How To Keep Your Chiropractor Email List HIPAA Compliant

Email marketing is one of the most effective patient retention tools at your disposal. By regularly engaging with past patients via an email newsletter, you can provide them with helpful healthcare advice and encourage them to come back for additional treatment.

But before you start blasting marketing emails to your patients, you need to deal with a little thing called HIPAA compliance.

As you probably know, HIPAA exists to ensure protected health information (PHI) is only given to authorized individuals.

The advent of email communication opens a whole new gateway for unscrupulous, tech-savvy people to view the contents of emails containing PHI.

Fortunately, keeping your chiropractor email list HIPAA compliant is pretty straightforward. By following a few simple steps, you’ll be safe and sound if a compliance audit ever comes your way.

Necessary legal disclaimer: I am not a lawyer, and none of the information contained in this article is legal advice. To receive legal counsel regarding the HIPAA compliance of your emails, please consult a lawyer. 

Do chiropractor marketing emails need to be HIPAA compliant?

Before we get into the guide, I want to clear something up real quick.

There’s a belief out there that because marketing emails don’t typically contain PHI, they aren’t subject to HIPAA compliance rules.

The reality is that chiropractor marketing emails need to be HIPAA compliant ‒ even if they don’t contain PHI. 

Get permission before sending emails

Here’s what the HIPAA Rulebook says about marketing: “Any communication that meets the definition of marketing is not permitted, unless the covered entity obtains an individual’s authorization.”

As email marketing is a form of marketing, you’ll need to get prior authorization from each person on your email list before sending them promotional emails.

When patients sign up for your email list, you’ll need to notify them of a few things:

  • You need to tell them in written form that you will be sending them marketing emails. I recommend doing this in the initial welcome email they receive when they first subscribe to your list.
  • You need to tell them what kind of content you’ll be sending. As a chiropractor, this will likely include newsletter content, promotional offers, product offers, appointment reminders, and news about your practice. Again, the welcome email is an excellent place to put this.
  • You need to give them the ability to unsubscribe easily. All reputable email marketing service providers will have this, so I wouldn’t worry about it.

Now, you probably have another question: What about the emails I’ve collected over the years on patient intake forms? Do I need to contact each patient and receive direct authorization? Or can I start using these email addresses without issue?

Unless your intake form has a section explicitly asking patients whether they want to receive marketing communications, you can’t use those emails.

Your patients only gave you their email information for necessary, direct communication purposes. If they didn’t explicitly check off a box that says they’re okay with being marketed to via email, you can’t add that patient to your email list.

Use a HIPAA compliant email marketing service provider

Chiropractors and other healthcare practitioners need to be extra careful about choosing an email marketing service provider. While most U.S.-based industries only have to comply with the CAN-SPAM Act, businesses that handle PHI need to comply with HIPAA too.

Because HIPAA compliance adds an extra layer of complexity, most mainstream email marketing services don’t offer it.

For example, MailChimp ‒ one of the most popular email marketing services ‒ does not provide HIPAA compliance. They more or less state it on their Terms of Use page:

  1. Compliance with Laws

You represent and warrant that your use of MailChimp will comply with all applicable laws and regulations. You’re responsible for determining whether our Services are suitable for you to use in light of any regulations like HIPAA, GLB, EU Data Privacy Laws, or other laws. If you’re subject to regulations (like HIPAA) and you use our Service, then we won’t be liable if our Service doesn’t meet those requirements.

The main issue with Mailchimp and other noncompliant services is that they won’t sign a business associate agreement (BAA). This agreement is essential for any third party that handles your PHI. If you let a third party handle PHI without making them sign a BAA, you’re placing yourself at risk for numerous costly HIPAA violations ‒ which can range from $100 to $50,000 each, plus a risk of jail time.

I’m not trying to scare you; I only want to impress upon you how important choosing a HIPAA compliant email marketing service provider is.

Fortunately, there are numerous easy-to-use email marketing services out there. You’ll want to base your choice on the size of your email list, as the costs for more expensive services can be a bit out of budget.

Small lists

If your email list has fewer than 500 patients, I recommend using these email service providers:

  • G Suite. G Suite from Google offers HIPAA compliance ‒ including a BAA. Please note that this does not include Gmail. While Gmail is encrypted end-to-end, Google doesn’t provide BAAs for their free services.
  • Microsoft Office 365. Microsoft will also enter a BAA with you if you purchase full access to its Microsoft Office 365 package.

Medium lists

If your email list has 500 to 1,000 patients, these options are better than G Suite and Microsoft Office:

  • Clinical Contact. This email service was made specifically for healthcare providers and offers complete HIPAA compliance.
  • LuxSci. LuxSci is another web service built explicitly for HIPAA compliance. They offer more than just email marketing solutions, but their email service is nevertheless comprehensive and easy to use.

Large lists

  • Keap. Formerly known as Infusionsoft, Keap is a comprehensive business organization and automation tool that has a fully-fledged email marketing system. They are also HIPAA compliant.
  • Salesforce. Salesforce is one of the world’s most popular customer relationship management solutions. While they offer a ton of robust features that you might not need, their email marketing service is well-designed and HIPAA compliant.

Ensure marketing emails don’t contain PHI

Seasoned marketers know that testimonials are the key to a prospect’s heart. The opinion of an objective third party is far more likely to convince someone to come into your office than any marketing copy you come up with.

However, you do need to be careful about including testimonials or success stories in your marketing efforts, as these stories often contain PHI. Taking all of the precautions mentioned earlier won’t matter if you accidentally send out PHI to an unauthorized party ‒ like your entire email list.

So if you’re serious about keeping your email list HIPAA compliant, you need to make sure your emails don’t share unauthorized PHI.

If you want to share a patient success story, that’s fine, but you need to get written authorization from the patient allowing you to do so. If you don’t, you risk a HIPAA violation.

Because this is so important, I’m going to repeat it ‒ Don’t share success stories or testimonials without prior written approval.

Retain all of your emails

The HIPAA rules on retaining your email communications are a bit vague. Some doctors don’t save the marketing emails they send or the email correspondences they have with patients ‒ and that might be okay.

I think it’s best to play it safe though, especially where HIPAA is concerned.

As such, I recommend signing up for a HIPAA compliant email archiving service. A service like this will back up all of your email communications for the 6-year period that HIPAA requires you to save documentation relating to compliance efforts.

Final thoughts

The need to comply with HIPAA adds a few hurdles to chiropractic email marketing.

Compliance is pretty easy once you know what to do, though.

As long as you get permission to send emails, use a HIPAA compliant email service, and ensure your marketing emails don’t contain unauthorized PHI, you’re in the clear.

Additional Resources

HIPAA Journal: Is Mailchimp HIPAA Compliant?

Shawn Manaher
Shawn Manaher is the founder and CEO of Ignite Marketing. He's one part local business growth specialist, one part campaign strategizing ninja, and two parts leader of an awesome nerd pack. He won't eat pancakes unless you call them flat waffles.
© Ignite Marketing 2018-2019. All Rights Reserved