This is for General Information! We are not Attorneys
We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about getting HIPAA compliant online reviews for our clients based only on our experience. Please do not construe this as legal advice.
Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.
Email Has Value As Part Of A Marketing Plan
Why bother having email in your marketing plan at all? Well, there’s a lot of value to having email in it. Here are a few examples:
- Remind patients of important dates, like appointments, rescheduling, etc.
- Send out important information to patients and referral sources, such as announcing that you have flu vaccines, that you have new treatments you’re offering, that there’s an upcoming event you’re hosting or sponsoring, and so on.
- Send out fun information, like happy birthdays to your patients, happy holidays, health awareness days, weeks, months, and so on, that keep patients engaged in the practice.
There Are A TON Of Choices In Email Marketing Services
The company logos here are far from the full list of choices.
They have different features, benefits, price points, ease of use, customer support, etc.
Just make sure that you compare them and choose the best option for your practice. One of the requirements you have is that your email service has to be HIPAA compliant.
Email Services Require PHI To Do Their Job Effectively For You
In order to do all this good stuff, email services need a certain amount of information about your patients, which can include PHI. All email services are going to require at least an email address. Some also require a name. And when you put those two together, an email address and a name, right there you’ve got PHI.
Sometimes practices will put in more information about patients into their email system. For example, if you want to send a birthday email to each of your patients, you have to add your patients’ birth dates. It’s common also to include the address and phone number. All told, this is PHI and it has to be protected in ways that comply with HIPAA standards.
Ugh! Do You Really Have To Protect These Data That Much?
It’s just email. Can bad things really happen? Well, like I said before, you’re going to be storing PHI and transmitting it (i.e. sending emails) and both have to be done in a HIPAA compliant way.
Exposure is Enough
Another consideration is exposure. Representatives who work for each of these email service providers in departments like customer support and tech support typically have login access to your account where you’re storing your patient information. Why do they have login access? Because they need to get inside of your account to see what’s going on in order to fix a problem. Right there, they can see PHI. But even if you never ask them to look in your account, and even if they never need to look in your account, they have the ability to look. That’s exposure, and exposure is enough to qualify as needing to comply with HIPAA standards.
How Do You Tell If You’re Using a HIPAA Compliant Email Service?
Generally speaking, two things have to be true:
- They sign a BAA with you
- They talk the talk
Signing a BAA
BAA stands for business associate agreement. BAAs are required by HIPAA. They’re very dense legal documents. They can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:
- What’s required of you as the Covered Entity
- What’s required of the Business Associate (your marketing agency or an online forms provider, for example). If you’re using a marketing agency and they are using a third party forms company, you need to have a separate BAA with both of them.
- How each of you stores it
- How each of you protects it from theft and loss
- How each of you transmits it
- What happens if there’s a breach, God forbid: which party does what, how long they have, who pays for what, and who’s responsible
- Much more
With a BAA in place, the Office for Civil Rights (OCR) is much happier. OCR is the federal agency that will investigate a breach or conduct an audit. There are usually state agencies as well.
They Talk the Talk
The other broad category of things that you want to see is that they talk the talk. They use appropriate wording on their website or their materials like:
- encrypted systems
- log in to get your data
- secure storage
- HIPAA compliant website forms or HIPAA compliant online forms
You don’t have to see all of these terms. But you want to see terms that at least sound like these. Inside each term are more specific descriptions of how they do each one, not to great levels of detail, but they give you some assurances that they’ve thought this through and that they’re doing these things.
What If You Can’t Tell If It’s HIPAA compliant?
If you’re going to do it on your own, start easy. Go to their website, go to the homepage, scroll down to the bottom, look for their privacy policy or their terms, or both, click on them, open it up and scan. You’re looking for the words “HIPAA compliant” or “HIPAA.” If they say they are, great. If they don’t, then either call them yourself, or even easier, go to whoever developed your website and ask them. Usually whoever built your website also plugged in the forms and designed the forms for you. They’ll at least know who they’re using, and then you can ask them to research it, or they can give you the name and you can do it yourself. But one way or the other, we really do think you ought to find out if the online forms provider that you’re using is HIPAA compliant.
What If Your Email Marketing Service Is Not HIPAA Compliant?
We can see four options for you.
- Keep using the service but stop sharing PHI with it. It’s okay to use a service, email or otherwise, that is not HIPAA compliant as long as you do not share PHI with them.
- Get a BAA in place. Maybe the service is HIPAA compliant but you don’t have an executed BAA in place with them. In that case, either sign their BAA or give them yours to sign.
- Stop including email in your marketing plan. If the service you’re using isn’t HIPAA compliant and you feel you must share PHI in order to do the emails you want, then an option is to stop doing email altogether. If you stop, you can’t share PHI.
- Switch to an email service that is HIPAA compliant.
Take our Free HIPAA Marketing Assessment
Marketing and HIPAA can and do overlap. If this topic has made you wonder, even a little bit, about your practice’s marketing and HIPAA compliance, our PracticeCare® HIPAA Digital Marketing Assessment can help you get started to figure it out.
It’s free and takes about 10 to 15 minutes. It’s a series of questions that cover what we know are the more common areas where digital marketing and HIPAA can overlap. It’s designed to be a good start to help you see if you have any gaps in your HIPAA compliance with respect to digital marketing and then some ideas of what you can do. Once you fill it out and submit it, we will send your assessment right away.