HIPAA-Compliant Email Marketing

Many medical practices are hesitant to try out email marketing, and for good reason: the consequences of a HIPAA violation are serious, but the rules are not clear-cut on what is acceptable and what is not. With so much open to interpretation, practices are left wondering whether it is even worth the risk to reach out to patients via email.

It is possible to create an email marketing strategy that will keep your practice on the right side of HIPAA laws. Of course, we would recommend that you consult with an expert on HIPAA laws before diving into risky territory, but these tips should help you stay on the right track.

1. Emails containing protected health information (PHI) must be encrypted.

Email is generally not a secure means of communication. Any message you send is vulnerable if you don't take the proper precautions. You won't be able to simply send messages to patients from a free consumer email account at Google, Yahoo, or another major provider the way you would with your personal email; those consumer accounts come with no Business Associate Agreement and give you no control over how the message is protected. This is where encryption comes in. Transport encryption (TLS between mail servers) protects a message from being read if it is intercepted in transit, but it only covers each hop and leaves the message readable in the recipient's mailbox; end-to-end encryption (for example S/MIME) or a secure portal protects the content itself. Even something as simple as a name and email address is PHI in this setting, because a list of addresses held by your practice identifies those people as your patients, so the best practice is to encrypt everything you send out. You can choose to manually encrypt each email your practice sends, or use a HIPAA-compliant automated service. Many email clients, like Apple Mail and Microsoft Outlook, allow you to encrypt individual messages with S/MIME, but that requires the recipient to have a certificate, which most patients do not, and it depends on diligence from every employee sending email; one slip-up could put you at risk of a violation. If you would rather not take that risk, use a service that automates the encryption for you, typically by sending the patient a notification with a link to the message in a secure portal rather than putting the PHI in the email body itself.

2. Not all email marketing services are HIPAA-compliant.

Don't assume that just because you're paying for a service, it is automatically secure enough to comply with HIPAA. In fact, many services are not, even ones designed for corporate use. When choosing an email marketing service, make sure it covers all of the necessary security measures before moving forward, and always ask directly whether the service offers HIPAA-compliant email. When in doubt, work with an expert on HIPAA law to help determine whether an email marketing service meets the right standards. As with your website hosting service, get a signed Business Associate Agreement (BAA) with your email provider to clearly spell out responsibilities; a vendor that will not sign a BAA should not be handling PHI on your behalf at all.

3. Never send emails to patients who have not requested communication by email.

You may request patients' email addresses on your sign-in forms, but unless they have indicated that they wish to receive emails from your practice, you should avoid that means of communication. One way to do this is to add a question about communication preferences to your practice's sign-in forms ("How would you like to hear from us?"). Patients can then check off "Email" and provide an email address if they prefer to be contacted that way. You could take it a step further and add another question, "What types of email communication do you wish to receive?", with options such as "appointment reminders," "newsletters," or "condition-specific health tips." Record these preferences and honor them per category, so that a patient who asked only for appointment reminders never receives a newsletter. It is best not to discuss matters like test results over email; those conversations are best done over the phone.

Another option is to add a signup form on your website. Patients can then opt into your marketing communications if they wish, including newsletters and condition- or procedure-specific emails. Under HIPAA, you should not send this type of information if the patient did not request it, but you are allowed to send it if the patient expressly asks for it. HHS guidance on the Privacy Rule also states that if a patient initiates email communication, "the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual." However, even when the patient requests email communication, you still need to take the appropriate measures to keep that communication as secure as possible.

4. Make sure patients who sign up are aware of the risks of email communication.

Even if you do everything you can to ensure email security on your end, you have no control over the patient's side: their email provider, their devices, or who else can see their inbox may not be secure enough to prevent a breach. It is important that they understand this risk before entering into email communication with your practice. The best practice is to include a disclaimer both at signup and at the bottom of each email message. If a patient initiates communication via email and you feel that he or she may not be aware of the risks, it is appropriate to inform the patient of those risks and then let the patient decide whether or not to continue email communication.

Ultimately, a successful email marketing strategy in healthcare comes down to doing what is best for the patient. Only email patients who have asked for it, and do everything you can to keep the communication secure. These practices will keep you on the right side of HIPAA and keep your patients happy.