HIPAA allows email marketing only when the communication does not use or disclose protected health information, or when a valid HIPAA authorization from the individual permits the use or disclosure. The HIPAA Privacy Rule's limited marketing exceptions do not cover remote email marketing communications.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information for marketing. Marketing involves communications that encourage the recipient to purchase or use a product or service. When a marketing email uses protected health information or is sent to a list that itself reveals a health condition, treatment relationship, or payment relationship, the communication is regulated and typically requires the individual’s written authorization that meets HIPAA Privacy Rule requirements for authorizations.
HIPAA Privacy Rule exceptions that permit certain marketing communications without authorization are limited. The HIPAA Privacy Rule includes exceptions for face-to-face communications and for promotional gifts of nominal value, which do not apply to email marketing. Communications that fall outside the HIPAA Privacy Rule definition of marketing, such as certain treatment communications and certain healthcare operations communications, can be sent without marketing authorization when they meet the conditions for exclusion and any applicable limits related to remuneration.
The refill reminder category is treated differently from marketing when it fits the HIPAA Privacy Rule exception for refill reminders or other communications about a drug or biologic currently prescribed to the individual and any financial remuneration received is limited to an amount reasonably related to the cost of making the communication. This exception is narrow and does not convert general promotional campaigns into permitted communications.
Email marketing also requires control of how recipient information is handled. Email addresses can be protected health information when they identify an individual and are maintained in connection with healthcare or payment, and a group recipient list can itself disclose that individuals receive services from a specific provider or program. Bulk delivery methods that expose recipient addresses to other recipients (for example, listing every address in the To or Cc field instead of sending individually or via Bcc) can create an impermissible disclosure even when the message content is generic.
If a vendor sends marketing emails on behalf of a HIPAA Covered Entity or Business Associate and the vendor creates, receives, maintains, or transmits protected health information for that service, the vendor functions as a Business Associate and requires a Business Associate Agreement. The email platform and related services also need safeguards under the HIPAA Security Rule when electronic protected health information is created, stored, or transmitted in the campaign workflow.
A compliant determination for email marketing requires a documented review of whether protected health information is used or disclosed, whether the message meets the HIPAA Privacy Rule definition of marketing, whether an exception applies, and whether a valid authorization is obtained and retained when required.