HIPAA Compliant Email Marketing

The rules for HIPAA compliant email marketing are complex, subject to multiple exceptions, and can be interpreted in a number of ways depending on the purpose of the marketing email, its content, and whether it even qualifies as a marketing email under HIPAA. Regardless of how the rules are interpreted, the platform used to send HIPAA compliant marketing emails must meet specific security requirements.

According to §164.508 of the HIPAA Privacy Rule, a covered entity (or business associate “where provided” by §160.102) must obtain a valid HIPAA authorization “for any use or disclosure of Protected Health Information (PHI) for marketing”. This standard could be interpreted by some sources as implying that covered entities must obtain a valid HIPAA authorization from every intended recipient before sending a marketing email that discloses their email address.

However, this is not the case. Some forms of marketing are not covered by HIPAA, some marketing emails are exempt from the definition of marketing under HIPAA, and some types of marketing emails do not use or disclose PHI (although, in some cases, a disclosure of PHI may be inferred). To further complicate HIPAA compliance for email, some states require patients to affirmatively opt-in before they are contacted for any type of marketing activity by email.

What Forms of Marketing are Not Covered by HIPAA?

When HIPAA was passed in 1996, Congress instructed the Secretary for Health and Human Services (HHS) to make recommendations “with respect to the privacy of certain health information”. The recommendations were subsequently adopted as the basis for the HIPAA Privacy Rule. At the time, nearly all marketing was direct business-to-consumer marketing and other forms of marketing (inbound marketing, relationship marketing, etc.) were not considered.

Consequently, the HIPAA marketing rules only apply to direct business-to-consumer marketing. Other forms of marketing are not covered by HIPAA unless a response to (for example) an inbound or relationship marketing activity qualifies as a direct marketing communication. Even then, the communication may not be covered by the rules for HIPAA email marketing if it is exempt from the definition of marketing under HIPAA or does not disclose PHI.

When is Marketing Not Marketing under HIPAA?

The definition of marketing under HIPAA appears in §164.501 of the HIPAA Privacy Rule. This standard states “marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” However, there are multiple exceptions to the definition including:

  • Refill reminders and communications about medications and medical equipment currently prescribed for the individual.
  • For treatment of a patient by a healthcare provider – including appointment reminders sent directly to the patient (see “consent” below).
  • For case management or care coordination purposes and related functions that do not fall within the definition of treatment.
  • To recommend alternative treatments, therapies, healthcare providers, or care settings (subject to the provisos discussed below).
  • To describe a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity.

The exceptions have provisos inasmuch as covered entities cannot receive remuneration from third parties for marketing communications about refill reminders and medications beyond the cost of making the communication. They also cannot receive any form of remuneration for communications about alternative treatment and health care options. To do so may breach various fraud and abuse regulations such as the Anti-Kickback and Stark Law regulations.

Is There a Disclosure of PHI in the Marketing Email?

One of the most complex issues regarding the rules for HIPAA compliant email marketing is whether there is a disclosure of PHI in the marketing email or in the activity of sending a marketing email. Clearly, if a marketing email is being sent for a non-exempted purpose, and it contains PHI relating to a patient who is not the recipient of the email, it is necessary to obtain a valid HIPAA authorization from the patient whose PHI is disclosed in the email.

In cases in which marketing emails do not contain a patient’s PHI, it could be argued that no PHI is being disclosed, and the communication is not covered by the rules for HIPAA compliant email marketing. However, if (for example) a clinic sent an email to its database advising recipients of a new paid-for service being offered, it could be inferred that the email addresses of the recipients qualified as PHI because the sender of the email is a healthcare service.

Is Authorization, Consent, or Opt-In Required?

Due to uncertainties about inferred disclosures of PHI, covered entities can request a HIPAA authorization from a patient to be included in HIPAA compliant email marketing activities. Alternatively, they can request written consent or an affirmative opt-in. As mentioned previously, some states require an affirmative opt-in before patients can be contacted for any type of marketing activity. This may be in addition to a HIPAA authorization form.

With regards to consent, it is a requirement of §164.510 that consent is obtained before sending emails containing PHI to personal representatives about a patient’s health care or payment. However, if a patient initiates contact with a healthcare provider by email, HHS guidance states “the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual” and no further consent is necessary.

HIPAA Compliant Email Marketing Platforms

Unless a patient has requested email communications via a non-compliant email service, or a covered entity hosts its own email server and has configured it to comply with the safeguards of the HIPAA Security Rule, marketing emails – including those exempted by the HIPAA definition of marketing – must be sent via a HIPAA compliant email marketing platform. This is to ensure the confidentiality and integrity of PHI in transit between the covered entity and the recipient.

HIPAA compliant email marketing platforms ensure the confidentiality and integrity of PHI in transit by encrypting the content of emails so that, if they are intercepted en route to the recipient, the content is indecipherable, unreadable, and unusable. The platforms also include features such as access controls and audit logs to ensure accountability, and may also support data loss prevention policies to block inadvertent or deliberate disclosures in marketing emails.

Training Email Marketers to be HIPAA Compliant

Implementing a HIPAA compliant email marketing platform does not guarantee marketing emails will be HIPAA compliant. Workforce members also need to be trained on how to use the email marketing platform in compliance with HIPAA if (for example) a user interaction is required to encrypt emails before they are sent. It is also important that users are told not to include PHI in the subject line of marketing emails if the email metadata is not going to be encrypted in transit.

Note: Most HIPAA encrypted email marketing services only encrypt the content of emails. The email metadata – i.e., the “from”, “to” (including “cc” and “bcc”), “date”, “time”, and “subject” fields – are not encrypted, so that emails can be delivered. When email metadata are encrypted, it can delay the delivery of emails. It may also prevent email filters from determining whether emails contain spam – increasing the risk that emails are rejected or delivered to a junk folder.

Depending on the capabilities of the HIPAA compliant email marketing platform, it may be necessary to instruct members of the workforce to always use the BCC function when sending mass marketing emails and to double check the address(es) of the recipient(s). The misdelivery of emails accounts for approximately 8% of HIPAA data breaches notified to HHS’ Office for Civil Rights each year. In 2022, HHS’ Office for Civil Rights received 64,592 HIPAA data breach notifications.
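The operational points in the two sections above (content encryption but unencrypted headers, keeping PHI out of the subject line, using BCC for mass mailings, and double-checking recipient addresses) lend themselves to an automated pre-send check that a platform plug-in or a data loss prevention policy could enforce. The following Python is an added illustration, not code from The HIPAA Journal or from any email marketing platform. The opt-in register (`OPTED_IN`), the PHI keyword heuristics (`PHI_SUBJECT_PATTERNS`) and the sample messages are constructed for the example, and `check_marketing_email` and `build_message` are hypothetical helper names.

```python
import re
from email.message import EmailMessage

# Constructed sample opt-in register: addresses for which an affirmative
# opt-in (or HIPAA authorization, where required) has been recorded.
OPTED_IN = {"ana@example.com", "ben@example.org", "cara@example.net"}

# Constructed heuristics for PHI-like wording in the Subject header, which
# most platforms leave unencrypted in transit. Real deployments would tune these.
PHI_SUBJECT_PATTERNS = [
    ("medical record number", r"\bMRN\b|\bmedical record\b"),
    ("SSN-like number", r"\b\d{3}-\d{2}-\d{4}\b"),
    ("diagnosis or prescription wording", r"\b(diagnos\w*|prescri\w*|test results?)\b"),
]

# Minimal user@domain.tld shape check; deliberately stricter than RFC 5322.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _addr_specs(msg: EmailMessage, field: str) -> list[str]:
    """Return the bare addr-specs in an address header, or [] if absent."""
    header = msg[field]
    return [a.addr_spec for a in header.addresses] if header else []


def check_marketing_email(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Return policy findings for an outgoing marketing email.

    An empty list means the message passed every check below.
    """
    findings: list[str] = []
    to, cc, bcc = (_addr_specs(msg, f) for f in ("To", "Cc", "Bcc"))

    # Rule 1: mass mailings go out via Bcc so recipients cannot see each other.
    visible = to + cc
    if len(visible) > max_visible:
        findings.append(f"{len(visible)} recipients visible in To/Cc; use Bcc for mass mailings")

    # Rule 2: nothing PHI-like in the Subject header, which is not encrypted in transit.
    subject = str(msg.get("Subject", ""))
    for label, pattern in PHI_SUBJECT_PATTERNS:
        if re.search(pattern, subject, re.IGNORECASE):
            findings.append(f"Subject may contain PHI ({label}); header is not encrypted in transit")

    # Rule 3: double-check every recipient: shape, recorded opt-in, duplicates.
    seen: set[str] = set()
    for addr in to + cc + bcc:
        lowered = addr.lower()
        if not ADDRESS_RE.match(lowered):
            findings.append(f"malformed recipient address: {addr!r}")
        elif lowered not in OPTED_IN:
            findings.append(f"no recorded opt-in for {addr!r}")
        if lowered in seen:
            findings.append(f"duplicate recipient {addr!r}")
        seen.add(lowered)
    return findings


def build_message(sender: str, subject: str, body: str,
                  to=(), cc=(), bcc=()) -> EmailMessage:
    """Assemble a constructed sample message for the checker."""
    msg = EmailMessage()
    msg["From"] = sender
    for field, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            msg[field] = ", ".join(addrs)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Passes: single sender in From, everyone in Bcc, neutral subject.
    good = build_message("news@clinic.example", "New evening clinic hours",
                         "We now open until 8pm on weekdays.",
                         bcc=["ana@example.com", "ben@example.org", "cara@example.net"])
    print("good:", check_marketing_email(good))

    # Fails: three visible recipients, PHI-like subject, odd address, duplicate.
    bad = build_message("news@clinic.example", "Your test results and our new diagnostic service",
                        "Book online today.",
                        to=["ana@example.com", "ben@example.org", "eve@localhost"],
                        bcc=["ana@example.com"])
    for finding in check_marketing_email(bad):
        print("bad:", finding)
```

The check is intentionally conservative: it blocks on header fields that the note above says remain readable in transit, and it treats an address with no recorded opt-in as a finding rather than silently dropping it, so a human reviews the list before the platform sends.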

Other Considerations for HIPAA Compliant Marketing Emails

There are many other considerations for HIPAA compliant marketing emails – including when a marketing email is sent for an exempted purpose (i.e., to recommend an alternative treatment), and the email contains a form for interested parties to complete and return by email. In such cases, the HIPAA compliant email marketing platform or an appropriate plug-in must be configured to ensure the content of the returned email is safeguarded if it contains PHI.

In addition to the requirements for HIPAA compliance and state laws requiring affirmative opt-ins, covered entities must also be familiar with the requirements of the Federal Trade Commission (FTC) and Food and Drug Administration (FDA) – particularly the FTC’s CAN-SPAM Act and INFORM Consumers Act (where applicable). The FDA’s regulatory oversight applies to the marketing of dietary supplements, foods, drugs, devices, and other health-related products.

Covered entities with questions about whether their email marketing activities comply with HIPAA are advised to speak with a healthcare compliance professional. Those with questions about HIPAA compliant email marketing platforms are advised to speak with a selection of email service providers who are willing to enter into a Business Associate Agreement and who will offer a free trial of their platform to test in your own environment.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
