Is Your Email Marketing HIPAA Compliant?

Have you considered email marketing for your private practice but wonder whether it can be HIPAA compliant? It’s important that you recognize the need for compliance, but it should not deter you from moving forward with email marketing.

Email marketing is a powerful way to grow your practice and be seen as the industry expert in your specialty. Here’s why email marketing is still one of the most successful ways you can grow your practice.

  • 95% of online consumers use email and of those, 91% check their email at least once per day.
  • For every $1 spent on email marketing there is a $44.25 average return on investment.
  • It’s relatively inexpensive to do with very little up-front cost.
  • Most Email Service Providers offer very user-friendly templates, making it easy to use.
  • And most importantly, it allows you to maintain relationships with people who follow you, and convert them to paying clients.

That said, as a private practice owner in the medical community, you have an obligation to ensure that your email marketing campaigns are HIPAA compliant.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is United States legislation that provides data privacy and security provisions for safeguarding medical information. This essentially means that health care professionals have a responsibility to safeguard their clients’ personal and health-related information and protect their right to privacy.

Why, and how, does this relate to email marketing? The answer here is simple. The main component of an actual or potential client receiving information from you is their name and email address. This needs to be protected in the event that you and/or your email service provider is hacked and that information gets out into the general public for consumption.

While this is usually enough to make many private practice owners shy away from this form of marketing, it really doesn’t have to be. Like anything else you do in your practice and in life, it’s all about following the rules. Once you know the rules of the game, following them to the winner’s circle is relatively easy.

Here’s what you need to know to ensure your email marketing is HIPAA compliant.


HIPAA Requires Getting Permission.

Ensuring your email marketing efforts are compliant means getting permission. There are a few ways you can accomplish this with great ease.

  • Make sure your opt-in form on your website lets the client know that they are opting in to marketing materials that will be delivered to them from you.
  • Make sure your sign-up sheet in your office lets the client know that they are opting in to marketing materials that will be delivered to them from you. This is a quick and easy one-sentence add-on that may look something like this.

“By signing up for our newsletter you agree to receive emails from our office for the purpose of marketing our practice.”

  • Your emails should automatically carry this statement at the bottom of every message your subscribers receive from you.

“You are receiving these emails because you have opted-in to receive emails from our office for the purposes of marketing.”

  • Your emails must give your subscribers the ability to unsubscribe at any time. This is a link at the bottom of every email that looks something like this.

“If you wish to unsubscribe, please click here.”


HIPAA Requires Email Address Encryption.

Something as simple as a name and an email address can be considered Protected Health Information (PHI), so the best way is to ensure that all emails you send out for marketing purposes are encrypted. Many mainstream email clients, such as Apple Mail and Outlook, offer the ability to manually encrypt emails before they go out, but keep in mind this is a pretty labor-intensive approach. There are easier options which we’ll get to in a moment, but know that encryption is a component of HIPAA compliance when thinking about email marketing.


HIPAA Requires Removing PHI From Email Content

This should be the easiest part of your compliance efforts. When you think about it, you are merely marketing your practice for the sole purpose of growth. This should not include any specific information about any of your clients, their conditions, or their personal information. We are really talking about emails that serve a very broad subject matter. Some topics can include:

  • Upcoming events in your practice (e.g. workshops, social events, open houses, etc.)
  • Promotional text talking about your practice and its specialty services

That said, your emails should not include test results or the results of a survey you’ve conducted.


HIPAA Requires A Business Associate Agreement

There are a number of Email Service Providers out there who have some great programs that make your email marketing efforts a breeze. But you’ll want to ensure that you can receive a signed Business Associate Agreement from them to ensure that you are HIPAA compliant. What this essentially does is ensure that, in the event that your email service provider is hacked, they will protect the identity of your clients as if it were their own and will accept full responsibility on your behalf. They will also ensure that emails are encrypted for you.

You’ll want to make sure they offer this before you sign up. There are many out there, but two I know of for sure are LuxSci’s Spotlight Mailer and Clinical Contact.


Is your email marketing HIPAA compliant? If not, don’t let it stress you out or even deter you from getting started in the first place. Email marketing is an incredibly powerful way to grow your private practice. Just follow the rules like you do with everything else in life and watch the fruits of your labor show up when you look at your full docket of clients that stream in as a result.

We’d love to hear about how you’re using email marketing in your practice and your tips to ensure compliance with HIPAA. Please comment below.
