The Three Commandments of HIPAA Compliant Email Marketing


Figuring out how to do email marketing is hard enough, but add in this HIPAA stuff, too, and a lot of my clients—whether they are running sober living houses, detox centers, or treatment centers—start completely freaking out. 

If you're anything like them, you might be freaking out, too. 

They quickly go from: "How do I send good emails?"

To: "OMG HIPAAAAA! How do I not screw up and bankrupt my company over email marketing?!?! AHHHH!!!!"

this cat is really freaked out about HIPAA compliant email marketing


Deep breaths.

Chill, folks. 

You CAN send effective, killer emails to leads without bringing the vengeful HIPAA gods down on you. I do it all the time. 

Obligatory legal disclaimer time! Please note that I am NOT a lawyer, I'm a humble copywriter with a degree in Literature and certifications in Email Marketing, Content Marketing, and SEO Copywriting from Portland, OR. Nothing I say here constitutes legal advice. Please talk to an actual lawyer to make sure you are getting your HIPAA compliance right. 

Moving on...

First, what is HIPAA and why does it matter in Email Marketing?

HIPAA stands for the Health Insurance Portability and Accountability Act.

It governs all health care providers—I'm looking at you, addiction treatment professionals!—who deal in electronic records. HIPAA was made into law in 1996 and governs how we use Electronic Health Records (EHRs), Facebook, emails, texts—basically anything that could involve digital transmission of PHI (protected health information). 

Get into HIPAA compliance now... or pay for it later 

this is what happens when you don't send HIPAA compliant emails


It's important to stay on the right side of HIPAA because violators are subject to hefty, hefty fines. Currently, HIPAA violators can be fined up to $1.5 million per year. That's $1.5 million per violator, per year.

For a single violation, fines typically range from $100 to $50,000 for each instance of wrongdoing.


Good news, though: Getting fined is pretty rare, especially around here. I'm proud to say that never once have I had any problems with HIPAA over one of my emails. Why? Because I do my research and stay abreast of changes—so my clients don't have to worry about it now, or ever.

The bottom line? I’ve studied this topic a lot! Today I'm going to share those juicy HIPAA compliant email marketing secrets with you.

HIPAA Compliant Email Marketing Commandment #1— Encrypt your emails!

In order to stay in compliance, all emails you send to leads and patients absolutely must be encrypted.

(not that kind of encryption)


Encryption is a technical process that happens through your email service provider (ESP), and most ESPs will do this for you automatically. Make sure yours does.

There are a ton of HIPAA compliant ESPs out there, but before we get to that, here are a few ESPs that are not HIPAA compliant:

  • Regular Gmail

  • Regular Outlook

  • Apple Mail

  • Yahoo

Don't use these for email marketing if you want to stay on the right side of HIPAA compliance! You’ve been warned.

Here are a few of my favorite ESPs that are HIPAA compliant for email marketing:

These are safe bets.

Note that GSuite is HIPAA compliant and Office 365 has an option to make emails encrypted, so it counts as HIPAA compliant, too. Infusionsoft, SalesForce, Mailchimp, and AgileCRM are all good options, too. If you want to get even fancier with it, there are ESPs designed especially for health care settings, like Clinical Contact and Spotlight Mailer. These are your go-to ESPs if you like specialty programs designed for your industry.

Overwhelmed with the options? I don’t blame you. Paul Potter has a great piece on how to pick a HIPAA compliant ESP if you need help deciding on an ESP. 

I’m not sure if my ESP is HIPAA compliant: BAAs and HIPAA Compliance

What should you do if your ESP isn’t on this list and you want to know if it is HIPAA compliant?


Check if your ESP has something called a BAA, short for “Business Associate Agreement.”

these people are smiling because they have a BAA for their HIPAA compliant ESP


All HIPAA compliant ESPs have BAAs. BAAs are legal documents that basically ensure that if there is a HIPAA hiccup with the ESP, the ESP is responsible for the fall-out—not you. That means that if something goes wrong, your ESP will be in the hot seat but you’ll walk away unscathed. ESPs with BAAs have skin in the game, so they are invested in making sure that their services are 100% HIPAA compliant.

Your best bet? Search your ESP’s Help Desk documentation for a BAA or give them a call and ask a rep about their BAA. If the rep doesn't know what you're talking about, run.   

HIPAA Compliant Email Marketing Commandment #2—Just don't be shady, OK?

Here's the thing: People need to know that they are signing up for email marketing when they are forking over their contact information to you.

Don't trick your leads into signing up for email marketing 

hoodie man tricks people into signing up for email marketing - don’t be that guy


Remember: Marketing is relationship building. Deception is a bad way to start off a relationship. Especially in the addiction treatment world, with all the negative press around shady marketing practices, it's SUPER important to keep all your marketing activities well above-board.

Don't be shady and just start surprising leads with email marketing messages. Tell them what's happening as it’s happening.

Let’s say you have a contact information collection form on your website—great. Put a few words near the call to action on the contact collection form telling your leads how you’ll be using their email address. I like something simple, like:

“You’ll be receiving occasional, useful emails from us. If you don’t find them helpful, you can opt-out at any time.”

“Keep an eye out for our killer monthly newsletter! No spam, period.”

I sometimes like to add:

“Thanks, we respect your privacy. We never share your information with anyone.”

The whole idea is to just give your leads and/or patients an idea of what type of content you'll be sending and how often. Be as specific as you can.

Avoid using the phrase, "email marketing" when possible 

I tend to advise against "email marketing" as a phrase on the contact collection form because, well, it's kinda off-putting.

No one likes to be "sold to" and if you are doing it well, it shouldn't feel like marketing at all, right? You've done your research on inbound marketing, so you are always careful to make sure your email marketing feels useful, timely, informative, friendly—but never sale-sy. 

I always cringe when I see things like, “Yes! I’d like to receive marketing emails from XYZ company!,” in forms.

Does anyone click that?

HIPAA also requires that you make it easy to unsubscribe from your email marketing list

There’s one other piece to being a non-shady, HIPAA compliant email marketer and that’s always giving the people on your list the option to unsubscribe.

bye bye disengaged email marketing list subscribers


Towards the bottom of your emails, always include an unsubscribe link so unhappy subscribers can bail. HIPAA compliant ESPs like Mailchimp do this for you automatically so you don’t have to think about it every time you send an email—which means it will happen every. single. time. you send an email to one of your marketing lists.

HIPAA approves. 

HIPAA Compliant Email Marketing Commandment #3 - Resist the urge to personalize!

Good email marketers always personalize their messages when they can. Automatically adding the first name or some other relevant data point to an email makes it much more effective—and useful—for leads.

That rule doesn’t apply in HIPAA compliant email marketing.

this is way too much personalization for a HIPAA compliant email marketing campaign, ok?


Including information like name or segmenting lists by attributes like drug of choice, location, treatment preference, and so on will be very tempting, but don't do it if you want to steer clear of HIPAA violations. 

Why can’t you personalize HIPAA compliant email marketing campaigns?

All of the information you would use in your personalization is considered PHI. PHI can't be used anywhere except in a patient’s chart, and it especially can’t be used in HIPAA compliant email marketing.

Think about it: If that email wound up in the wrong hands, you would be aiding in some serious privacy violation. Not only can that ruin lives, it can anger the HIPAA gods and cause your business' reputation and checkbook some serious harm. You don't want any of that. 

Keep emails general in tone and never, ever include any personal identifiers. 
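Commandment #2 (always ship an unsubscribe link) and commandment #3 (no personalization, no segmenting on PHI-like attributes) are both things you can check mechanically before a campaign goes out. The linter below is an added example written for this post; it is not code from the author or from any ESP. It assumes two common merge-tag syntaxes (`{{first_name}}` and `*|FNAME|*`), an assumed allow-list of unsubscribe tag names, and an assumed list of field-name fragments that hint at PHI; the two sample templates are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Merge-tag syntaxes common in ESP templates: {{first_name}} (Handlebars style)
# and *|FNAME|* (Mailchimp style). Both patterns are assumptions for this demo.
MERGE_TAG = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}|\*\|([A-Za-z0-9_]+)\|\*")

# Merge tags that are list hygiene, not personalization. An unsubscribe link is
# required, so these are the only tags a marketing template should carry.
UNSUBSCRIBE_TAGS = {"unsubscribe_url", "unsub", "list_unsubscribe"}

# Hand-typed unsubscribe link, for templates that do not use a merge tag.
UNSUBSCRIBE_LINK = re.compile(r"https?://\S*unsubscribe", re.IGNORECASE)

# Field-name fragments that suggest a personal identifier or a health attribute.
# Assumed list; extend it with your own ESP's field names.
PHI_HINTS = ("name", "phone", "address", "dob", "birth", "drug", "substance",
             "diagnos", "treatment", "location", "city", "state", "insur", "ssn", "mrn")


def flag_phi_fields(field_names):
    """Return the field names that look like PHI, in order, without duplicates."""
    flagged = []
    for name in field_names:
        key = name.lower()
        if any(hint in key for hint in PHI_HINTS) and name not in flagged:
            flagged.append(name)
    return flagged


@dataclass
class LintResult:
    personalization_tags: list = field(default_factory=list)  # every non-unsubscribe merge tag
    phi_like_tags: list = field(default_factory=list)         # the subset whose names look like PHI
    has_unsubscribe: bool = False

    @property
    def is_safe(self) -> bool:
        # Commandment #3: no personalization at all; commandment #2: an unsubscribe link.
        return not self.personalization_tags and self.has_unsubscribe


def lint_template(template: str) -> LintResult:
    """Check one outbound marketing template before it goes to a list."""
    result = LintResult()
    for match in MERGE_TAG.finditer(template):
        tag = match.group(1) or match.group(2)
        if tag.lower() in UNSUBSCRIBE_TAGS:
            result.has_unsubscribe = True
        elif tag not in result.personalization_tags:
            result.personalization_tags.append(tag)
    if UNSUBSCRIBE_LINK.search(template):
        result.has_unsubscribe = True
    result.phi_like_tags = flag_phi_fields(result.personalization_tags)
    return result


def check_segment(segment_fields):
    """Segment filters live in the ESP, not the template, so check them separately."""
    return flag_phi_fields(segment_fields)


# Constructed sample templates (not from the post).
SAFE_TEMPLATE = """Subject: Meet our new clinical director

Hi there,

This month we welcomed a new staff member to the team. Read the full story on the blog.

Don't want these emails? Unsubscribe: {{unsubscribe_url}}
"""

RISKY_TEMPLATE = """Subject: {{first_name}}, your program at *|LOCATION|* starts soon

Hi {{first_name}},

Because you asked about our detox program, here is what to expect next week.
"""

if __name__ == "__main__":
    for label, tpl in (("safe", SAFE_TEMPLATE), ("risky", RISKY_TEMPLATE)):
        r = lint_template(tpl)
        print(f"{label}: safe={r.is_safe} tags={r.personalization_tags} "
              f"phi_like={r.phi_like_tags} unsubscribe={r.has_unsubscribe}")
    print("segment:", check_segment(["signup_month", "drug_of_choice", "state"]))
```

The check is deliberately strict: any merge tag that is not an unsubscribe tag fails the template, because the post's rule is "no personalization", not "no PHI-looking personalization". The `phi_like_tags` list just tells you which of the flagged tags would be the worst offenders. `check_segment` exists because segmentation by drug of choice or location happens in the ESP's audience settings, where a template scan would never see it.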

Here are some examples of messages that can easily be made HIPAA compliant:

  • A welcome email

  • Introducing a new treatment center

  • Introducing a new treatment method

  • Introducing a new staff member

  • Updating subscribers on news relating to treatment in their state

  • Updating subscribers on a new insurance partnership

  • Sharing a "best of" round-up of blog posts

As you can see, HIPAA compliant marketing emails are basically regular email marketing messages at the end of the day. Leave out the personalization and you’ll be golden.

Still have questions about HIPAA compliant email marketing?

this dog still has a lot of questions about HIPAA compliance. good boy.


Your best bet? Schedule a free 15 minute consultation with me to see if I can answer those questions for you. Again, I’m not a lawyer (links to those guys below!) but I can answer general questions about HIPAA compliance.

Got bigger problems or just want to dig a little deeper into HIPAA compliant email marketing? Here are some places to start:

These lawyers specialize in HIPAA compliance. You probably want to ring them up if you are wading through an active violation—whether the violation is email marketing related or not.

Here’s a good summary of the HIPAA Privacy Rule straight from the source—the US Department of Health and Human Services. I don’t recommend DIY-ing your way through HIPAA compliance, but if you’re just looking for a quick introduction to HIPAA, this is a good one to check out.

Here’s another good introduction to the concept of HIPAA compliance by OnlineTech.

Still not sure if your email marketing is violating HIPAA privacy laws? Check out this checklist to see how your marketing stacks up against HIPAA expectations.

Interested in HIPAA compliant email marketing for a private practice focused on addiction treatment? You’re not alone. Check out this super-helpful article especially designed for folks in private practice.

Are you itching to report an email marketing-related HIPAA violation? You can do that here.

Finally, I’ve talked about HIPAA compliance elsewhere in this blog. Check out: 5 Tips for HIPAA Compliant Addiction Treatment Marketing or my post on email marketing: Crazy Email Marketing Stats for Rehab Marketing.

HIPAA Compliant email marketing is within your grasp

c’mon tiny human! almost there…just reach for it!


Phew! That was a lot of information!

I hope you found this helpful in your quest for effective, compliant email campaigns. Good job doing your due diligence on this one. Those who don’t just kick themselves later so congratulate yourself for having the foresight and wisdom to investigate this now—before you get hit with a violation.

Now that you’ve taken it all in, does all of this seem like too much to figure out by yourself?

No worries—you’re not alone. A lot of my clients choose to work with me specifically because I get HIPAA compliant email marketing. I specialize in marketing for addiction treatment professionals, but these same principles can be applied to any business entity covered under HIPAA laws. Everyone, from mental health providers to physicians in private practice, can benefit from HIPAA compliant email marketing.

Imagine—I can take this whole messy concern off your plate and start sending killer emails for your business right away. That would probably feel pretty good, right?

Check out my services page to learn more about the kinds of smart, cost-effective marketing solutions I offer.



Erin Gilday