Although HIPAA appears to allow many types of email marketing in healthcare, concerns exist that emailing a marketing communication about a healthcare service or product implies a treatment relationship between a patient and HIPAA covered entity. As email addresses and subject lines are not encrypted in most email transmissions, this could represent an unauthorized disclosure of PHI.
With the exception of face-to-face communications, the HIPAA Privacy Rule does not permit HIPAA covered entities to use or disclose Protected Health Information (PHI) in a marketing communication without a valid authorization from the subject of the PHI. However, when you review the definition of marketing in §164.501 of the HIPAA Privacy Rule, many types of marketing communications are excluded from the definition. These include:
- Refill reminders and communications about medications and medical equipment currently prescribed for the individual.
- Appointment reminders and other notifications regarding provider-to-patient treatments sent directly to the patient.
- Communications regarding case management or care coordination that do not fall within the definition of treatment.
- Recommendations for alternative treatments, therapies, healthcare providers, or care settings (subject to Anti-Kickback laws).
- Descriptions of health-related products or services provided by a healthcare provider or included in a plan of benefits.
The list of exceptions suggests that many types of marketing communications in healthcare are allowed by HIPAA, even when PHI is disclosed in the content of the communication. However, whereas the HIPAA Privacy Rule covers all types of PHI, when communications are transmitted electronically (for any reason), the HIPAA Security Rule applies – and this can have an impact on when HIPAA allows email marketing in healthcare.
The HIPAA Security Rule’s General Requirements
The HIPAA Security Rule’s General Requirements (§164.306(a)) include that HIPAA covered entities and business associates must ensure the confidentiality, integrity, and availability of electronic PHI, protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule.
In the context of whether HIPAA allows email marketing in healthcare, this means that even though the HIPAA Privacy Rule permits disclosures of PHI in certain marketing communications, additional safeguards must be implemented when those communications are sent by email to ensure the confidentiality of electronic PHI. In many cases, encrypting the body of a marketing email alone is not sufficient to ensure that confidentiality.
This is because PHI is health, treatment, or payment information and any identifying information maintained in the same designated record set. A permitted marketing communication sent via the US Postal Service only displays identifying information (i.e., the recipient’s address) and not PHI, whereas an email displays the sender’s email address, the recipient’s email address, and the nature of the communication (i.e., the subject line) because email metadata is not encrypted.
How Does This Impact Email Marketing in Healthcare?
When a healthcare organization sends a marketing email via a HIPAA compliant email service, the email travels from the healthcare organization’s email client or browser to its email service provider’s servers. From there the email is forwarded to a server maintained by the recipient’s email service provider, where it remains until the recipient logs into the email account and the marketing email is downloaded to the recipient’s email client or browser.
If the subject line of the email implies a treatment relationship between the sender of the email and the recipient, the recipient’s email address qualifies as PHI. As the recipient’s email address is transmitted in plain text during its journey from the healthcare organization’s email client to the recipient’s email client, it could represent an unauthorized disclosure of PHI if the email is intercepted in transit or while waiting on the recipient’s email service provider’s server.
For this reason, precautions must be taken with email marketing in healthcare to limit the amount of information in the subject line of a marketing email so a treatment relationship between the sender and the recipient cannot be implied. For example, subject lines could read “Appointment Reminder” rather than “Dentist Appointment Reminder” or “Recommendations Following Your Visit” rather than “Recommendations Following Your Hospital Visit”.
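The subject-line rule above lends itself to an automated pre-send check. The following is an added example, not code from the original article: a small screening function that flags specialty, facility, condition and procedure terms in a subject line and proposes a generic rewrite, using the article's own "Dentist Appointment Reminder" and "Hospital Visit" cases. The term lists are constructed starting points (assumptions), not an official HIPAA list; an organisation would maintain its own and keep it under compliance review.

```python
"""Pre-send screening of marketing email subject lines.

Added example (not code from the original article). It applies the
article's advice: keep treatment-implying terms out of the subject line,
because addresses and subject lines are readable by every mail relay and
by anyone who intercepts the message, even when the body is encrypted.
The term lists are constructed and illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# Constructed deny-list categories; not an official or complete list.
TREATMENT_TERMS: Dict[str, List[str]] = {
    "specialty": ["dentist", "dental", "oncology", "cardiology",
                  "psychiatry", "psychiatric", "ob/gyn", "fertility"],
    "facility": ["hospital", "clinic", "emergency room"],
    "condition": ["diabetes", "cancer", "hiv", "depression", "pregnancy"],
    "procedure": ["surgery", "chemotherapy", "x-ray", "mri", "biopsy"],
}


@dataclass
class Finding:
    """One treatment-implying term found in a subject line."""
    category: str
    term: str


def _compile(terms: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, Pattern]]]:
    # Whole-word, case-insensitive matching; re.escape keeps "x-ray" literal.
    # Lookarounds rather than \b so terms with "/" or "-" still match cleanly.
    return {
        category: [
            (t, re.compile(r"(?<!\w)" + re.escape(t) + r"(?!\w)", re.IGNORECASE))
            for t in term_list
        ]
        for category, term_list in terms.items()
    }


_PATTERNS = _compile(TREATMENT_TERMS)


def screen_subject(subject: str) -> List[Finding]:
    """Return every treatment-implying term present in the subject line."""
    findings: List[Finding] = []
    for category, pairs in _PATTERNS.items():
        for term, pattern in pairs:
            if pattern.search(subject):
                findings.append(Finding(category, term))
    return findings


def is_subject_safe(subject: str) -> bool:
    """True when the subject line carries no term from the deny list."""
    return not screen_subject(subject)


def suggest_generic(subject: str) -> str:
    """Remove flagged terms and collapse the whitespace they leave behind.

    'Dentist Appointment Reminder' -> 'Appointment Reminder'
    """
    result = subject
    for pairs in _PATTERNS.values():
        for _, pattern in pairs:
            result = pattern.sub("", result)
    return re.sub(r"\s{2,}", " ", result).strip()


if __name__ == "__main__":
    # Constructed sample subject lines, including the article's examples.
    for line in ["Appointment Reminder",
                 "Dentist Appointment Reminder",
                 "Recommendations Following Your Hospital Visit",
                 "Your MRI results and oncology follow-up"]:
        found = ", ".join(f"{f.category}:{f.term}" for f in screen_subject(line))
        print(f"{line!r}: {'OK' if not found else 'FLAGGED (' + found + ')'}"
              f" -> {suggest_generic(line)!r}")
```

The check is deliberately conservative in one direction only: whole-word matching means derived forms such as "cardiologist" slip past a list entry of "cardiology", so the deny list needs stems or variants added as they are seen, and a flagged result should route the subject line to a human reviewer rather than being silently rewritten.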
Distinctions such as these can make the difference between email marketing in healthcare being allowed by HIPAA and email communications representing unauthorized disclosures of PHI. Healthcare organizations concerned they may impermissibly be disclosing PHI in marketing emails are advised to seek independent compliance advice and, if changes are required to marketing policies, be sure to include the policy changes in HIPAA training.