HIPAA Compliant Email Marketing Tools - What are you using?

Posted by Anna Carrion @annamariecarrion, Wed, Jun 19 12:39pm

Is anyone using email marketing tools to email patients? And if so, which ones? Our Patient Family Advisory Committee has said they want to receive updates about our EMR tool via email. Although we aren't sending any ePHI to the patients, we are using their emails and want to be careful about what we're using.

Thanks for the question, Anna. Are you using an email tool for other purposes in the hospital beyond communicating on EMR? Or will this be a new initiative for you? I'm tagging a few members to ask if they'll share their current email management tool – and address any concerns about email and HIPAA or PHI. @emilybacheller @andrewmcglothlen @jshellenberger @katiewhitt @staceybiggs

REPLY
@DanHinmon

Yes and no. We have a few departments using their own preferred tools from CreateSend to Active Campaign. But our IS is pushing to have all external emails be through a HIPAA compliant tool because we never know if that user is already a patient – both of those tools aren't. Their concern is mostly from a data security standpoint and since an email is technically considered ePHI, they want to take as much precaution as possible.

REPLY
@annamariecarrion

From research I've done, Constant Contact is one of the few email marketing platforms that offer a HIPAA compliant business agreement.

REPLY

I suspect your attorneys or compliance people need to weigh in on the definition of ePHI. For example, if you have a patient advisory council who just wants to "receive updates about our EMR tool via email", although their emails should be kept private for other reasons, I am not sure that specific email list needs to be covered because of HIPAA; however, if your organization is doing a newsletter about HIV, then that email list may need to be.

I think this brings up a very difficult and interesting question: To what extent does any/every email relationship with a healthcare organization need to be covered by HIPAA? Do patients who join advisory councils for healthcare organizations need to give explicit consent that their relationship to the hospital will be made public, or is that already implied?

Anyway, interesting thread. Look forward to reading the responses of people who know a lot more than me.

REPLY