Is your email marketing violating HIPAA privacy laws?

Compliance basics

Ninety-two percent of online adults use email, and we love the convenience of communicating with our doctors, dentists and other healthcare providers via email.

But if your organization is a “covered entity” or a “business associate” of a covered entity, you need to make sure your communications with patients comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law protects patient privacy and regulates how patient information must be handled.

These requirements apply to health insurance companies, health plans (like HMOs), doctors, clinics, hospitals, psychologists, nursing homes, pharmacies, dentists and chiropractors — among others. “Business associates” of covered entities must also comply with certain HIPAA regulations.

But people love their email: Seventy-three percent of millennials prefer to interact with brands via email (and the percentage of older people who prefer this channel is even higher). However, the confidential nature of the healthcare provider-patient relationship can cause problems for email marketers.

Here are a few things to keep in mind.

Remember the HIPAA privacy basics

Emailing your patients as a group could violate HIPAA, particularly if the email addresses are visible to other recipients. (Of course you should not be displaying recipients’ email addresses anyway, just as a matter of email etiquette, but this kind of gaffe can have major legal consequences in the healthcare environment.)

Consider how many people use their name as their email (e.g., JaneSmith AT gmail DOT com), and you begin to see how sending a simple email might violate their HIPAA privacy.

[Image: HIPAA Privacy Stethoscope. Photo: weiss_paarz_photos Flickr via Compfight cc]

Many popular email services might not be secure

Any correspondence and attachments subject to HIPAA would need to be encrypted before sending if your email service is not secure.

Free email services such as Yahoo, Hotmail or Gmail may not be considered secure under HIPAA compliance standards, so verify with your particular email provider before using it for patient correspondence.

A safer option may be to choose a secure email provider, such as Microsoft Office 365 from GoDaddy’s Business Premium, for your organization or practice. (You can find a comparison of HIPAA-compliant providers here).

Remember, in any event, you can’t control which email service patients use, so what’s a responsible healthcare provider to do? Get authorization before emailing.

Patients can authorize healthcare organizations and providers to use unencrypted emails

Yes, patients can authorize healthcare organizations to use unencrypted emails, but you should make sure they understand the risks first. Most practices use a consent form to explain the potential risks to patients.

What about marketing emails like newsletters, links to blog posts, event announcements and the like? HIPAA privacy laws may still apply to certain aspects of your communication so marketers must exercise caution.

Dos and don’ts for HIPAA-compliant email marketing

  1. Don’t email to your patient list in a way that makes others’ email addresses visible to recipients.
  2. Don’t use confidential patient information to personalize a marketing email. (e.g., “There’s a new ointment available for that embarrassing rash you had before!”)
  3. Don’t breach confidentiality by sending appointment reminders, anniversary emails or birthday emails without the patient’s consent.
  4. Do have people proactively subscribe to topic-specific newsletters, such as “The Psoriasis Pseries,” so they self-identify as members of the audience. You could also have a single “email updates” subscriber list (separate from your patient email database) if maintaining topic-specific newsletters is too much work for your small organization.
  5. Do comply with other applicable regulations relating to marketing communications.
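Item 1 above is the one rule a practice can enforce mechanically. The following added example (my illustration, not code from the original article) builds one message per patient so that no recipient's copy carries anyone else's address, and includes a check that flags the bulk-To gaffe, or a stray Bcc header, before a message is handed to a mail server. The sender and recipient addresses are constructed sample values, and actual transmission (smtplib) is deliberately left out so the result can be inspected offline.

```python
"""Per-recipient patient mailings: build and check messages so that no
patient can see another patient's address.

Added illustration for the "don't expose other recipients' addresses"
rule; not code from the original article. Addresses below are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_individual_messages(sender, recipients, subject, body):
    """Return one EmailMessage per recipient, addressed only to that person.

    Separate envelopes are the simplest guarantee that a patient's address
    never appears in another patient's copy. Bcc also works, but a Bcc header
    that is accidentally left in the transmitted message exposes every
    blind-copied address, so this approach avoids Bcc entirely.
    """
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def build_bulk_message(sender, recipients, subject, body):
    """The gaffe the article warns about: every patient in one To: header.

    Included only so the check below has something to reject.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Every address a recipient of this message would be able to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def leaks_recipient_addresses(msg):
    """True if the message would expose other recipients' addresses.

    More than one visible To/Cc address is a leak; so is any Bcc header,
    since a Bcc header that survives into the sent message is visible to all.
    """
    if msg.get_all("Bcc"):
        return True
    return len(visible_recipients(msg)) > 1


# Constructed sample data (not a real practice, not real patients).
SAMPLE_SENDER = "newsletter@example-clinic.invalid"
SAMPLE_RECIPIENTS = [
    "jane.smith@example.invalid",
    "john.doe@example.invalid",
    "pat.lee@example.invalid",
]

if __name__ == "__main__":
    bulk = build_bulk_message(SAMPLE_SENDER, SAMPLE_RECIPIENTS, "Clinic news", "...")
    print("bulk message leaks addresses:", leaks_recipient_addresses(bulk))
    for m in build_individual_messages(SAMPLE_SENDER, SAMPLE_RECIPIENTS, "Clinic news", "..."):
        print(m["To"], "leaks:", leaks_recipient_addresses(m))
```

In practice `leaks_recipient_addresses` belongs immediately before the `sendmail` call, as a gate that refuses to transmit any message it flags; the per-recipient builder then makes the gate a formality rather than a safety net.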

If you’re still confused, keep it simple: Start a blog, and invite people to subscribe to your updates. That way, any emails you send to your list will be wholly independent of your patient database, and will likely include people who have no affiliation with your organization (except that they like your content).

The above content should not be construed as legal advice. Always consult an attorney regarding your specific legal situation.

Image by: mikecogh via Visual Hunt / CC BY-SA

Kerry Gorgone
Kerry O’Shea Gorgone is a speaker, writer, attorney and educator. She hosts the weekly Marketing Smarts podcast for MarketingProfs, and is also a contributing writer for numerous sites, including Huffington Post, Mark Schaefer’s {grow} blog, Social Media Explorer, Entrepreneur, Spin Sucks, and MackCollier.com. Follow her on Twitter @KerryGorgone.