Email marketing is one of the most effective channels for dental and medical practices to stay connected with patients. But you can't send the same content you'd send through a regular business email. HIPAA puts strict limits on what patient information can appear in marketing emails and which platforms you can use. This guide clarifies what's allowed and how to set up compliant email marketing.
What Is PHI in Email Marketing
PHI (Protected Health Information) is any patient information that identifies the patient and relates to their health or treatment. In the context of email marketing, PHI includes:
- Patient names
- Medical record numbers or patient IDs
- Dates tied to the patient: date of birth, appointment dates, treatment dates (under HIPAA every date element except the year is an identifier)
- Diagnoses or health conditions (e.g., "Because you have diabetes...")
- Treatment information (e.g., "Your recent root canal")
- Appointment details (date, time, and the procedure booked)
Email addresses are often assumed to be harmless on their own, but that is a mistake. An email address is one of the 18 HIPAA identifiers, and a list of addresses that belongs to your practice reveals that each person on it is your patient, which is itself health information. Treat your patient mailing list as PHI: the address is the contact channel, but the fact that it sits on your patient list is the data being protected.
What You Can Send in Marketing Emails
You can send marketing emails that provide value without disclosing the recipient's health information. Safe marketing emails include:
- Appointment reminders: these are treatment communications rather than marketing, but keep them to date and time ("You have an appointment Tuesday at 2 PM") with no procedure named, and send them from a system covered by a BAA
- Treatment recommendations (general, not tied to the patient's specific condition)
- Service promotions and new treatment offerings
- Seasonal reminders ("Time for your annual checkup")
- Insurance benefits and payment plan information
- Educational content (general health tips, not patient-specific)
- Birthday and anniversary greetings (without revealing why they're a patient)
The key is that the email should be usable by anyone, not just the specific patient. If someone else opened the email, they shouldn't learn anything about the recipient's health status.
What You Cannot Send
Never send marketing emails that include specific PHI:
- "Hi Sarah, your dental implant is ready for pickup" (reveals specific treatment)
- "Because you suffer from anxiety, we offer sedation dentistry" (reveals diagnosis)
- "Your teeth whitening appointment is ready" (reveals specific patient concern)
- Patient testimonials with names and health details, unless the patient signed a written HIPAA authorization for that use
- Medical records or health history documents
The safest approach: if the email reveals anything about the patient's health, medical history, or specific treatments, don't send it through a marketing email platform. Use a secure patient portal or direct communication channels instead.
Pro tip
Test each template by reading it as if a stranger were looking over the recipient's shoulder. If that stranger would learn the recipient's health status, diagnosis, or specific treatment, the template is not compliant. Rephrase it until it is generic.
Consent and Opt-In Requirements
Even if your email doesn't contain PHI, you still need proper consent to send marketing emails:
- Affirmative consent: have patients explicitly opt in to marketing emails rather than opting them out. Where a marketing message uses PHI (for example, promoting a service based on a patient's history), HIPAA requires a signed, revocable authorization, not just a checkbox.
- Easy unsubscribe: every marketing email must include a clear unsubscribe link (a CAN-SPAM requirement), and opt-outs must actually be honored.
- Records: keep documentation of when and how each patient consented, and when they withdrew consent.
When patients sign your patient agreement or fill out your intake form, include separate checkboxes: one for appointment reminders and one for promotional emails. Do not bundle them, because treatment communications must not be conditioned on agreeing to marketing. Make the marketing checkbox optional, not mandatory, and record the consent in your practice management system.
Email Platform Setup and BAAs
Your email marketing platform must have a signed BAA if it will hold your patient list. Because the list itself is PHI, that applies even before you attach appointment history, treatment type, or patient notes.
Setup best practices:
- Request a BAA from your email platform before signing up. If they don't offer one, find a HIPAA-aware alternative.
- Don't include patient identifiers in your email list segments or audience tags. Segment only on non-PHI data (e.g., "interested in cosmetic dentistry" is safe; "has crown treatment pending" is not).
- Don't store patient health data in custom fields. Many email platforms allow custom fields for segmentation. Don't use them for medical information.
- Move patient lists only over encrypted channels. Uploads and downloads should go through the platform's HTTPS interface or SFTP, never as an email attachment, and the platform account should require multi-factor authentication with access limited to the staff who actually send campaigns.
- Review the platform's data retention policy. After you stop using the platform, they should delete your patient data within a set timeframe.
Even a bare list of email addresses with no health fields attached is a list of your patients, so a BAA is required whenever the platform stores it. Request the BAA before the first upload, not after.
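The "read it over a stranger's shoulder" test above and the rules on segments and custom fields can both be automated as a pre-send gate. The following is an added example written for this guide, not code from any email platform: it assumes a template that uses {{field}} merge tags and an audience export in CSV form, both constructed here for illustration. It flags merge fields and audience columns that are not on an allowlist of contact-only data, scans the template body for phrases that tie the recipient to a diagnosis or procedure, checks for an unsubscribe link, and refuses rows with no documented consent date. The phrase list is a constructed starting point; extend it from your own procedure list.

```python
"""Pre-send PHI check for a marketing template and its audience export.

Added example for this guide. Assumed conventions (not from the page):
merge fields are written {{name}}; the audience export is a CSV whose
header row names the segmentation fields.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Merge fields a marketing template may use: contact data only, never clinical data.
ALLOWED_MERGE_FIELDS = {"first_name", "practice_name", "practice_phone", "unsubscribe_url"}

# Audience columns / segment tags that carry no health information.
# "interest_cosmetic" is a marketing preference, not a treatment record.
ALLOWED_AUDIENCE_FIELDS = {"email", "first_name", "consent_date", "consent_source", "interest_cosmetic"}

# Constructed phrase patterns that tie the recipient to a procedure or diagnosis.
HEALTH_TERMS = [
    r"\byour (\w+ ){0,2}(root canal|implant|crown|filling|extraction|whitening)",
    r"\b(because|since) you (have|suffer|were diagnosed)",
    r"\b(diagnos|condition|anxiety|diabet|periodont)",
    r"\bis ready for pickup\b",
]

MERGE_FIELD = re.compile(r"\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}")
UNSUBSCRIBE = re.compile(r"unsubscribe", re.IGNORECASE)


@dataclass
class Finding:
    where: str   # "template" or "audience"
    detail: str


def check_template(body: str) -> list[Finding]:
    """Return every reason the template is not safe to send; empty list means clean."""
    findings: list[Finding] = []
    for m in MERGE_FIELD.finditer(body):
        name = m.group(1)
        if name not in ALLOWED_MERGE_FIELDS:
            findings.append(Finding("template", f"merge field {{{{{name}}}}} is not on the allowlist"))
    for pattern in HEALTH_TERMS:
        for m in re.finditer(pattern, body, re.IGNORECASE):
            findings.append(Finding("template", f"health-revealing phrase: {m.group(0)!r}"))
    if not UNSUBSCRIBE.search(body):
        findings.append(Finding("template", "no unsubscribe link"))
    return findings


def check_audience(csv_text: str) -> list[Finding]:
    """Flag PHI columns in the export and contacts with no recorded consent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings: list[Finding] = []
    for col in reader.fieldnames or []:
        if col not in ALLOWED_AUDIENCE_FIELDS:
            findings.append(Finding("audience", f"column {col!r} is not on the allowlist"))
    # Row numbers count the header as line 1, matching what a spreadsheet shows.
    for line_no, row in enumerate(reader, start=2):
        if not row.get("consent_date"):
            findings.append(Finding("audience", f"row {line_no}: no documented consent date"))
    return findings


def is_safe_to_send(template: str, audience_csv: str) -> bool:
    return not check_template(template) and not check_audience(audience_csv)


# Constructed samples: one template/export pair that fails and one that passes.
BAD_TEMPLATE = (
    "Hi {{first_name}}, your dental implant is ready for pickup. "
    "Because you suffer from anxiety, ask about sedation. {{last_procedure}}"
)
GOOD_TEMPLATE = (
    "Hi {{first_name}}, it's time for your annual checkup at {{practice_name}}. "
    "Call {{practice_phone}} to book. To stop receiving these emails, unsubscribe here: {{unsubscribe_url}}"
)
BAD_AUDIENCE_CSV = (
    "email,first_name,consent_date,last_treatment\n"
    "sarah@example.com,Sarah,2024-03-01,root canal\n"
    "pat@example.com,Pat,,crown\n"
)
GOOD_AUDIENCE_CSV = (
    "email,first_name,consent_date,consent_source,interest_cosmetic\n"
    "sarah@example.com,Sarah,2024-03-01,intake form,yes\n"
)

if __name__ == "__main__":
    for label, tpl, aud in (("bad", BAD_TEMPLATE, BAD_AUDIENCE_CSV), ("good", GOOD_TEMPLATE, GOOD_AUDIENCE_CSV)):
        print(f"{label}: safe={is_safe_to_send(tpl, aud)}")
        for f in check_template(tpl) + check_audience(aud):
            print(f"  [{f.where}] {f.detail}")
```

Run it as a step in whatever process exports the audience and pushes the campaign; a non-empty findings list should block the send rather than just warn. The allowlist approach matters more than the phrase list: a new custom field or merge tag is rejected by default until someone consciously decides it carries no health information.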
Common Mistakes to Avoid
Compliance mistakes we see practices make:
- Personalizing emails with patient names combined with treatment information. Instead, use first name only in generic templates.
- Using patient feedback or testimonials without explicit written authorization, or without removing identifying details.
- Managing the patient list in a consumer email account (a personal Gmail or Outlook.com mailbox) with no BAA, instead of a platform that has signed one.
- Forgetting to include unsubscribe links on every email.
- Not documenting patient consent before adding them to mailing lists.
The simplest approach: keep marketing emails generic and educational, request proper BAAs from your vendors, document consent, and always make unsubscribing easy. Combine this with reputation management strategies and paid advertising to build a comprehensive patient acquisition strategy that doesn't rely on PHI in marketing emails.
Frequently Asked Questions
How long does this typically take to implement?
For most practices, 2 to 6 weeks depending on current setup and resources available.
What if my practice is small?
These strategies work for all practice sizes. Start with the highest-priority item and build from there.
Do I need professional help?
Some tasks require professional expertise. Start with what you can do, and hire specialists for technical items.
What is the ROI?
Most practices see ROI within 3 to 6 months if done correctly. Patient acquisition cost drops and patient retention improves.
How do I measure if this is working?
Track metrics relevant to each strategy. Use Google Analytics, your PMS, and call tracking to measure impact.
What if I do not have budget for this?
Many of these strategies are free or low-cost. Start with free tools and tactics, then invest in paid solutions as revenue allows.
How often do I need to update this?
Most strategies require quarterly reviews. Some, like reviews and content, benefit from ongoing attention.