Is your email database compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

This is one of the most frequent questions we hear in our conversations with hospitals. For healthcare marketers, this is a valid concern since HIPAA is closely monitored and comes with strict penalties that can result in millions of dollars in fines.

Distinguishing between the types of information needed for an email campaign is the first step in determining whether HIPAA compliance is applicable when partnering with an email database provider.

Defining Personally Identifiable Information (PII) and Personal Health Information (PHI)

Is DMD HIPAA compliant?

Two categories of information come into play with regards to HIPAA compliance. PII includes items like name, social security number, email address, and physical address. PHI encompasses information that can be associated with an identified individual—essentially one’s medical records—and may include things like diagnoses and treatment recommendations.

Prior to HIPAA’s implementation in 1996, there was no generally accepted set of security standards or requirements for protecting health information in the healthcare industry. With the evolution of technology, such as electronic health records (EHR) and computerized physician order entry (CPOE), it became apparent that government intervention would be required to protect patients’ PHI. For this reason, HIPAA was passed by Congress to regulate the transfer of medical information and to set new standards for the management of healthcare data.

However, sometimes the lines between the content of the email and the email itself get blurry.

The Intersection of PHI and Email

HIPAA covers the handling and transfer of PHI—by covered entities (hospitals, clinics, labs) to third parties—but does not address specific channels such as email. If an organization uses email to send PHI, such as a diagnosis or a treatment plan, then that email would have to comply with HIPAA guidelines. However, if the email does not contain PHI about an identified individual, then it does not have to comply with HIPAA guidelines. The point is that the email address of a patient is not governed by HIPAA, but rather the content of that email.

For example, any email communication sent to consumers which contains educational or marketing content does not have to comply with HIPAA guidelines, such as announcing a new department, welcoming a new doctor, or providing an update on the flu vaccine. That content is not considered PHI.

Prior to HIPAA, there was no security standards for protecting health information in the healthcare industry

Similarly, any identifiable information, such as name or email address, is not considered PHI and therefore is not governed by HIPAA.  An online newsletter signup that collects name and email address—but no specific health information—does not have to comply with HIPAA.

Setting the Record Straight

So, back to the question at hand: Is DMD’s email database HIPAA compliant?

The answer is: Email addresses themselves are not governed by HIPAA laws. Because of this, marketers do not have to consider HIPAA compliance when deciding on a provider of email addresses. When buying email addresses, the more important considerations are the source of the emails (i.e. how they were obtained) and whether a third party has verified that the proper opt ins have been obtained.

Notably, DMD’s email address database is compliant with relevant data privacy regulations, thanks to our strict adherence to rigourous consent management. We are already meeting the requirements set forth for the recently adopted data privacy law in California and are staying abreast of movements towards a federal data privacy standard.

Rest assured, when partnering with DMD, you'll receive the highest quality email data that is authenticated, verified by a third-party audit, and 100 percent compliant with current law and industry standards.