What is HIPAA Compliant Email Marketing?

HIPAA compliant email marketing is a complex issue. Many email marketing tools are not HIPAA compliant, so they cannot be used to market to patients. To help healthcare organizations choose the right email marketing tool, this article discusses what HIPAA compliant email marketing requires.

HIPAA Compliant Email Marketing: What Are the Rules?

Email marketing allows you to contact several patients at a time to promote your services. This can include a newsletter, email blast regarding a new product, or changes to your services. However, when sending emails to patients, you must ensure that your communications are HIPAA compliant. HIPAA compliant email marketing requires healthcare organizations to consider the following.

Patient Authorization to Receive Emails.

Before emailing patients for any reason, you must receive their consent to communicate with them in this manner. It is therefore recommended that providers have patients sign email consent forms upon becoming a patient; this allows you to send appointment reminders, newsletters, and other promotional information. However, for HIPAA compliant email marketing, patients must explicitly consent to receive marketing communications via email, which can be included as a clause within the email consent form. Additionally, patients must have the ability to opt out of marketing emails (even if they consent to receiving other forms of email communication) and to unsubscribe should they no longer wish to receive marketing emails.


Patient Authorization to Use PHI.

Patient testimonials and reviews can add credibility to your business. However, even when you have authorization to send patients email marketing communications, you need separate written consent if you want to include protected health information (PHI), such as a patient testimonial or review, in those communications.

Inform Patients of Risk.

There are instances in which you may email patients for purposes other than marketing. When using email to communicate with a patient, such as when a patient requests copies of their medical records via email, you must inform them of the risk of using email for this purpose.


HIPAA Compliant Email Marketing: Choosing the Right Vendor

Now that you understand how email can and cannot be used, we’ll discuss email vendors. Not every email marketing vendor is HIPAA compliant; in fact, many popular tools such as HubSpot and MailChimp are not. This is why it is important to assess a vendor’s HIPAA compliance before choosing it for patient emails.

Encryption.

Encryption, particularly end-to-end encryption (E2EE), is an essential component of keeping PHI safe from unauthorized use or disclosure. E2EE secures data at rest (stored data) as well as transmitted data (data being sent) by transforming it into a coded format. This coded format prevents unauthorized access to PHI, as users require a decryption key to read encrypted emails. However, it is important to note that email subject lines cannot be encrypted, so PHI should never be placed in the subject line of an email.

Business Associate Agreements.

No matter how secure an email vendor is, if they are unwilling or unable to sign a business associate agreement (BAA), they are not HIPAA compliant. An email provider is considered a business associate under HIPAA because it receives, transmits, and stores data on behalf of its healthcare clients. All HIPAA business associates (BAs) are required to sign BAAs before working with healthcare clients. A BAA dictates the security measures a BA must have in place to safeguard PHI. It also makes each signing party responsible for maintaining its own HIPAA compliance.

HIPAA Compliant Email Marketing: In Conclusion

In essence, HIPAA compliant email marketing comes down to a few key points: patients must consent to receiving email marketing communications; they must give separate consent if you’d like to include their PHI in email communications; emails must be encrypted; and email vendors must sign a BAA.
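As an added illustration (not code from the original article or from Compliancy Group), the following Python pre-send gate turns the rules above into a check a marketing system could run before each send: it refuses a message when marketing consent is missing or withdrawn, when PHI is quoted without written authorization, when PHI-like text sits in the cleartext subject line, or when no unsubscribe mechanism is present. The Consent schema, the subject-line PHI patterns and the use of the List-Unsubscribe header as the opt-out mechanism are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Consent:
    """Constructed consent record for one patient (hypothetical schema)."""
    email: str
    general_email: bool = False        # signed the general email consent form
    marketing: bool = False            # explicitly agreed to marketing email
    marketing_opted_out: bool = False  # later opted out of marketing only
    phi_use_written: bool = False      # written authorization to quote their PHI


# Illustrative patterns for PHI that must never appear in a cleartext subject line.
PHI_SUBJECT_PATTERNS = [
    re.compile(r"\bMRN\s*[:#]?\s*\d+", re.I),                         # medical record number
    re.compile(r"\b(diagnosis|prescription|lab results?|treatment)\b", re.I),
]


def marketing_send_violations(consent, subject, headers, quotes_patient_phi=False):
    """Return the rules a draft marketing email breaks; an empty list means it may be sent."""
    problems = []
    if not consent.general_email:
        problems.append("no email consent on file")
    if not consent.marketing:
        problems.append("no explicit marketing consent")
    if consent.marketing_opted_out:
        problems.append("patient opted out of marketing email")
    if quotes_patient_phi and not consent.phi_use_written:
        problems.append("patient PHI used without written authorization")
    if any(p.search(subject) for p in PHI_SUBJECT_PATTERNS):
        problems.append("PHI in unencrypted subject line")
    # Opt-out must stay available: assume the List-Unsubscribe header carries it.
    if "List-Unsubscribe" not in headers:
        problems.append("no unsubscribe mechanism in headers")
    return problems


def demo():
    """Run the gate over two constructed patients and return their violation lists."""
    ok_headers = {"List-Unsubscribe": "<mailto:unsub@clinic.example>"}
    alice = Consent("alice@example.com", general_email=True, marketing=True)
    bob = Consent("bob@example.com", general_email=True, marketing=False)  # general email only
    return {
        "alice": marketing_send_violations(alice, "Spring wellness newsletter", ok_headers),
        "bob": marketing_send_violations(bob, "Your lab results and our new clinic", {}),
    }


if __name__ == "__main__":
    print(demo())
```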
