Is Your Healthcare Email Marketing HIPAA Compliant?
Is your email marketing HIPAA compliant? Do you have adequate encryption at every step? Are you sure?
Remember, even a patient’s email address could be considered PHI if linked to a health condition or treatment.
If you are suddenly feeling a little uneasy, I promise you are not alone. Most healthcare marketers are unaware that seemingly innocuous patient email marketing campaigns are yet another area where you could inadvertently run afoul with HIPAA regulations, or, even worse, suffer a breach.
To understand this complex topic better, I recently interviewed Dean Levitt for our podcast. Dean is an established email marketing expert who co-founded the email marketing platform Mad Mimi in 2007, which GoDaddy later acquired. Today, Dean is VP of Marketing at Paubox, which offers HIPAA-compliant email encryption and security solutions for healthcare organizations, including inbound security, data loss prevention, and workflow automation, ensuring secure email communications.
(Note: The content of this blog and our podcast are not legal advice. Always seek appropriate legal counsel surrounding HIPAA topics.)
During our interview, Dean shared his first-hand expertise in email marketing data encryption, especially as HHS and FTC regulations continue to tighten around patient privacy.
Listen to the full podcast interview or read the summary below to discover:
- Email Marketing Best Practices for HIPAA Compliance
- HIPAA Compliance Requirements for Email Communications
- The Importance of Data Encryption
- The Implications of Tracking Technologies
Understanding Email Marketing Best Practices for Ensuring HIPAA-Compliant Communications
Establishing HIPAA-compliant email communications begins with transparent disclosure and explicit consent. From the moment someone interacts with your healthcare organization, you must inform them of your communication methods (e.g., email, phone, text message) or obtain explicit consent before contacting them.
Dean clarified, “For basic communications (that do not contain PHI), it's enough to say, ‘We're going to be sending you email, phone calls, and text messages.’ However, if the organization intends to send marketing communications (that contain PHI), explicit authorization is required and must have its own signature and date stamp.”
To ensure HIPAA compliance in your email communications, include verbiage that notifies patients about how your organization collects, transmits, and stores protected health information in the following places:
- Notice of Privacy Practices
- Digital patient forms (e.g., intake, consent, etc.)
- Patient portals
- Email disclaimers
- Billing statements
- Telemedicine platforms
- On-site signage
Once you have permission to communicate with your patients electronically, you must ensure all PHI data is encrypted.
Dean recommended encrypting all email communications, whether they contain PHI or not: “Get all your emails encrypted if you're a covered entity or a business associate. Paubox encrypts all emails by default—if all your emails are encrypted, then any PHI included in an email, whether accidental or deliberate, you're safe, you're compliant.”
Dean also stressed the importance of encrypting email that is at rest: “It's not just about encrypting the sending of the email. It's equally important to encrypt the email data stored on your servers.”
Dissecting HIPAA Compliance Requirements for General Health vs. Patient Education vs. Marketing Communications
The differences between general health, patient education, and marketing communications are often nuanced and can leave a lot to chance, especially when protecting patient privacy.
To avoid HIPAA violations, Dean recommended obtaining explicit consent for all electronic communications and added that this consent also protects your organization from potential CAN-SPAM violations.
"If you've got a general newsletter and anyone can infer anything about the recipient, consider that newsletter to contain PHI. Remember, an email address is PHI; a name is PHI; a location is PHI; even the city someone lives in is PHI, so that general newsletter might be just about seasonal healthcare or general fitness tips. But if you're leveraging something like location or a name to include, like dear patient Dean, your email contains PHI."
The Importance of Data Encryption in Email Marketing
As we continued our discussion, Dean brought up an essential point about the importance of data encryption in email marketing.
He explained, “Some companies will sign a Business Associate Agreement (BAA) only for the storage of PHI—but not for the transmission or sending of PHI. If you’re using any third-party service email marketing platform and they are willing to sign a business associate agreement, triple-check that it covers the transmission of PHI, not just the storage of PHI.”
What Is a BAA?
A business associate agreement is a legally binding contract between a covered entity (e.g., a healthcare organization) and a business associate (e.g., a third-party vendor) that outlines the business associate’s responsibilities for safeguarding protected health information (PHI). A BAA is required whenever a business associate or its subcontractors could potentially access PHI.
If your vendor’s BAA does not cover the transmission of PHI, the emails your organization sends are not encrypted in transit and are therefore not HIPAA-compliant. This leaves your organization exposed to HIPAA non-compliance penalties and fines.
The Implications of Tracking Technologies
A series of federal data privacy crackdowns complicates how healthcare organizations can market their services online and via email.
The Federal Trade Commission (FTC) and Health and Human Services (HHS) are tightening regulations on tools that capture potentially identifiable information about a person (e.g., unique identifiers).
This information is considered protected data and can include things such as email addresses, IP addresses, or geographic location information that can be tied to an individual.
Dean explained the idea of tracking technologies further: “A hospital service page is an unauthorized part of the website because a log-in is not required to access the content. However, Google Analytics or Meta Pixel still captures a user’s geographic location and IP address. So, the HHS and FTC now consider pages about cancer treatments or AIDS medication to contain PHI.”
Putting PHI Into Perspective
“Let’s say a person (patient or non-patient) signs up and receives your general email newsletter. If they click on a newsletter link and it is tracked, their email address, geographic location, or IP address can be tied to information about receiving a mammogram (for example), and well, now you’ve got PHI,” Dean said.
The bottom line is that when it comes to healthcare, if there's anything that can potentially identify someone, it is safest to assume it's PHI.
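The click-tracking scenario Dean describes is easy to reproduce on paper. The script below is an added example (not code from the original post, from Paubox, or from Healthcare Success) that uses a constructed subscriber table, a constructed newsletter, and a few constructed click-log lines to show where the PHI appears: the per-recipient token in a tracking link, once joined back to the subscriber list, yields rows such as (email address, "/services/mammogram-screening"). It then shows two defender-side controls: auditing outgoing newsletter HTML for links that carry a recipient identifier in the query string (the parameter names checked are assumptions, not a standard list), and reporting engagement as per-topic counts rather than per-person rows.

```python
"""Added example (not code from the original post, Paubox or Healthcare Success).

Shows how per-recipient click tracking on a general health newsletter turns a
non-sensitive subscriber list into PHI, and two defender-side checks:
  1. audit newsletter HTML for links that carry a recipient identifier to a
     tracking endpoint, and
  2. report engagement as per-topic counts instead of per-person rows.
All subscriber data, links and log lines below are constructed for the demo.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed subscriber table: the tracking token is what links a click back
# to a person. Names and addresses are fictional.
SUBSCRIBERS = {
    "r7f3a": "dean@example.com",
    "k2m9q": "pat@example.net",
}

# Constructed newsletter HTML. The first and third links carry a recipient
# identifier to a tracking endpoint; the second is a plain, untracked link.
NEWSLETTER_HTML = """
<p>Spring wellness tips</p>
<a href="https://clinic.example/t/click?rid=r7f3a&amp;u=/services/mammogram-screening">Schedule a screening</a>
<a href="https://clinic.example/blog/hydration">Stay hydrated</a>
<a href="https://clinic.example/t/click?email=dean%40example.com&amp;u=/blog/hydration">Read more</a>
"""

# Constructed click-log lines: "<timestamp> <recipient token> <landing path>"
CLICK_LOG = """\
2024-03-02T10:14:07Z r7f3a /services/mammogram-screening
2024-03-02T10:20:41Z k2m9q /blog/hydration
2024-03-02T11:02:13Z r7f3a /blog/hydration
"""

# Query parameter names that identify the recipient rather than the campaign.
# This set is an assumption for the demo; real platforms use their own names.
RECIPIENT_PARAMS = {"rid", "uid", "email", "subscriber", "sid"}


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags in the newsletter body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_identifying_links(html):
    """Return hrefs whose query string carries a recipient identifier."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        params = parse_qs(urlparse(href).query)
        if RECIPIENT_PARAMS & set(params):
            flagged.append(href)
    return flagged


def join_clicks(click_log, subscribers):
    """Per-person rows of (email, landing path): the PHI the article warns about."""
    rows = []
    for line in click_log.splitlines():
        _ts, token, path = line.split()
        if token in subscribers:
            rows.append((subscribers[token], path))
    return rows


def aggregate_clicks(click_log):
    """Engagement reporting with no per-person link: a count per landing path."""
    counts = Counter()
    for line in click_log.splitlines():
        _ts, _token, path = line.split()
        counts[path] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Links that tie a recipient to a click:", find_identifying_links(NEWSLETTER_HTML))
    print("Per-person join (PHI):", join_clicks(CLICK_LOG, SUBSCRIBERS))
    print("Aggregate only:", aggregate_clicks(CLICK_LOG))
```

Running the audit before a send is the cheap control: any flagged link means the click log will be joinable to a person, so that log (and any analytics tool it feeds) has to be treated as PHI storage under the BAA. Aggregate counts per landing page answer the usual "which topics got clicks" question without creating the per-person rows in the first place.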
Get HIPAA Compliant with Paubox
Paubox is a leading option for HIPAA-compliant email for two reasons.
- Paubox removes the risk of human error (a big contributor to HIPAA violations). Paubox encrypts all emails by default, so there's no chance of an employee making a mistake.
- Paubox emails are read in the inbox. Most HIPAA-compliant email providers require portals, and the adoption of these portals is incredibly low—especially when it comes to email marketing. Paubox emails are sent like any other email, straight from your Google Workspace or Microsoft email account, and opened directly in the recipient's inbox like any other email.
If you’re looking for a bulletproof solution for HIPAA-compliant email marketing, inquire directly to Paubox.
If you need a comprehensive healthcare marketing strategy, Healthcare Success can help. We can leverage the Paubox software and create a cohesive brand story through website design, content marketing, paid search, social media, email marketing, and more.
Podcast Transcript
Interviewer: Stewart Gandolf
Guest: Dean Levitt, VP of Marketing at Paubox
Today, I'm interviewing Dean Levitt, the VP of marketing for Paubox and an established expert in the field of email marketing. Dean, tell me a little about your background.
I'm VP of marketing at Paubox, which is a HIPAA compliant email platform. I've been involved in email and email marketing in particular since way back in 2007 when I co-founded an email marketing platform called Mad Mimi. Back in 2014, GoDaddy acquired Mad Mimi, at which point I helped build out GoDaddy email marketing.
At the highest level, I would love just to understand what the rules are around emails to patients?
First of all, you need to get permission to email your patients, and this should be done the moment someone interacts with your healthcare organization, whether it's in the Notice of Privacy Practices, whether it's in the patient intake. Get their permission to email them.
The second thing is, if you're going to be including any PHI, then that email must be encrypted. And so when I say it's actually easy to solve the problem rather than worrying about it, just get all your emails encrypted if you're a covered entity or a business associate. Paubox encrypts all emails by default, and that's simply the easiest thing to do. If all your emails are encrypted, then any PHI that's included in an email, whether it's inadvertent or deliberate, you're safe, you're compliant.
Ensure that your emails are encrypted at rest as well. So it's not just about encrypting the sending of the email, it's also about encrypting the storage of that information in the email on your own servers. It’s not that difficult if you're working with Google Workspace or Microsoft 365, they will sign a business associate agreement, and they'll ensure that your storage is compliant as well. And probably the main advice is to just work with services that make it easy.
Let's drill down a little bit and the notice of privacy practices. That's a long document typically, it's something that people, when they come into the office, fill out in depth. And so it's not just a paragraph within as well, it's not something you have to draw their attention to specifically, they sign that little document, and we're good. Is that correct in terms of the notification?
Yes, and no. So for basic communication, it's enough to just say, we're going to be sending you email, phone calls, and text messages, and then when you sign the overall document, you consent that you read it and received it, that covers it, and that's for basic communication.
If you're going to be doing marketing communication, you need explicit authorization.
And where would that typically be taken? As a separate document or how does that typically work?
It can be in the same document, but it needs to be its own section in the document. It warrants its own acknowledgment, a specific signature, and a date as well.
So these are general health knowledge, is that marketing? And this is not tied to the patient specifically, so is that marketing, or is that patient education, and how would that qualify?
General health emails could be considered patient education part of treatment, but there are some things to dive in there. Marketing is about promoting a service that isn't part of the treatment, in which money is also going to be exchanged.
For example, general patient information is not considered marketing, but if I'm going to say, well, there's this third-party medical practice in our neighborhood that offers something that's related to the treatment we've done, and it's going to cost an additional $50 for that appointment, that's absolutely marketing, and you're going to need authorization for that.
It's also marketing if in this general newsletter, you're advertising a service that isn't necessarily covered by the plan that you have, the health plan with that healthcare organization, with that covered entity. There's some gray area, but in general, patient education and treatment emails are not marketing, and you don't need explicit authorization. It’s a good practice to get consent to receiving these emails anyways.
Then from the CAN-SPAM perspective, you're also covered. If you are a customer of that healthcare organization, then apart from a few details, CAN-SPAM isn't also a concern because consent is implied.
So say I'm going out and I now have an optional weight loss add-on that you can buy at our practice, that would be considered marketing if it's cash, but if it's through insurance, it's not generally speaking.
Right. If it's for remuneration and if it's an additional cost, it can be a gray area, but let's say the safest way is to assume that's considered marketing and to get that authorization.
There is one more thing I'd like to just raise there when it comes to this general newsletter, which is that it is not always clear what is and isn't PHI in the context of a general newsletter. So again, better safe than sorry is probably the best practice.
If you are, say, a cardiologist, if you're a cancer clinic, then a general newsletter might imply that you're receiving treatment for something specific, and there again, it becomes highly subjective, and you might actually be considered to be sending PHI. If someone can infer, well, Dean Levitt, who received this email from this clinic that specializes in this kind of treatment, even if it's a general newsletter that's not specific to my actual treatment, it has a lot of implications as to the type of treatment I might have been receiving that could and has been in the past considered to be PHI.
So then at the very minimum, if you don't have a premium service like Paubox, you are going to be looking for someone who signs a BAA for your email service provider, is that correct?
Yes, and you're going to need to make sure. Some companies will sign a BAA only for the storage but not the sending of PHI, so if you are using any third-party service email marketing platform and they are willing to sign a business associate agreement, triple-check that it also covers the transmission of PHI and not only the storage of PHI. There are a number of email newsletter platforms whose BAAs only cover the storage of PHI but not the transmission of PHI, which means the actual emails you're sending themselves are not encrypted. Whereas with Paubox, our bread and butter is encrypting emails.
Going back to the notice of privacy practices, let's say you're mainstream and you want to be safe, and so now you have thousands of patients, do you have to start all over with patient one or can you send them a notice or do you just start rebuilding before you can use anybody?
You do, actually. It might not be what anyone really wants to hear. You will need to go back and get that authorization, which is why you should, even if you have no plans to do marketing initiatives today or this year, start getting that permission right now. There's no time like the present in order to get that authorization, whether you think you're going to need it immediately or not.
I want our readers and subscribers and clients to be aware of these things (about emailing PHI), not the panic, but to also take this stuff seriously. And I'm trying to get the reasonable person's standard here, like where do you need to fall?
If you've got a general newsletter and anyone can infer anything about the recipient, I'd say consider that newsletter to contain PHI. Remember, an email address is PHI, a name is PHI, location is PHI, and even the city someone lives in, so that general newsletter might be just about seasonal healthcare or general fitness tips. But if you're leveraging something like location, if you're leveraging a name to include, like dear patient Dean, then your email contains PHI.
Let's go back to the provider sending out a general health newsletter. If they have an opt-in where people can opt-in that are not patients, that now means you're just offering a newsletter to the public, right?
The answer to that is maybe, and that's the problem. I keep hinting at this Google Analytics illustrative point, and I think this might be a really good time to point it out. So one of the things that both the FTC and HHS have been cracking down on is the use of tools that capture data around the person. So the question is, well, on the hospital homepage, that's an unauthorized part of the website, there's no login, there's no real information, but Google Analytics or a Meta Pixel is capturing things like location and IP address. So that's been considered to be PHI, not necessarily on the homepage, but if that person visits a page about cancer, a page about AIDS medication, then that's been ruled to be PHI.
And that's why the AHA and all these hospitals are currently in legal battles with the HHS around this stuff. Think about this, there's a patient or a non-patient who signs up and is receiving your general email newsletter, and they click on a link, that click is tracked, and that click is tied back to an individual who signed up and if they clicked a link around receiving a mammogram, well, you've now got PHI.
So we can say, well, the HHS and the FTC are cracking down on these very tangential identifiers, and they're probably going to be cracking down on that email as well in the future. The bottom line is, when it comes to healthcare, and if there's anything that can identify someone, assume it's PHI.
Are there class action lawsuits about email or are there big breaches being publicized or is the FTC even involved for non-providers or the OCR? What's going on with email today?
If I remember right, roughly 20 to 25% of all breaches are email-based. And this is what I gleaned off looking at 2022 and 2023's breaches from the wall of shame from the OCR, many of those are phishing, but many of them are simply mistakes, inadvertent inclusion of PHI in email.
Now even if you follow all best practices, breaches happen because employees do things that aren't really correct. But if you followed all the basics correctly, if you've behaved appropriately, if your emails are encrypted in storage, if your emails are encrypted in transmission, if you've got the appropriate policies and procedures in-house, if you've trained your employees on this stuff, then your liability is going to be lessened even if there is a breach anyways.
What about one-on-one communication with patients, is that a special class? Are there any special rules with one-on-one relationships or, tell me about that?
The rules around one-to-one email communication are almost the same. If you are a covered entity or a business associate and you're sharing PHI, that PHI must be encrypted at rest and in transmission.
Google has come out saying it's going to be making things a lot harder for its Gmail customers for deliverability, they're reacting to spam. So give us a sense of deliverability issues for Google, and I think Yahoo as well also is cracking down just as a way of stopping so many promotional emails.
I don't think it's that big of a deal, and I'll share why. First of all, the rules only apply to people who send about 5,000 emails or more a day, so it's definitely around big senders. However, I think still that's them slowly working their way towards applying these rules to everyone. If you're already a regular email marketer, you should be doing these things anyway, and if you haven't been doing these things, it's probably already been impacting your deliverability.
Give me an example of a really good HIPAA compliant email platform and what makes Paubox compliant?
Paubox is, hands down, the best option out there for HIPAA compliant email for two very clear reasons. One, Paubox encrypts all emails by default, so there's no chance of an employee making an inadvertent mistake. A lot of alternatives require the user to take extra steps to actually encrypt that email. Actually a huge amount of HIPAA violations come from human error. Paubox removes the risk of human error.
And the second thing is that Paubox emails are read in the inbox, which is almost unique. So most HIPAA compliant email providers require portals and the adoption of portals is nightmarishly low, especially when it comes to email marketing. Who's going to send a personalized email marketing message that requires your recipient to go to a portal, log in, and receive a two-factor authentication just to read a marketing email? It's ridiculous.
Paubox emails are opened directly in the inbox like any other email, they're sent like any other email straight from your Google Workspace or Microsoft email account, and they're opened like any other email.
All right, that was great. So Dean, I really enjoyed this, I was truly asking questions that I've been curious about for a long time, so I do appreciate your time. Is there anything we missed, anything that is really important that our audience should know about the whole topic of email marketing?
Email marketing is powerful because you've got a lot of scope for personalization. I think a lot of healthcare organizations are terrified of personalizing their communication because they're worried about HIPAA compliance, but the fact is, you've got HIPAA compliant email newsletter platforms like Paubox out there. Go ahead and send highly relevant personalized email marketing because doing it safely is pretty straightforward if you use a HIPAA compliant email service.
Other ways of reaching out to people include sending postcards or letters and texts, any comments on those?
For sure. I think the next real frontier in healthcare marketing is HIPAA compliant texting. It's already broadly here, but it's very, very challenging right now, but it is definitely worth mentioning. Paubox is working on two very important features, one is HIPAA compliant texting, and we're running pilots around that right now, and it should be available very soon.
Paubox has also released HIPAA compliant forms - it allows you to capture things like patient authorization online. The form handles the data in a HIPAA compliant way, and it can feed into things like email marketing and text messaging, drip campaigns, and marketing automation. So all of these things go hand in hand and as long as the entire ecosystem is HIPAA compliant, well, you've got a marketing engine.