Regulation of Medicine


HIPAA-Compliant Email Marketing

MagMutual has seen recent claims involving HIPAA violations by practices that use email marketing. Email can be an effective marketing tool for your practice, but HIPAA privacy laws still apply. If your practice uses email to market products or services, here are some best practices for the areas of higher risk:

  • Obtain written authorization from your patients agreeing to receive marketing emails from your organization. Collecting an email address on an intake form is not enough; patients must give explicit permission to receive marketing emails. For example, your intake paperwork could include a marketing permission form that requests the patient’s signature before their email address is used to send marketing updates and informs them of their right to unsubscribe using the link in any email they receive from you. Also tell them how frequently they can expect to receive emails from you.
  • Only send encrypted, blind-copied emails to patients. Email addresses are considered protected health information (PHI), so patients who receive a marketing email must not be able to see who else received it. A good way to achieve this is to blind carbon copy (“bcc”) the recipients. Emails must also be encrypted to protect PHI. Standard Outlook or Gmail setups are not secure, which leaves your emails vulnerable to hacking and interception by third parties. Office 365 is an example of a service that offers secure sending and encryption options for your emails.
  • Maintain business associate agreements with third parties. If you use a third-party service, such as Mailchimp, to send your marketing emails, it is important to have a business associate agreement (BAA) with that vendor, because it has access to your PHI and is considered a HIPAA business associate.
  • Do not include patient information, including images, in your emails without specific consent from the patient. Any information that is PHI under HIPAA should not be used as marketing material in emails unless that patient has agreed to let you use their information to market your services. For example, plastic surgery practices may find it useful to send before-and-after photos of patients; you must have the patient’s consent to use those photos for marketing.
  • Make unsubscribing from your emails clear and easy for your patients. Many marketing emails include an unsubscribe link at the bottom; a link in every email gives your patients a simple way to opt out whenever they wish.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.