Reader Question Bag: When Do HIPAA Rules Apply to Healthcare Email Marketing?
Today, let’s look at a question I recently received from one of my readers about how the nitty-gritty of HIPAA (the Health Insurance Portability and Accountability Act) interacts with email marketing for a behavioral health practitioner.
My reader, Veronica, wants to know if she can run a non-HIPAA compliant campaign to gather leads for future marketing for her mental health private practice once she pivots to telehealth from a traditional private practice.
Let’s dig in.
Veronica’s Question About HIPAA Compliant Email Marketing
I loved your blog post on HIPAA compliant email marketing. It got me thinking and raised a number of questions for me. I'm building a mental health private practice and would love to grow an email list that could afford me the opportunity to pivot to telehealth opportunities or online groups in the future. The problem I have is with my understanding of how to apply HIPAA compliant practices in growing my list.
For example, if I have a blog with free content and create a lead magnet that encourages visitors to sign up, am I responsible for protecting their name/email information? ....Or, is that responsibility only in place if I ask current patients to be on a mailing list? ....And then, to complicate matters, if I create a list that is through an offer on my website and then patients also want to join that list, does that change my responsibility to protect identifying information in the list?
Am I making sense?
Would love guidance!
My Response to Veronica’s Question
Yes, Veronica, you are making sense! Thank you for your question.
Obligatory legal disclaimer: I'm not a lawyer, so I always recommend folks check with their attorney before any undertaking.
However, my non-legal opinion is that the answer to your question is yes: any information about a person that a healthcare provider obtains (whether or not that person is actually a paying patient) is personal health information (PHI) and is therefore subject to the HIPAA rules around PHI.
My reason goes to the definition of PHI itself.
It Comes Back to the Definition of PHI
Section 1171 of Part C of Subtitle F of the Health Insurance Portability and Accountability Act of 1996 states that:
“Health information means any information, whether oral or recorded in any form or medium, that–
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
Whew! Still with me?
What I’m seeing here is that:
You are a “healthcare provider”...
...the PHI (name, email address, the fact that they are contacting you, or signing up for emails regarding mental health) might be used for "future provision of health care to the individual"...
…therefore it means that HIPAA would apply to you in this instance.
If it were me, I would err on the side of caution and conduct my email campaign as though it needed full HIPAA compliance given what I’ve outlined above. That means no get-out-of-HIPAA-free card just because your list doesn't technically contain active patients.
Bummer, I know.
BUT! The good news is, sending HIPAA compliant emails is not too difficult or costly to do!
Running a HIPAA Compliant Email Marketing Campaign is Actually Pretty Straightforward
In a nutshell, there are a few things you want to keep in mind:
Make sure your ESP (email service provider) offers a BAA (business associate agreement)
Encrypt your emails (this is usually automatic if you’re using an ESP with a BAA)
Use transparent best practices when creating opt-in forms (so your leads know what to expect)
Avoid the use of personal identifiers (AKA don’t personalize the campaign!)
Finding an ESP with a BAA isn’t tricky; many of the leading email platforms will enter into a BAA with you: G Suite, Office 365, and Mailchimp all come to mind as excellent choices here. Email encryption should be an automatic feature of any of these providers.
Using best practices when building your list means being clear in the opt-in form about how frequently you intend to email the lead and exactly what kind of goodies they can expect in their inbox if they do take the plunge and give you their contact information.
The final layer of protection you’ll want to add to your juicy HIPAA compliant emails is a blanket depersonalization of the email: that means you’ll have to ignore all the marketing advice to personalize your email campaigns with identifiers like name, age, location, and condition. Taking any of these extra steps is a no-no in the HIPAA compliant email marketing world.
Was Veronica’s Question Helpful to You?
It’s natural to be anxious about whether or not your email marketing is HIPAA compliant. After all, the penalties for screwing this one up are huge. If you’d like help crafting your HIPAA compliant email marketing campaign, let me know. I do consulting for folks looking to build their behavioral health businesses through safe, sustainable email marketing.
Why not reach out for a free 15-minute consultation? After learning more about your unique situation, I draw up a no-obligation custom quote for your project. I’ve helped many addiction treatment and behavioral health providers with HIPAA compliant email marketing and I can help you, too!