party
• Emails sent by a covered entity to individuals promoting other products or services available through the covered entity that require sharing PHI without prior authorization

It is recommended that any email sent by a covered entity or business associate meets the standards for HIPAA compliance, whether or not it contains PHI. As a practice, it reduces the likelihood of a violation through human error. 

Emails marketing health-related products or services directly to patients

Emails promoting health-related products or services target patients who might benefit from them. For example, a healthcare provider might inform patients about a new wellness program, medical device, or special discount on health checkups. 

Emails that are sent in exchange for direct or indirect remuneration from a third party

These are emails sent by healthcare providers or their business associates on behalf of third parties like pharmaceutical companies to promote specific products.

Emails to individuals promoting other products or services that require sharing PHI without prior authorization

Marketing emails promoting products or services unrelated to the patient's current treatment may involve sharing the patient's PHI with third parties. For example, a health plan might share a list of its members with a company selling health supplements. HIPAA requires explicit written authorization from patients before sharing their PHI for this purpose.

Go deeper: Communications that must remain HIPAA compliant

Requirements for HIPAA compliant email marketing 

For a marketing email sent by a covered entity or business associate to be HIPAA compliant, the provider needs to:

1. Secure the recipient's explicit written consent before sending the email
2. Choose an email service provider that offers encryption and signs a business associate agreement (BAA)
3. Manage your email lists carefully, and only send emails to those who have given consent; update these lists regularly to remove opt-outs
4. Limit the amount of PHI used in marketing email
5. Train staff on HIPAA compliance
6. Add an easy opt-out option in every marketing email

How to handle authorization

The Department of Health and Human Services explains, "Except as discussed below, any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual's authorization."

A few steps necessary to consider when receiving consent include: 

1. Clearly explain the purpose of the marketing emails and how the recipient's information will be used, ensuring patients understand what they are consenting to
2. Secure written consent that explicitly outlines any direct or indirect remuneration involved, emphasizing that giving consent is not a condition for receiving care
3. Check that the patient understands the consent they are giving by offering additional information and answering any questions they may have
4. Keep detailed records of who has consented, what they have agreed to, and the date of consent
5. Store all consent forms securely, using encryption and restricting access to authorized personnel only

Go deeper: What is marketing consent in healthcare?

Exceptions to the authorization requirements for marketing emails

There are exceptions to authorization requirements. All emails must be HIPAA compliant, but some types of email content are considered "opt-out" rather than "opt-in."

1. Treatment communications: Communications about a patient's treatment or recommending alternative treatments, therapies, healthcare providers, or care settings are not considered marketing under HIPAA.
2. Communications about health-related products or services: Communications about health-related products or services provided by the healthcare organization or that are included in the patient's treatment plan or benefits do not require explicit authorization. Examples include a newsletter about managing a specific health condition or information about services offered by the covered entity.
3. Case management or care coordination: Communications related to case management or care coordination, or to direct or recommend alternative treatments, healthcare providers, or care settings, are not considered marketing and do not require explicit pre-send authorization.

What to look for in a HIPAA compliant email marketing solution

When choosing a HIPAA compliant email marketing solution, prioritize ease of setup and use for both you and your staff. Ensure that your email service is convenient for your patients as well. Patients should not have to log into portals or complete extra steps to read their emails. 

Any service chosen needs to encrypt emails in transit. Encryption during transmission protects sensitive information from being intercepted by unauthorized parties. Also, emails stored on servers should be encrypted, adding an extra layer of security in case of data breaches or unauthorized access.

The marketing services available should be both innovative and easy to use. Choose a service that supports automated email campaigns and automated workflows, including trigger-based emails like welcome messages. Look for advanced audience segmentation and targeted email lists based on behavior and demographics. Dynamic content can further personalize your messaging and improve engagement.

While there's no official HIPAA certification, HITRUST certification means that a company has taken extensive measures to ensure the security of sensitive data. Working with HITRUST-certified vendors can lower insurance premiums and minimize legal liability.

