Email Marketing

Any healthcare organization in the United States must abide by HIPAA regulations to protect patients’ protected health information (PHI). But in order to protect patient data, you need to have patients in the first place. That’s where an email marketing strategy comes in.

Email Marketing Works

Nine out of 10 internet users in the US rely on email, and many people prefer receiving brand communications via email.  The return on investment (ROI) is currently $42 for every dollar spent, which is up from $38 in 2018.  This makes sense because 59% of consumers say that email marketing influences their decision to make a purchase.

The issue for those of us in the healthcare field is the federally regulated and confidential nature of the provider-patient relationship.  Covered entities have additional restrictions and rules about how they can use email marketing, but it is a challenge worth tackling due to the incredibly high potential ROI.

Personalized Email Marketing Works Even Better

Healthcare is a competitive industry. In order to retain patients, healthcare organizations must prioritize proactive, personalized patient engagement throughout the entire patient journey.

Due to HIPAA regulations healthcare providers cannot use the standard marketing tools to send emails containing PHI.  However, personalized email marketing can be very powerful. Individualized messages perform up to three times better than generic blast emails.  By tailoring your messaging to a specific patient, you can obtain 5 to 8 times more ROI for your marketing spend.

In the healthcare field, personalizing your marketing emails can grow your business, reduce costs, and improve patient outcomes. For example, you could recommend additional tests or procedures based on a person’s risk factors to increase revenue, or you could send automatic pre-operation reminders (such as fasting before surgery) to decrease cancellations.  

Arguably both of these use cases would also save lives as they would help people receive the right treatment when they need it. Really, the sky’s the limit on uses for personalized email marketing in healthcare – but until now organization subject to HIPAA have barely been able to use it.

How to Maintain HIPAA Compliance While Taking Advantage of Personalized Email Marketing

HIPAA is no joke.  The maximum penalty is $1.5 million per year.  For a single violation, typical fines range from $100-$50,000 for each instance of wrongdoing.  In addition, your organization could be published on the US Department of Health and Human Services’ Breach Portal (known colloquially as the “wall of shame”).

To avoid potentially crushing fines and the embarrassment of being publicly called out for HIPAA indiscretions, adhere to the following guidelines when developing your personalized email marketing strategy.

  • Confirm recipients’ email addresses before you send any PHI. Send everyone on your email list a message asking them to confirm their identity before you send any marketing which includes personally identifiable information. A patient might have mistyped his or her email on your intake form. In order to avoid sending PHI to the wrong recipient, give people the chance to tell you about the mistake.
  • Use a “send from” address that is monitored by a real human. Do not send emails from “[email protected]” or any other email address that will not be read by someone on your team.  This is another way to ensure that you are emailing the right person by making it easy for someone to contact you if he or she is not the intended recipient.
  • Include an unsubscribe button. The CAN-SPAM Act of 2003 established the United States’ first national standards for sending any commercial email.  Per federal regulations, all marketing emails must include an “unsubscribe” button by default.
  • Include your physical address. The CAN-SPAM Act also requires that email marketing includes your physical postal address.
  • Sign a BAA with your vendor. If you use a third-party email marketing firm to send emails containing PHI, it must sign a business associate agreement (BAA) with you. However, in the email marketing space, most vendors will not sign a BAA, and those that will have restrictions on how you can use their services.  For example although some companies will sign a BAA, they often will not allow their customers to actually transmit any protected health information (PHI) via their platform because they do not actually secure the email messages.
  • Encrypt any and all email sent to patients which contains PHI. As a healthcare provider, you are no doubt already using a service to encrypt and send direct HIPAA compliant email to individuals, such as Paubox.  Marketing emails are beholden to the same encryption requirements, but you need to use a different tool. Since even names and email addresses can be considered personally identifiable health information, this de facto means encrypting all marketing emails. Emails must be end-to-end encrypted to guarantee that only the sender and recipient have access to the email’s contents, including in transit. In addition, any servers used to back up or store email containing PHI must be encrypted.
  • Choose the best HIPAA compliant email marketing solution. There are very few email marketing solutions available that adhere to all of these guidelines and also have a seamless recipient experience to view secure emails. That’s why the Paubox team has created our own solution, Paubox Marketing, powered by our HITRUST CSF certified Paubox Email API

Paubox Marketing lets recipients view marketing emails like regular emails without relying on out-dated portal notifications which are terrible for the recipient.  It allows you to segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant. Although you might see HIPAA as a roadblock to implementing an email marketing strategy, it doesn’t have to be.

Written by Hoala Greevy, CEO & Founder of Paubox