Email marketing is one of the most effective patient retention tools at your disposal. By regularly engaging with past patients via an email newsletter, you can provide them with helpful healthcare advice and encourage them to come back for additional treatment.
But before you start blasting marketing emails to your patients, you need to deal with a little thing called HIPAA compliance.
As you probably know, HIPAA exists to ensure protected health information (PHI) is only given to authorized individuals.
The advent of email communication opens a whole new gateway for unscrupulous, tech-savvy people to view the contents of emails containing PHI.
Fortunately, keeping your chiropractor email list HIPAA compliant is pretty straightforward. By following a few simple steps, you’ll be safe and sound if a compliance audit ever comes your way.
Necessary legal disclaimer: I am not a lawyer, and none of the information contained in this article is legal advice. To receive legal counsel regarding the HIPAA compliance of your emails, please consult a lawyer.
Before we get into the guide, I want to clear something up real quick.
There’s a belief out there that because marketing emails don’t typically contain PHI, they aren’t subject to HIPAA compliance rules.
The reality is that chiropractor marketing emails need to be HIPAA compliant ‒ even if they don’t contain PHI.
Here’s what the HIPAA Rulebook says about marketing: “Any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization.”
As email marketing is a form of marketing, you’ll need to get prior authorization from each person on your email list before sending them promotional emails.
When patients sign up for your email list, you’ll need to notify them of a few things:
Now, you probably have another question: What about the emails I’ve collected over the years on patient intake forms? Do I need to contact each patient and receive direct authorization? Or can I start using these email addresses without issue?
Unless your intake form has a section explicitly asking patients whether they want to receive marketing communications, you can’t use those emails.
Your patients only gave you their email information for necessary, direct communication purposes. If they didn’t explicitly check off a box that says they’re okay with being marketed to via email, you can’t add that patient to your email list.
Chiropractors and other healthcare practitioners need to be extra careful about choosing an email marketing service provider. While most U.S.-based industries only have to comply with the CAN-SPAM Act, businesses that handle PHI need to comply with HIPAA too.
Because HIPAA compliance adds an extra layer of complexity, most mainstream email marketing services don’t offer it.
For example, MailChimp ‒ one of the most popular email marketing services ‒ does not provide HIPAA compliance. They more or less state it on their Terms of Use page:
You represent and warrant that your use of MailChimp will comply with all applicable laws and regulations. You’re responsible for determining whether our Services are suitable for you to use in light of any regulations like HIPAA, GLB, EU Data Privacy Laws, or other laws. If you’re subject to regulations (like HIPAA) and you use our Service, then we won’t be liable if our Service doesn’t meet those requirements.
The main issue with Mailchimp and other noncompliant services is that they won’t sign a business associate agreement (BAA). This agreement is essential for any third party that handles your PHI. If you let a third party handle PHI without making them sign a BAA, you’re placing yourself at risk for numerous costly HIPAA violations ‒ which can range from $100 to $50,000 each, plus a risk of jail time.
I’m not trying to scare you; I only want to impress upon you how important choosing a HIPAA compliant email marketing service provider is.
Fortunately, there are numerous easy-to-use HIPAA compliant email marketing services out there. You’ll want to base your choice on the size of your email list, as the more expensive services may be beyond your budget.
If your email list has fewer than 500 patients, I recommend using these email service providers:
If your practice has 500 to 1,000 patients, these options are better than G Suite and Microsoft Office:
Seasoned marketers know that testimonials are the key to a prospect’s heart. The opinion of an objective third party is far more likely to convince someone to come into your office than any marketing copy you come up with.
However, you do need to be careful about including testimonials or success stories in your marketing efforts, as these stories often contain PHI. Taking all of the precautions mentioned earlier won’t matter if you accidentally send out PHI to an unauthorized party ‒ like your entire email list.
So if you’re serious about keeping your email list HIPAA compliant, you need to make sure your emails don’t share unauthorized PHI.
If you want to share a patient success story, that’s fine, but you need to get written authorization from the patient allowing you to do so. If you don’t, you risk a HIPAA violation.
Because this is so important, I’m going to repeat it ‒ Don’t share success stories or testimonials without prior written approval.
The HIPAA rules on retaining your email communications are a bit vague. Some doctors don’t save the marketing emails they send or the email correspondence they have with patients ‒ and that might be okay.
I think it’s best to play it safe though, especially where HIPAA is concerned.
As such, I recommend signing up for a HIPAA compliant email archiving service. A service like this will back up all of your email communications for the 6-year period that HIPAA requires you to save documentation relating to compliance efforts.
The need to comply with HIPAA adds a few hurdles to chiropractic email marketing.
Compliance is pretty easy once you know what to do, though.
As long as you get permission to send emails, use a HIPAA compliant email service, and ensure your marketing emails don’t contain unauthorized PHI, you’re in the clear.