Email marketing is a fantastic strategy to keep customers engaged and informed, from reminding patients about services to sharing practice updates.
Table of contents:
While email marketing has one of the highest rates of return, only about 25% of providers use it. Why? They feel like their hands are tied; most email marketing platforms don’t offer encrypted newsletters, so healthcare marketers cannot send personalized messages.
There are email marketing companies that solve the compliance question, but not all are created equal. Some have limited tools or are unnecessarily complicated. More importantly, many do not prioritize patient data privacy or leave it up to the covered entity to ensure HIPAA compliance.
Every healthcare organization must prioritize HIPAA compliance to avoid costly legal penalties. The right HIPAA compliant email marketing service will do this and more, making it seamless, safe and personalized to connect with patients.
Paubox took the time to evaluate email marketing services to help you find the perfect fit.
Related: HIPAA compliant email marketing: What you need to know
How we evaluated the top HIPAA compliance email marketing services
We looked at several factors to help determine what makes an email service stand out in the healthcare space.
HIPAA compliance
For healthcare companies, maintaining HIPAA compliance is one of the most necessary factors for email marketing. If a service is not HIPAA compliant, a healthcare company will be unable to send any personalized messages. First names, email addresses, health information, and any other protected health information (PHI) cannot be included in emails.
Making the matter more complicated, some companies claim to be HIPAA compliant but will still not allow you to send PHI.
When looking for a marketing service, we recommend checking for the following:
- Do they require a BAA? A business associate agreement (BAA) is a legally binding agreement between HIPAA covered organizations and their business associates. The BAA outlines permissible and impermissible disclosures and the liabilities of each party. They are required for HIPAA compliant organizations to send PHI in emails.
- Can you send PHI? Even though some companies will sign a BAA stipulating PHI is encrypted at rest, they may not protect PHI in transit - a requirement under HIPAA’s Security Rule. Because PHI could still become vulnerable to cyberattacks, some email marketing companies state that the healthcare organization is responsible for protecting PHI.
- Are the emails encrypted? HIPAA compliant marketing services will encrypt the data. For some, this means email recipients will open emails in another portal, while other companies, like Paubox, provide encryption without any additional steps for recipients.
Note: Popular companies, like Brevo, Mailchimp, and Mailerlite, are not HIPAA compliant and do not allow you to send PHI.
Before agreeing to work with any email marketing service, read the terms and conditions to ensure you get a service that fits your marketing goals and legal requirements.
User interface
Everyone wants a user interface they can understand - including marketers crafting email campaigns and recipients who receive email communication.
Templates can help streamline the creation process for companies. Meanwhile, others prefer to deeply personalize and craft each campaign. Wherever you stand, you’ll want a service with a minimal learning curve. We analyzed how smooth–or not–the process is for differing marketing services.
On the other hand, healthcare companies also want emails to be opened. When a recipient has to go through a multi-factor identification process or open new browsers, it will decrease the chance they’ll read the email. Ideally, you’ll want a straightforward system that makes email opening seamless.
We evaluated each platform to see how its interface can fit the needs of creators and recipients alike.
Customer service
At some point or another, you’ll likely have questions and need additional support. Some companies are happy to talk it out, while others would prefer you read articles and watch pre-recorded videos.
Having resources available is incredibly helpful, but it’s no replacement for having someone address your specific concern or challenge.
To evaluate each company, we looked at their customer support process and genuine reviews of interactions. Finding a company with a strong customer service ethos is particularly important for healthcare companies that handle sensitive information. You’ll want to work with a company with top-notch customer support in a tech emergency.
Reviews
Reviews say a lot about an email marketing service. We scour tech review website G2 for the most up-to-date reviews on products. We look for common pain points and the benefits of different services.
Checking reviews also helps to understand how established a company may be. Newer companies may not have as many reviews, which is not indicative of their quality. However, it may be a reason to use a more tested service.
Pricing
Lastly, and equally significant, is the cost structure of the email marketing service. Many companies offer supplementary services beyond email marketing, potentially increasing the overall expense. Some services may include extra users, a specific number of contacts, or technical support costs.
We recommend determining your “must haves” in a marketing service to assist in budgeting. Some healthcare organizations may prioritize automation, while others want additional data management services.
