3 Keys to Keeping your Healthcare Marketing Emails Compliant

email marketing complaince

Healthcare compliance penalties cost organizations millions in 2015. While most of these incidents involve direct breaches of patient data, healthcare compliance covers a wide range of topics, and marketing, in particular, is a cause of concern for many healthcare companies. From paid search to social media, we’re launching a series on how to keep your organization compliant in an era of increasing liability.

Compliance in email marketing

As a key introduction to this series, we’re covering a primary area of importance: email marketing. We have outlined three essential areas where standards need to be met and compliance maintained before hitting that send button on your next patient email.

#1: HIPAA Compliance

For organizations that are a HIPAA-covered entity, there are six email security provisions that must be in place to protect sensitive patient information:

  1. Access Control—Unique usernames and passwords for each employee’s account within your organization
  2. Person or entity authentication—Strict access control within your organization for who can access patient information, including data that is encrypted both during transmission and storage
  3. Integrity—A process to prevent third parties from accessing, altering or destroying patient data
  4. Transmission security—SSL-based encryption for any patient data transmitted out of your network
  5. Audit controls—A system to produce a detail login audit trail for those who access patient data, including date, time and IP address of each login and a record of all sent and received messages
  6. Patient Sign-Ups—Patient sign-ups for items such as email newsletters must be received and recorded electronically—never add a patient to a mail list based on a verbal commitment during an appointment, etc.

The common thread here is strict access, encryption and the ability to audit. There are two ways to go about this: the first is to develop your own secure, encrypted email service. The other is to select a HIPAA-compliant email service provider. Keep in mind that developing a system internally means that you are accepting responsibility for keeping all patient data secure.

Once data security is in place, you must also consider the message contained within each email. The message must be informational and generic, as opposed to a direct sell targeted to a specific symptom or disease. For example, avoid this type of message: “Get your diabetic testing supplies here.” Instead, this message is better: “Do you know someone who may be interested in diabetic testing supplies?”

#2: Federal Trade Commission Regulations

In addition to healthcare-specific rules, there are also the regulations that apply to other forms of email marketing. The CAN-SPAM Act is enforced by the Federal Trade Commission, and each separate email violation is subject to penalties of up to $16,000.

Here are some of the compliance issues that must be part of your email strategy to maintain adherence to CAN-SPAM:

  • You can send an email to a recipient if there has been a business transaction between both parties.
  • You must not use false or misleading header information in the email.
  • The subject line must accurately reflect the content of the message.
  • The message must be clearly identified as an advertisement.
  • Recipients must know where your business is located, including a valid physical postal address.
  • The message must include opt-out instructions that are clear and easy to understand.
  • There must be a process in place to ensure that opt-out requests are handled within 10 business days of receipt and this process must be active for at least 30 days after a message is sent.
  • Opt-out requests cannot include a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending the initial reply email or visiting a single web page.
  • Lists of those who have opted out cannot be sold or transferred to a third party, except a company that has been hired to help you maintain CAN-SPAM compliance.
  • Finally, you must ensure that a third party that you hire to help you maintain compliance is in fact adhering to every tenant of the law.

#3: Medicare Compliance

You can only email a Medicare beneficiary if that person agrees to receive emails from the plan or an agent. Permission to receive emails must not be obtained by an unaffiliated third party.

Any emails that you send to a Medicare beneficiary need to include a double opt-in process.

Never email beneficiaries based on purchase lists or a refer-a-friend type program. Mass emails should not be sent and all emails should include the disclaimer: “This is an advertisement.”


The information we’ve shared is by no means comprehensive and is not intended as legal advice. We encourage to review HHS, FTC and Medicare guidelines for more information.

For a free audit of your healthcare marketing email process, contact us to get started. 

0/5 (0 Reviews)

Subscribe to the Blog