Last week, we looked at some keys to staying compliant when text messaging with patients. As a quick follow-up, it made sense to also provide a few tips on email compliance. As patients are less and less likely to want phone calls, more communications need to be done using text and email.
While the TCPA applies to text messaging, CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) generally applies to email. CAN-SPAM is fairly easy to follow, but there are a few requirements you’ll want to be aware of when sending email messages, including:
- Do not use false or misleading headers
- Include a clear opt-out mechanism
- Honor opt-out/unsubscribe requests within 10 days
- Do not use deceptive subject lines
- Include the sender’s valid physical address
While it’s not a requirement to get express consent to send out marketing emails under CAN-SPAM, it may be a requirement under HIPAA. But it depends on what “marketing” you are doing. You must have patient authorization or consent before sharing protected health information or patient lists with third parties for their own purposes or for which you receive direct or indirect remuneration. In these instances, you would need express authorization or consent from patients in order to send marketing emails related to these activities.
However, you do not need to get patient authorization or consent under HIPAA if you are “marketing” the following directly to your patients (HIPAA excludes these activities from its definition of marketing):
- Communications describing your own health-related products or services or products or services that you provide directly to your patients
- Communications made for the treatment of the individual
- Communications for the case management or care coordination of the individual, or made to direct or recommend alternative treatments