We recommend Paubox for HIPAA compliant email, but here are some other questions to ask before making your decision.

• Is it easy to set up and use for you and your staff?
• Can recipients view the email in their inbox without the need for portals or extra steps?
• Is the email encrypted in transit?
• Is all contact data encrypted at rest?
• Are marketing services like segmentation, dynamic lists, and marketing automation available? 
• Will the email platform sign a business associate agreement with your organization?

How to evaluate an email marketing solution

Before signing up to an email marketing solution, consider the following:

• HIPAA compliance: Is the company HIPAA compliant and focused on healthcare marketing?
• Usability and integration: How easy is it to integrate the service into existing marketing platforms and CRM systems?
• Customer service: What customer support options (phone, email, chat) are available?
• Encryption system: Does the service automatically encrypt emails in transit and at rest?
• Reviews and reputation: What are the reviews of the service from other healthcare organizations?
• Data breaches: Has the company ever experienced a data breach?
• Pricing structure: How does the company price its service, and what is included in the various tiers?

How to set up HIPAA compliant email marketing 

Setting up HIPAA compliant email marketing with Paubox Marketing is simple and efficient. Start by signing up for free and adding your first 100 contacts. You can securely store and use PHI to personalize your messages.

Use the free templates and the intuitive drag-and-drop builder to create your first email. No experience is necessary, and you can get complimentary design help if needed.

Track your results in real-time with the analytics reporting tool to see who is engaging with your emails. Paubox Marketing makes it easy to keep your marketing effective and compliant.

Creating an effective HIPAA compliant email marketing campaign

Start by choosing a HIPAA compliant email marketing platform like Paubox Marketing, which ensures secure handling of PHI. First, gather explicit written consent from your patients to receive marketing emails explaining how their data will be used. 

Next, segment your email list based on patient demographics, treatment history, or engagement levels to tailor your messages effectively. Use the platform's customizable templates and drag-and-drop builder to create visually appealing and personalized emails that resonate with your audience. 

Regularly update your content to keep it fresh and informative, and always include an easy opt-out option to respect patient preferences. Finally, leverage the platform's analytics tools to track open rates, click-through rates, and other key metrics, allowing you to refine your strategy based on real-time feedback. 

The HIPAA compliant email marketing checklist

We've created a HIPAA compliant email marketing checklist to guide you through the necessary steps. While the high-level steps are outlined below, each step includes several sub-tasks to ensure full compliance. 

Download the HIPAA compliant email marketing checklist here:

The right HIPAA compliant email marketing service will assist with the more complex tasks like setting up DKIM and SPF records.  

12 healthcare email marketing templates

We showcase 12 impactful email examples that you can
incorporate into your marketing strategy.

HIPAA violations and fines

Failing to send HIPAA compliant marketing emails isn't just a bad practice—it's a violation of the law. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights enforces severe penalties for such violations. Civil penalties for breaches that fall under reasonable cause can range from $100 to $50,000 per breach. However, cases involving willful neglect can result in fines from $10,000 to $50,000 per violation and often lead to criminal charges.

Civil penalties are structured in tiers based on the level of negligence and the nature of the violation:

1. Tier 1: For violations where the entity was unaware and could not have reasonably avoided the breach, fines range from $100 to $50,000 per violation, with an annual cap of $1.5 million.
2. Tier 2: For violations due to reasonable cause but not willful neglect, fines range from $1,000 to $50,000 per violation, with an annual cap of $1.5 million.
3. Tier 3: For violations resulting from willful neglect that are corrected within a specified period, fines range from $10,000 to $50,000 per violation, with an annual cap of $1.5 million.
4. Tier 4: For violations resulting from willful neglect that are not corrected, fines are $50,000 per violation, also capped at $1.5 million annually.

