Be Safe, not Sorry: HIPAA-Compliant Email Marketing for Private Practice
Ready to email your patients? Make sure you've taken these HIPAA precautions before you launch your first digital marketing campaign.
Few tech inventions have endured the way email has. We’ve been checking our virtual inboxes for decades, and the basic concept hasn’t really evolved—you send emails; you get emails. According to this email marketing stats infographic, 95% of online consumers use email, and 91% of them check their accounts once a day. If we surveyed those email-checkers, they’d probably tell us that the bulk of their received messages look a lot like the snail mail taking up the most space in their physical mailboxes: offers, ads, and junk. But that’s not a bad thing—not if those marketing plays work, anyway. Another stat on the email marketing stats infographic: For every $1 spent on email marketing, businesses get a $44.25 average return on investment. So, if you’re not doing it already, you should probably add email to your clinic’s marketing toolkit. For good measure, here are a few more convincing reasons:
- It’s relatively cheap to do, with very little upfront investment. Many email marketing tools have free or low-cost plans based on the number of emails sent—and such packages are ideal for small businesses.
- It’s easy. Most email marketing programs have turnkey templates to quickly get you started with things like newsletters.
- It allows you to maintain relationships with patients and create brand awareness (think monthly newsletters, holiday cards, and birthday notes).
Convinced? Perfect. Now, before you get started crafting a winning email marketing strategy, it’s crucial you establish a compliant foundation. Yes, I’m talking about HIPAA. Unfortunately, that’s all it takes to cause many providers to shy away from email marketing altogether. But I just convinced you that email marketing is a great way to engage patients and drive sales. So, what to do? Well, the key to HIPAA-compliant email marketing is getting permission.
Before I launch into my HIPAA advice, allow me to issue a blanket CYA: While I’m quite experienced in researching, deciphering, and writing about HIPAA rules and regulations—as well as the associated legalese—I am not a lawyer, nor do I have any HIPAA certifications. So please, if you have specific questions about HIPAA rules, regulations, and laws, feel free to ask them in the comments section below—but be advised, I may recommend (scratch that, I am recommending) that you speak to a legal professional or certified compliance expert (like Rick Gawenda of Gawenda Seminars or Tom Ambury of the PT Compliance Group).
Furthermore, keep in mind that we’re talking about email marketing. So, leave the PHI out of it, and stick to communication that is appropriate and relevant to large groups of readers—like sharing great content that speaks to, say, a segment of patients who are runners or a segment of patients who participate in aquatic therapy. Part of that content might involve promoting your clinic’s wellness services or upcoming events. Remember, the rules for sending PHI via email are far more strict than those governing other types of patient-provider email communications. As LuxSci states:
- Any service—as well as its associated web interface—that you use for composing, sending, monitoring, and managing these messages and their corresponding campaigns must have a signed HIPAA Business Associate Agreement with you.
- The messages you send must be secure and encrypted in transit to every recipient.
Still, the HIPAA rules around marketing—especially since the introduction of the 2013 HIPAA omnibus ruling—are murky at best. (LuxSci boils it down like this: “If [the emails] are generic marketing or informational materials that are sent out to a wide array of people...not PHI. If they are more specific like ‘suggested rehab plans’ or ‘test results’ or ‘appointment followup surveys or information,’ then they will probably be PHI.” See what I mean about murky?) That’s why, rather than deconstruct the rules on a case-by-case basis, I recommend that you simply include a marketing communications opt-in form as part of your intake packet. That way, there’s no question as to whether you can use your patients’ email addresses for marketing purposes.
Within the form, clearly explain the types of communications you will send. If patients hesitate to opt in, explain how those communications will benefit them. And if patients still choose not to opt in, respect that decision and don’t press the issue. After they become more comfortable with you and your practice, you could always bring it up again later. For example, if during treatment you mention a wellness event that your clinic is hosting, and the patient seems interested in attending, you could mention that you plan to send out an invitation to your email list—and ask if they’d like to opt in.
On the flip side, you are actually legally required to provide a clear avenue for your opt-ins to unsubscribe at any time. Unsubscribe links typically appear at the bottom of any marketing communications. You absolutely must—and I cannot emphasize this point enough—comply with any unsubscribe requests you receive.
In addition to an opt-in form, I recommend verifying that your email software vendor understands HIPAA and works with you to ensure compliance. Also, check out the HIPAA-compliant email marketing advice from Etna Interactive. Finally, remember that the email addresses you collect are considered PHI. Thus, you must handle them accordingly. That means no selling or disclosing them unless expressly allowed under HIPAA law.
Now that you’re hip to HIPAA, it’s time to ignite your email marketing efforts. HIPAA requires a lot of precautions, but you shouldn’t completely shelve email out of fear. Take the necessary precautions—like you do for everything involving HIPAA—and reap the benefits of email. It’s better to be safe—and put in whatever legwork you need to make it work—than to avoid it altogether and be sorry you missed out on potential business.