3 Levels of HIPAA-Compliant Email Marketing For Nonprofit Providers

“Is sending this email worth a $50,000 fine?”

Many nonprofit health providers ask themselves this question, highlighting the risk of email marketing in healthcare. It’s not just a financial problem, either.

Trying to research HIPAA compliance for email marketing is like falling down the rabbit hole in Alice in Wonderland. For every question you answer, there are five more—until you get up from your desk confused about where you are and what time it is.

It frustrates me to observe this because your patients deserve a level of personalized care and communication that’s modern, effective, and tailored to their preferences.

Let’s talk for a minute about the opportunity that personalized email marketing offers nonprofit providers and the three investment levels you might take with this communications channel.

The risks and rewards of HIPAA-compliant email marketing

The risks of HIPAA violations are well-documented. You can face maximum fines of up to $1.5MM if you frequently and intentionally violate HIPAA guidelines without correcting your behavior.

While 99.99% of nonprofit providers will certainly not be violating HIPAA guidelines egregiously enough to get slapped with that kind of fine, you still face penalties of anywhere from $100-$50,000 per incident, even if you were not aware of the violations.

On the other hand, the benefits of email marketing are undoubtedly compelling. I have written previously about the exciting opportunities I see in marketing automation for advocacy, education, and fundraising. 

On a more fundamental level, email marketing has both a low cost of entry and high potential ROI. 

Overall stats peg it at a $42 return for every $1 invested. Health nonprofits can expect to raise $58 for every 1,000 emails they send, on top of gaining more clients and increasing their lifetime value.

Recent trends from MailChimp also point to an increase in email engagement after COVID-19. Nonprofits saw an average of a 50% increase in email click rate on April 14, 2020, compared to their historical average.

From a long-term perspective, there is also tremendous potential to personalize emails to the patient journey to improve the quality of care, retain clients, and build stronger relationships with those you serve.

However, because of HIPAA concerns, email marketing in the healthcare space is miles behind other industries—and in some cases, nonexistent.

Here are the levels of the email marketing ladder for nonprofit providers, as I see them.

Level 1: One-size-fits-all

If you want to do entry-level email marketing at your nonprofit provider, here’s your HIPAA groundwork:

1. Make sure you get explicit consent from patients to receive marketing communications from you.
2. Eliminate all personal health information (PHI) from your email marketing software aside from the person’s email address (including names, if possible).
3. Ensure your staff has training on the handling of PHI for communications (i.e., don’t upload anything but the email address to your marketing software, no segmenting the list by their medical condition).

These steps will allow you to send one-size-fits-all email campaigns to your entire list. Most of you are probably doing this already, but it’s worth repeating.

Of course, the problem with one-size-fits-all emails is that your marketing communications are wholly oblivious to whatever is happening inside that individual’s journey. Blasting out generic email campaigns can be ineffective at best, and tone-deaf at worst.

To personalize, you need personal information. But things get trickier when you start to add PHI into the equation, such as names or medical conditions.

Level 2: Personalizing with PHI

To move to the next level, you need an email provider willing to sign a BAA (Business Associate Agreement) with you. Paubox has a list of email providers who will sign a BAA. 

However, in the fine print of most of these agreements, you can’t send emails that include PHI. Many agreements only cover the storage of the data “at rest” on the provider’s platform.

There are several HIPAA-compliant email providers, but most of them make a recipient log into a portal to view communications. This friction strips away most of the convenience benefits of email marketing.

Paubox seems to be the notable exception to this rule. They will sign a BAA with you and allow you to send emails that include PHI without requiring recipients to log into a portal. (We have no affiliation with them, in case you’re wondering.)

Level 3: HIPAA-compliant marketing automation

The “ultimate” email marketing solution for nonprofit providers is a marketing automation platform such as Salesforce Marketing Cloud or Mautic (open source) configured to send emails through a Paubox integration.

For more thoughts on how you might use marketing automation, check out our list of ideas for advocacy, education, and fundraising.

In summary, the three levels on the email marketing ladder for nonprofit providers are:

1. You send one-size-fits-all emails to a list of only email addresses.
2. You send personalized emails to a list containing PHI using an email provider such as Paubox that’s willing to sign a BAA.
3. You configure fully automated email sequences via Salesforce or Mautic marketing automation and send through Paubox.

What should I do if I’m at level one?

Most nonprofit providers will be at the first level of this ladder—and not likely to move anytime soon.

Being stuck at level one begs the question, “Is there anything I can do right now to improve my email marketing?”

The good news is that, with some creativity, you can pseudo-personalize your PHI-devoid email list.

Here are two ideas to consider:

Idea #1: Use your EHR system to direct patients or clients to external resources on your site, such as an educational email series or PDF download you’ve created. 

Have patients enter their email address, and then tag them in your email marketing system as accessing that resource. As long as it is specific enough (e.g., diet tips, techniques for coping with anxiety), you can segment your list by the resources they downloaded without directly including PHI.

Once you have those segments in place, you can use them to craft more tailored emails to individual audience groups without importing PHI.

Idea #2: Send a one-size-fits-all email, but include resources personalized to different audience segments. 

At the very least, you will be providing more tailored resources to the individuals on your list.

As I alluded to in the first idea, you can also use what people click on to assign broad “interest” tags, allowing you to segment and send more specific emails based on the resources they consume.

The more you use subscriber behavior to track and segment, the more I suggest using an email provider that will, at minimum, sign a BAA for data at rest (such as ActiveCampaign or Constant Contact). That will help protect you in case your tags and segments get too close to PHI-land.

All told, it’s easy to lose sight of the forest for the trees when researching email marketing and HIPAA compliance.

However, remember that email marketing provides an untapped opportunity to provide more personalized care and build relationships with your patients.

Use it wisely and reap the benefits.