Regardless of your preferences, ensuring the safety and reliability of technology should be a top priority. Keep in mind that email marketing represents an investment; choosing a service that meets your requirements and boosts growth can justify a higher expense.
The Top 7 HIPAA compliant email marketing services
1. Paubox
Paubox is a HIPAA compliant email encryption and marketing solution focusing on the healthcare industry. With a dedicated focus on HIPAA compliance and usability, Paubox is one of the few services that doesn’t require recipients to take extra steps to see personalized information. This leads to the most effective email marketing campaigns; viewers can safely open emails with information relevant to their specific needs.
Founded in: 2015
How it works: Email marketers can use a simple, drag-and-drop email builder, preset layouts, or their own HTML. Paubox allows for dynamic text, so emails can safely include patient names, medical conditions, medications, etc. while staying compliant with HIPAA regulations. Marketers can efficiently create drip campaigns and segment the audience. All emails sent are automatically encrypted for seamless HIPAA compliance.
How it stacks up on:
- User interface: Easy for recipients to open. No additional portals; patients simply view the email as usual, and everything is automatically encrypted. A portal option is available automatically for viewers whose email does not support encryption.
- HIPAA compliance: Paubox is the best email service for HIPAA compliance and ease of use. Paubox marketing is designed for healthcare, meaning compliance is always the top priority. Paubox is also HITRUST CSF certified.
- Will sign a BAA: Yes
- Allows you to send PHI: Yes
- Provides encryption: Yes
- Customer service: Paubox is known for excellent customer service. Not only do they offer a help center with straightforward guides, but they also offer US-based phone and email support by experts.
- Reviews: The go-to source for technology reviews, G2, rated Paubox as a 4.9/5 overall, demonstrating that customers are overwhelmingly satisfied. Paubox has over 290 5-star reviews that focus on the product’s affordability, effectiveness, and customer support.
- Pricing: Paubox offers the following pricing options based on the number of contacts your organization has.
- 100 contacts: free
- First 10,000: $199/month
- 10,000-20,000: $489/month
- 20,000-50,000: $969/month
- 50,000+: custom pricing
What makes Paubox unique:
- Focus on healthcare: With a focus on healthcare compliance and marketing, Paubox can ensure organizations meet HIPAA requirements while building an audience and marketing their service or product.
- Easy to personalize: Paubox’s technology allows for audience segmentation and easy-to-build campaigns, allowing organizations to craft specific and personalized emails while maintaining HIPAA compliance.
Why Paubox is number 1: While many companies offer marketing services, none offer as much security, peace of mind, and ease of use as Paubox. With a sleek and intuitive interface, organizations can focus on marketing efforts that have a high return on investment without legal concerns or complex steps.
2. Eloqua (Oracle)
Founded in: 1999
How it works: The process involves several compliance and security steps. Initially, entities enter into a BAA with Eloqua if they handle PHI. Eloqua supports this with a HIPAA Advanced Data Security Add-on, introducing features like the Authenticated Portal, which enhances secure communications.
The recipient’s journey starts with an opt-in procedure where they expressly agree to receive healthcare marketing communications. This consent is captured through a subscription to a dedicated HIPAA email group. This mechanism enforces the secure handling of PHI. Upon opting in, Eloqua automatically sends a welcome email that guides recipients to set a password for a personal secure portal where they can access PHI content.
Rather than directly receiving PHI content via email, recipients are notified through an initial email that secure content is available in their secure portal.
How it stacks up on:
- User interface: Eloqua receives the most criticism regarding its interface. While it can be made HIPAA compliant, it requires several additional steps for companies to send PHI and for recipients to view it. This friction can prevent email marketing campaigns from being successful. The multi-step process also creates room for error; employees may forget a step or complete it improperly, which could jeopardize security.
- HIPAA compliance: Eloqua can be configured for HIPAA compliance. However, since Eloqua serves a variety of industries, their service isn’t automatically compliant. It requires users to have a data security add-on.
- Will sign a BAA: Yes
- Allows you to send PHI: Yes
- Provides encryption: Yes
- Customer service: Oracle has generally favorable customer reviews. They offer Oracle Support with guides and a unique platform for additional assistance. Oracle also has a customer community where companies using the service can share insights, ask questions, and discuss the product.
