If you work in the medical field, you might have heard the terms "protected health information" and "electronic protected health information" and wondered what the difference between them is. The answer is subtle, as we'll explain in this post.
Protected health information, or PHI, according to HIPAA regulations is identifiable health information that a covered entity or a business associate uses, maintains, stores, or transmits as a part of healthcare services. PHI isn’t just related to medical records or individually identifiable health markers, but can be anything that identifies a patient and is used during the course of his or her care. Any personal detail linked to someone’s health condition automatically becomes PHI. For example, patient name or email alone can be considered PHI if it is associated with a healthcare provider, such as in a marketing email coming from your practice.
Electronic protected health information, or ePHI, is PHI that is created, received, maintained, or transmitted in electronic form. The HIPAA Security Rule sets out both the technical and non-technical safeguards that covered entities must implement to secure ePHI.
With regard to HIPAA compliant email, covered entities must take reasonable steps to protect ePHI while it is transmitted electronically, all the way to the recipient's inbox. Encryption converts a plain text electronic message into encoded text (ciphertext). Once a message is encrypted, it is unlikely that anyone other than the designated recipient can decrypt (translate) it in order to read it. Encryption is the best safeguard for managing the confidentiality, integrity, and availability of ePHI as described above.
Cloud storage services qualify as business associates even if they never access or view the ePHI that they store. Most mainstream email marketing solutions will not sign a business associate agreement (BAA), which is a nonstarter for healthcare providers. These include well-known platforms such as Mailchimp, HubSpot, and Salesforce Pardot, among many others. For more details on which platforms are safe and effective for healthcare providers to use, we have analyzed the HIPAA compliance of the top 20 email marketing tools here.
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing. Although you might see storing and sending PHI electronically as a roadblock to implementing an email marketing strategy, it doesn’t have to be.