HIPAA-Compliant Email Marketing

Executive Summary 

Although email marketing can be a valuable addition to your healthcare practice to improve patient outcomes and increase revenue, it does not come without risks. Healthcare providers must ensure that their practice complies with HIPAA when sending any marketing emails to patients to avoid any costly violations.  

Recommended Actions  
  • Ensure that your healthcare practice has a policy about the distribution of marketing emails to patients and ensure that all staff members are appropriately trained. 
  • Monitor state laws to make certain your practice follows any additional regulations for marketing communications. 
  • Ensure that your healthcare practice conducts annual HIPAA training for all employees and staff members. 

Email can be an effective marketing tool for your practice, but HIPAA privacy laws still apply. If your practice uses email for marketing products or services, here are some best practices to ensure that you are maintaining HIPAA compliance. 

Obtain written authorization from your patients. 

Obtaining their email on an intake form is not enough. Patients must give explicit permission to receive marketing emails. For example, your intake paperwork could include a marketing permission form that requests the patient’s signature to use their email to send marketing updates and informs them of their right to unsubscribe using the link in any email they receive from you. If you can, let them know how frequently they would receive emails from you. 

Only send encrypted, blind copy emails to patients. 

Email addresses are protected health information (PHI). That means it is important that patients who receive the emails cannot see who else did. A good way to do this is to blind carbon copy or “bcc” the recipients. Emails must also be encrypted to protect PHI. Systems such as regular Outlook or Gmail are not secure, which means your emails are vulnerable to hacking and interception by third parties. Office 365 is an example of a server that offers secure sending and encryption options for your emails. 
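The two checks described above (patient addresses kept out of the visible header lines, plus an unsubscribe link in every message) can be enforced in code before a message ever reaches the mail server. The following Python is an added example, not part of the original resource; the practice address, patient addresses and unsubscribe URL are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder values for the example.
PRACTICE_ADDRESS = "newsletter@practice.example"
UNSUBSCRIBE_URL = "https://practice.example/unsubscribe"  # placeholder


def build_marketing_email(patients, subject, body):
    """Address a bulk marketing message so recipients cannot see each other.

    The practice's own address goes in the visible To line; every patient
    address goes in Bcc. smtplib.SMTP.send_message() strips the Bcc header
    before transmission, so only the envelope carries the patient addresses.
    """
    msg = EmailMessage()
    msg["From"] = PRACTICE_ADDRESS
    msg["To"] = PRACTICE_ADDRESS
    msg["Bcc"] = ", ".join(patients)
    msg["Subject"] = subject
    msg.set_content(f"{body}\n\nTo stop receiving these emails: {UNSUBSCRIBE_URL}")
    return msg


def exposed_patient_addresses(msg):
    """Return addresses every recipient would see (To/Cc), excluding the practice's own.

    A non-empty result means patient email addresses (PHI) would be disclosed
    to other patients; such a message must not be sent.
    """
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in visible if addr.lower() != PRACTICE_ADDRESS.lower()]


def has_unsubscribe_link(msg):
    """Every marketing email must carry the unsubscribe link in its body."""
    return UNSUBSCRIBE_URL in msg.get_content()


def ready_to_send(msg):
    """Combine both pre-send checks; True only if the message passes."""
    return not exposed_patient_addresses(msg) and has_unsubscribe_link(msg)
```

A message that copies the patient list into To fails `exposed_patient_addresses`, while one built with `build_marketing_email` passes both checks.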

Maintain business associate agreements with third parties. 

If you are using a third-party service such as Mail Chimp to send your marketing emails, it is important to have a business associate agreement (BAA) with the service, because it has access to your PHI and is therefore considered a HIPAA business associate. 

Do not include patient information, including images, in your emails without specific consent from your patient. 

Any information that is considered PHI under HIPAA should not be used as marketing material in emails, unless that patient has agreed to let you use their information in marketing your services. For example, plastic surgery practices can find it useful to send patient before and after photos. You must have consent from your patient to use these photos for marketing. 

Make unsubscribing from your emails clear and easy for your patients.

Many marketing emails contain a link at the bottom to unsubscribe from them. A link within each email is an easy way to give your patients a way to unsubscribe whenever they wish. 

Lessons Learned  
  • Ensure that the BAA form your healthcare practice uses is up-to-date, or use MagMutual’s sample BAA policy form found in the HIPAA Toolkit. 
  • Maintain copies of authorization forms from your patients and keep those copies in the patient’s medical records. 
  • Consider implementing a marketing and fundraising policy within your healthcare practice. You can find a sample policy in the HIPAA Toolkit. 

Potential Damages 

If a healthcare practice inappropriately discloses PHI or does not get the appropriate authorization from their patients consenting to marketing emails, the practice could face a HIPAA violation. Although the frequency of such violations is relatively low, violations can lead to costly financial penalties and fines.  


    1. If I want to include images of a former patient in my marketing email, I must get that patient’s consent.
    2. I should include a link at the bottom of every marketing email to allow patients to unsubscribe from them.
    3. I can simply copy my patient list into the “send” line in an email because it doesn’t matter whether the patients can see others’ names.




    The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.