- Reviews: On G2, Eloqua earned a 3.9/5 from users. Based on 611 customer reviews, many say the company is not user-friendly and expensive. Some also complain that Eloqua is difficult to integrate into existing systems and requires a steep learning curve. Once learned, some say it’s a streamlined process to integrate and manage campaigns.
- Pricing: Eloqua requires potential clients to contact their sales team for pricing information. G2 found their most basic plan is $2,000/month, and their sales plan is $4,000/month.
Why it’s number #2: Eloqua earns this ranking because of its focus on HIPAA compliance. While Eloqua is HIPAA compliant, it’s not intuitive for healthcare companies or recipients. There are better email marketing services for organizations looking for a streamlined and seamless process.
3. Cured
Founded in: 2018
How it works: Cured requires clients to sign a BAA to send PHI. The company is HITRUST certified, showing an added layer of security to its platform. Once an email is drafted and follows the suggested HIPAA compliance guidelines, the email will be end-to-end encrypted. For viewers to open it, they will have to use multi-factor authentication. Cured stresses its platform is compliant but does not detail how recipients will view emails.
How it stacks up on:
- User interface: Cured is designed to be user-friendly with a straightforward design. Campaign creators can segment data and automate emails. The platform also leverages AI to assist in writing subject lines. Recipients must use multi-factor authentication to open emails, which could lead to friction and result in lower open rates.
- HIPAA compliance: In an article, Cured details how they achieve HIPAA compliance through encryption, server security, and user authentication. Cured is also HITRUST certified.
- Will sign a BAA: Yes
- Allows you to send PHI: Yes
- Provides encryption: Yes
- Customer service: Cured does not have any ratings regarding their customer service. Their website states that staff will assist customers with set-up, implementation, data services, and team training.
- Reviews: As a relative newcomer, Cured has no reviews on G2. We could not find any reviews regarding Cured, but the company promises a sleek interface with data collection and automation possibilities.
- Pricing: Cured offers customized pricing for email marketing services. To receive specific information, companies must request a demo and describe their specific email marketing needs.
Why Cured is #3: Cured offers HIPAA compliant email marketing but is a very new company with limited reviews and success stories. While they detail their process online, it’s difficult to assess if customers can easily navigate and utilize the service. Furthermore, Cured recently announced they were acquired by Innovaccer.
4. ActiveCampaign
Founded in: 2003
How it works: Once ActiveCampaign signs a BAA with a healthcare organization, the organization can immediately start crafting marketing emails. While ActiveCampaign will sign a BAA, they do not offer any additional tools for HIPAA compliance. For that reason, we do not recommend sending any PHI with ActiveCampaign. The company requires users to ensure their emails are HIPAA compliant.
How it stacks up on:
- User interface: Recipients of ActiveCampaign emails will receive a regular, unencrypted email. This allows recipients to easily open emails, which can result in a higher open rate. The tradeoff is that to maintain HIPAA compliance, healthcare organizations may not be able to send any personalized information, including names, treatment or health information, or anything else that could identify the patient or their medical condition.
- HIPAA compliance: While signing a BAA is a requirement for HIPAA, it’s insufficient to fulfill HIPAA compliance. Marketing services must provide encryption and allow you to send PHI securely. One of their plans offers “HIPAA compliance” but does not specify how they meet the regulations.
- Will sign a BAA: Yes
- Allows you to send PHI: No
- Provides encryption: No. In a request for further information on ActiveCampaign’s encryption, they responded that HIPAA compliance is the user’s responsibility.
- Customer service: ActiveCampaign offers 24/7 live chat and email support for customers. They also provide a support center with various guides and access to training videos and webinars to help clients adjust to the platform. Many positive reviews state that customer support is friendly and helpful.
- Reviews: On G2, ActiveCampaign has an astonishing 10,830 reviews and has obtained a 4.5/5 rating. Many state that ActiveCampaign is easy to automate and manage. Other positives include being user-friendly and having a straightforward interface. Conversely, some say that it’s slow, expensive, and time-consuming.
- Pricing: ActiveCampaign offers 4 plan levels. Note that only their enterprise level offers “HIPAA compliance.” Each plan comes with a variety of benefits.
- The lite plan: $29/month for up to 1,000 contacts with a 10x contact email send limit.
- Plus plan: $49/month for up to 1,000 contacts. Offers 3 users and a 10x contact email send limit and is designed for small businesses.
