We’re not sure why, but recently we have been receiving a flurry of inquiries about email marketing and HIPAA privacy rules. The common thread with these questions: Are physical therapists who use email marketing services (like the one included with PT Referral Machine service packs, which you may be using) violating HIPAA?
It seems that many practitioners who want to implement email marketing have been avoiding it because they are concerned about HIPAA. Our review of the HIPAA requirement is below, but first we want to share a story to whet your appetite for exploring the potential revenue stream sitting in your email list – it’s literally tens of thousands of dollars with almost no cost.
In a meeting earlier this week a client shared his most recent email marketing success. One of his patients who was discharged more than a year ago was having trouble with his arm, but wasn’t thinking about physical therapy or consulting his therapist. Then he received an educational email from the physical therapy clinic, and a “lightbulb” went on. When he saw his physician he told him, “I am going to go to my physical therapist to get this fixed. They have advanced methods for treating stuff like this,” quoting directly from the email. Intrigued, the doc asked him to have the therapist send him details on these advanced methods and gave the patient his personal email to give to the therapist.
That one new referral relationship has the potential to add tens of thousands of dollars to his bottom line. Imagine if that happens just once or twice a month. If you are sending good strategic content out with the right frequency, it’s not only likely this type of result will happen consistently, it’s highly probable.
Imagine what that means in lost revenue when you sit on the sidelines worrying about a HIPAA problem that may not exist…
Now the skinny on the HIPAA myth:
NOTE: This is our business opinion based on our 14 years of healthcare marketing, research, and legal consultation.
When using your patient email addresses you do not need to worry about HIPAA violations under the following conditions:
The definition of “Protected Health Information” is pretty broad, and can even go down to IP addresses on the internet, but the act is also fairly clear on permitted uses. Email messages to patients about your services seem to be clearly permitted. PT Referral Machine fulfillment of that email also seems to be permitted under the definition of “Business Associates.” The act also seems to leave some room for each practitioner’s ethical judgment; PTRM subscribers should know that we do not share, sell, or disclose any patient lists. We do not send any communication to your list without your express approval (hence the dashboard approval process). Your emails are designed with the intention of being used as part of your healthcare operations, promoting compliance and awareness of the other health-related information and services that you offer.
Further, our understanding of HIPAA Permitted Uses and Disclosures is as follows:
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
(1) To the Individual (unless required for access or accounting of disclosures);
(2) Treatment, Payment, and Health Care Operations;
(3) Opportunity to Agree or Object;
(4) Incident to an otherwise permitted use and disclosure;
(5) Public Interest and Benefit Activities; and
(6) Limited Data Set for the purposes of research, public health or health care operations.
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
Under the HIPAA privacy rule, 45 C.F.R. § 164.506(a), the standard is as follows:
(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) [relating to psychotherapy notes] and (3) [relating to marketing], a covered entity may use or disclose protected health information for treatment, payment, or health care operations . . . provided that such use or disclosure is consistent with other applicable requirements of this subpart.
“Covered entities” include business associates of covered entities. In turn, “business associate” is defined in relevant part as any entity that:
“Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.”
The PT Referral Machine service is clearly provided in connection with consulting, management, and administrative operations, so on that basis alone our opinion is that the disclosure is authorized without consent.
Please note, however, that state-level privacy laws that are more protective than HIPAA are not preempted by HIPAA. So, it will be important to examine the relevant state law as well.
If the HIPAA question has been standing in your way, maybe it’s time to experience the business-building potential of a PTRM Free Trial.