How can healthcare and medical businesses choose the right internal email and email marketing platforms? Well, to be honest, it just depends.
Below, your marketing experts at Oneupweb have outlined two of healthcare organizations’ most common uses for email, and the main things to keep in mind when choosing an email service provider (ESP):
Email for employee use:
Before you need to worry about HIPAA-compliant email marketing platforms you need to make sure the platform your employees use for internal company business is HIPAA-compliant and works optimally for your needs.
Three things to keep in mind when you’re looking at options:
- You need an email service that will sign a Business Associate Agreement (BAA) for HIPAA compliance. This essentially states that your service provider will accept the responsibilities for HIPAA compliance on your behalf and is essential legal coverage for your business.
- You do not want to manage storing and sending email, use a cloud email service provider that has signed a BAA. The cost of maintaining a set of email servers, securing access to the physical machines, and maintaining them is unreasonable unless you are at an impressive scale.
- You should not use email to send Personal Identifiable Information (PII) or Patient Health Information (PHI). Email without end-to-end encryption is very unsecure. Staff should be trained to direct patients to log in to a certified HIPAA-compliant patient portal if they need to share patient information electronically. Sending any PHI or PII is fine from your HIPAA-compliant account but you can’t control what the recipients do with that information, and it can live forever in someone else’s inbox.
Luckily, this is all pretty easy. Google and Microsoft both offer options that can be made HIPAA-complaint with a BAA. Both G Suite and Office 365 platforms have the ability to scale from small business to enterprise scale, and can be set up, managed and used pretty much anywhere. Using another email service provider outside of the big two leaves a potential for issues in the future.
A few other notes to consider:
- If you or your team use personal email for work, you are violating HIPAA. Always have your employees and staff use your work-approved email for professional communications. Free email services commonly use automated processing to scan emails for marketing data, and this breaks compliance.
- Device Management is key. Having your IT department quickly remove former employees’ devices and accounts from service is extremely important. Additionally, for current staff, your IT team can force devices to re-authenticate with their email and password periodically, ensuring an old cell phone or iPad doesn’t get handed to the wrong person with access to email still enabled.
- Two-factor authentication should be enabled for added security. All staff should have to use this. It requires they use an approved device to enable new devices for email, lost passwords, etc. This is a general best practice for any business and should be a requirement for companies and practitioners in the healthcare industry.
Email marketing services for your business:
Your email needs don’t stop with internal memos. When you’re searching for the right email marketing service here are some points to keep in mind:
Some key items you need to be aware of …
- You don’t want to share data between your marketing department / services and your patient health records. This not only opens up more security risks, it is too tempting to break the relevant HIPAA and ICANN spam laws.
- You need a double opt-in from patients. If a patient gives you their email address for use, even if the line on the form specifically states it’s for healthcare marketing purposes, there is a gray area when it’s attached to healthcare. They need to opt-in separately for marketing.
- Encrypt all marketing lists and make sure they do not include any PII like first name, last name, gender or age. And unless you can prove you received this information from the client separately from their health information and specifically for the purpose of marketing, you could get in trouble.
- Most major email service providers are NOT HIPAA-compliant. This includes Mailchimp, SendGrid, Constant Contact and Yesmail. A quick search will usually answer this question. HIPAA Journal has a nice ongoing list of services they have checked for HIPAA compliance.
- The good news is, you don’t need to be HIPAA-compliant for email marketing. Just make sure there is an air gap: a disconnect between your email marketing and your patient health records, and that your email lists have been created using double opt-in and remain encrypted.
This can be as easy or as hard as you want it to be. The air gap is the recommended method. If you want to market products or services to patients, exporting their email addresses only and uploading them to your email marketing platform removes the risk of PII or PHI being used inappropriately for email marketing. The double opt-in then removes the risk that patients may have felt pressured to sign up while they were receiving care.
All major email service providers will meet your relevant ICANN spam laws. What you need to ensure is that you have an email marketing list that has been opted-in separately from your health services with double opt-in and that you do not share data between patient health records and your marketing department. Other than that, simply stick to email marketing best practices.
Keep This in Mind:
When you need to send PII or PHI for any of these common reasons:
- Patient appointment reminders
- Patient care reminders, such as don’t forget messages for medication, surgery preparedness or physical therapy
- Test results
- Patient billing
… then please partner with a HIPAA-compliant patient portal with email service. Capterra can help you choose from the hundreds of companies out there to get you the features you need. If you’re searching for the right content management system for your healthcare website, we have that information, too.
When you are all set up and ready to start email marketing, let us know. Oneupweb can help you design, develop and execute an email marketing campaign that is both compliant and effective. Talk to us today.