- Professional plan: $149/month for up to 2,500 contacts. Offers 5 users, 12x contact email send limit, and is designed for medium businesses that want to experiment.
- Enterprise plan: starts at $29/month for up to 2,500 contacts. Offers 5 users, 15x contact email send limit, and other perks, such as “HIPAA compliance.”
Why ActiveCampaign is number 4: ActiveCampaign earns this spot because it’s highly trusted and reliable for marketing campaigns. Simple to use and easy for recipients, this can be a good option for organizations that do not intend to send PHI but need HIPAA compliance when storing contacts. We would not recommend using this service for organizations that would like to send personalized emails.
5. Constant Contact
Founded in: 1995
How it works: Healthcare organizations can request a BAA from Constant Contact. Companies can start marketing campaigns from there using Constant Contact’s simple drag-and-drop email builder. Marketers can also use AI technology to craft messages and automate tasks.
How it stacks up on:
- User interface: Constant Contact has a sleek user interface that many companies appreciate. Constant Contact does not encrypt emails, meaning recipients open emails as usual.
- HIPAA compliance: While Constant Contact can be configured for HIPAA compliance when used correctly and in conjunction with a signed BAA, the platform has limitations. Constant Contact emphasizes that its service should not be used for transmitting highly sensitive PHI due to its design limitations. Although the platform offers robust security features conducive to general email communication, it falls short in encrypting emails containing PHI. Therefore, while Constant Contact can be part of a HIPAA compliant solution under specific conditions, it is not inherently HIPAA compliant for all types of email marketing involving PHI.
- Will sign a BAA: Yes
- Allows you to send PHI: No
- Provides encryption: No
- Customer service: Constant Contact provides several ways for customers to receive support. With multiple locations in the US, customers can speak to experts to address specific needs. Constant Contact also provides a Knowledge Base with step-by-step guides and tutorials and a User Community for individuals to connect with other customers for support.
- Reviews: On G2, Constant Contact has a 4/5 rating. Many state that the user interface is easy to use. Others say the templates make it quick to create campaigns. Conversely, some customers have been unhappy with the designs and describe Constant Contact as limited and expensive.
- Pricing: Constant Contact has 3 plan options to choose from, each with additional features and customization options:
- Lite: starts at $12/month, depending on the number of contacts. This plan also offers 1GB of storage, 1 user, and 10x number of contacts.
- Standard: starts at $35/month, depending on the number of contacts. This plan offers 10GB of storage, 3 users, and 12x numbers of contacts.
- Premium: starts at $80/month, depending on the number of contacts. This plan includes 25GB of storage, unlimited users, and 24x number of contacts.
Why Constant Contact is #5: Constant Contact earns this spot because of its straightforward interface and design options. Important to note, however, is that Constant Contact healthcare emails cannot be personalized in any way. Even though Constant Contact signs a BAA with companies, that is not sufficient to meet HIPAA requirements. If a healthcare company chooses to work with Constant Contact, it will be responsible for any HIPAA violations. We recommend working with a marketing service that is HIPAA compliant, as this can offer the best return on investment for healthcare marketing.
6. Infusionsoft by Keap
Founded in: 2001
How it works: Keap provides a 14-day trial for potential users to learn about their email services. Their services allow you to opt into HIPAA security, allowing companies to sign a BAA with Keap. It doesn’t, however, allow healthcare organizations to send PHI. Once the BAA is signed, companies can use one of Keap’s templates to start a marketing campaign.
How it stacks up on:
- User interface: Keap is a straightforward solution with pre-designed templates that are easy to use. When Keap emails are sent out, they are easy for recipients to open because Keap does not encrypt emails. They also use segmentation to help companies automate and personalize emails when possible.
- HIPAA compliance: Although Keap signs a BAA, companies cannot send PHI through their platform. Keap does not add any additional layers of security, such as encryption, which is necessary to keep PHI secure.
- Will sign a BAA: Yes
- Allows you to send PHI: No
- Provides encryption: No
- Customer service: Keap has strong customer service reviews. They offer an onboarding program where users can receive one-on-one coaching sessions on resources and tools provided by Keap. Outside of this process, Keap offers 24/7 chat and phone support, a help center, and an academy with courses and live events.
- Reviews: On review site G2, Keap has over 1400 reviews. They are rated as 4.2/5. Many state that Keap is effective at automating campaigns and is user-friendly. It received positive reviews for campaign management and customer service. Conversely, some believe the system has a steep learning curve.