In addition to civil penalties, HIPAA violations can result in criminal penalties if the violations are committed knowingly. Criminal penalties are more severe and can include both fines and imprisonment, depending on the nature and intent of the violation:

1. Tier 1: For knowing violations, individuals can face fines of up to $50,000 and up to one year in prison.
2. Tier 2: For violations committed under false pretenses, fines can increase to $100,000 and imprisonment for up to five years.
3. Tier 3: For offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, fines can reach $250,000 and imprisonment for up to ten years.

Go deeper:

• Understanding HIPAA violations and breaches
• Examples of HIPAA violations: The high price of unprotected data

The relevance of CAN-SPAM

Healthcare emails that are purely transactional or related to treatment, payment, or operations without marketing intent typically do not fall under CAN-SPAM but must comply with HIPAA.

However, when a healthcare email involves marketing, it must comply with both sets of regulations. The Federal Trade Commission simplifies it as, "If the message contains only commercial content, its primary purpose is commercial, and it must comply with the requirements of CAN-SPAM."

For example, if you send an email promoting a new wellness program or medical service, the email must comply with CAN-SPAM by including an opt-out option, a truthful subject line, and a physical address.

At the same time, if the email contains any PHI, it must also comply with HIPAA requirements by securing the PHI and only sending it with the patient's consent.

Go deeper:

• What is the CAN-SPAM Act?
• Integrating CAN-SPAM and HIPAA into email marketing

FAQs

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law enacted in 1996 that sets standards for protecting sensitive patient health information and ensures patient privacy. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses.

What is the Privacy Rule?

The Privacy Rule is a component of HIPAA that establishes national standards for the protection of individuals' medical records and other personal health information. It requires appropriate safeguards to protect the privacy of personal health information and sets limits on the use and disclosure of such information without patient authorization.

Is separate consent necessary for marketing-related emails?

Yes, separate consent is necessary for marketing-related emails if they involve the use of PHI. Patients must provide explicit written authorization for their PHI to be used for marketing purposes.

What is a Notice of Privacy Practices?

A Notice of Privacy Practices is a document that healthcare providers and health plans must provide to patients. It explains how their PHI will be used and disclosed, their rights regarding their health information, and the provider's privacy practices and obligations under HIPAA.

Can an email header contain PHI?

No, an email header should not contain PHI. The email header, which includes the subject line, sender, and recipient information, should be free of any sensitive health information to avoid unauthorized disclosure. 

Do healthcare providers need to disclose which third parties are paying them to promote specific health-related products?

Yes, healthcare providers must disclose if a third party is paying them to promote specific health-related products. 

What are a patient's rights under HIPAA?

Under HIPAA, patients have the right to:

• Access their medical records and request copies.
• Request corrections to their medical records.
• Receive a notice of privacy practices.
• Request restrictions on certain uses and disclosures of their PHI.
• Receive confidential communications.
• File complaints if they believe their privacy rights have been violated.

What is a violation of CAN-SPAM?

A violation of CAN-SPAM occurs when a commercial email does not comply with the act's requirements. This includes failing to provide a clear opt-out mechanism, using deceptive subject lines, not including the sender's physical address, and continuing to send emails to recipients who have opted out.

What is a BAA?

A BAA is a contract between a HIPAA-covered entity and a business associate. It outlines the business associate's responsibilities for safeguarding PHI, ensuring compliance with HIPAA regulations, and detailing how PHI will be used and protected.

What are examples of PHI?

Examples of PHI include:

• Patient names and addresses
• Birth dates and Social Security numbers
• Medical records and health histories
• Test results and treatment information
• Insurance information and billing records

If a healthcare organization uses a foreign marketing agency that sends its emails, does the foreign marketing agency need to comply with HIPAA?

Yes, if a foreign marketing agency handles PHI on behalf of a U.S.-based healthcare organization, it must comply with HIPAA regulations. The agency must sign a BAA and ensure it implements the safeguards to protect PHI.

Do conduits need to comply with HIPAA?

Yes, conduits like email service providers that transmit PHI but do not store it long-term or have regular access must comply with HIPAA. 

Is Mailchimp HIPAA compliant?

Mailchimp is not inherently HIPAA compliant.