- Pricing: Keap offers 3 basic plans. Each plan allows you to increase the number of contacts and users as needed.
- Pro plan: starts at $159/month and includes email marketing, marketing, sales and workflow automation, landing pages and online sales, and more. This initially includes 1500 contacts and 2 users.
- Max plan: starts at $229/month and includes everything in the pro plan plus advanced lead optimization, enhanced landing pages and sales tools, e-commerce tools, and advanced reporting. This plan initially allows for 2500 contacts and 3 users.
- Ultimate plan: starts at $279/month and includes everything in the max plan plus premium CRM and sales management, custom user access controls, and more. This plan initially includes 2500 contacts and 3 users.
Why Infusionsoft by Keap is #6: Keap offers many great tools to simplify email marketing campaigns. While it has many benefits, including its user-friendly onboarding process and additional services, it is not ideal for healthcare organizations. For email marketing to be most effective, it needs to be personalized. HIPAA compliant organizations would be unable to personalize emails with Infusionsoft.
7. Salesforce Marketing Cloud
Founded in: 2000
How it works: Companies who work with Salesforce can sign a BAA before crafting email campaigns. While Salesforce does not offer email encryption, they do have a guide on using their products more generally in a HIPAA compliant way. Their guide does not speak specifically to Salesforce Marketing Cloud, so we suggest not sending personalized health information in email campaigns.
How it stacks up on:
- User interface: SFMC has various features to make email campaigns effective. The platform is described as a 360 ecosystem leveraging AI for cloud-based digital marketing. The product allows for audience segmentation, personalized messages, campaign performance tracking, and optimization strategies. That platform creates a unified profile of customers and combines data across different Salesforce platforms to help campaign managers.
- HIPAA compliance: While Salesforce does outline using their products and remaining HIPAA compliant, they are vague regarding their process and security measures. They list other services that are compliant but do not include their email marketing. For this reason, we would advise against sending PHI.
- Will sign a BAA: Yes
- Allows you to send PHI: No
- Provides encryption: Not for all products
- Customer service: Salesforce provides a help center and documentation page, which provides tutorials, sample code, developer guides, and more. Once a company signs up for the marketing cloud, individuals can access additional support. Many say the support center is helpful but sometimes has delayed responses.
- Reviews: According to G2, Salesforce Marketing Cloud has a 4/5 rating. Some state that the service provides significant opportunities for customization but can be a challenging learning curve. Automation is also a highlight, as users can operate on multiple platforms and take recipients through a multi-step process. Lastly, while Salesforce has many great features, they come at a cost. Many find that Salesforce is one of the more expensive options for email marketing.
- Pricing: Salesforce Marketing Cloud provides 3 different marketing services. Once a service is chosen, users can purchase data products if needed.
- Marketing cloud personalization: starting at $108,000/year, this provides organizations with web and email personalization, segmentation, rule-based decisions, and product and content recommendations.
- Marketing cloud engagement: starting at $1,250/month, this includes email marketing, content creation, and robust analytics.
- Marketing cloud account engagement: starting at $1,250/month, this includes lead nurturing and scoring, engagement history dashboard, and campaign reporting and insights.
Why Salesforce Marketing Cloud is #7: While Salesforce has many great features and attributes, they remain murky on what HIPAA regulations they do or do not follow. While signing a BAA is one step to meet requirements, it is far from enough. Salesforce’s whitepaper on the issue is vague and could lead to a false sense of confidence for companies. Salesforce does not describe how they encrypt emails or store their data, suggesting that HIPAA compliance may not be a top priority. Furthermore, Salesforce Marketing Cloud provides complex and sophisticated designs, which could be helpful for larger organizations but could leave some feeling frustrated and overwhelmed.
Related: Can Salesforce CRM be HIPAA compliant?
The takeaway
It´s clear that many different email marketing services are available, but few fit the specific needs of healthcare organizations.
For healthcare, data requires the utmost security. Yet health is also deeply personal, and forgoing personalization can weaken a company´s marketing strategy and prevent forming strong relationships with patients and clients.
Paubox understands the importance of data security, personalization, and making emails easy for recipients to open. With excellent reviews, competitive pricing, and fantastic customer service, Paubox is a top option.