
Sensitive Data Email Standards

Discover How to Remain HIPAA Compliant With Each Data Exchange & Email Interaction
Securing Sensitive Data

HIPAA Compliant Emailing Best Practices

HIPAA eCommerce typically sends transactional emails to users. These include order confirmations, product recommendations, expiration reminders, prescription subscription notices, and medical device sales. There are also recall notices and updates a doctor makes on the user's behalf through the site. Overall, there are many events a user may need to be notified about.

However, all of these transactional notifications must be handled properly or they will violate HIPAA. The most common way of handling HIPAA email is to notify the user only that a message is waiting for them. It may also be acceptable to include a category or severity indicator so they know how quickly they need to read the message itself, as long as that indicator does not itself reveal a condition or treatment.

The common practice, then, is to confirm to the end user that a message exists and provide a link that takes them to the portal to read it after they sign in. Because the email carries no sensitive information, it cannot by itself disclose PHI, which provides a layer of safety if the message or the user's mailbox is compromised.

As you want to avoid any potential HIPAA violation, you will want to be incredibly careful about what you send in these transactional emails. However, it is very important to be able to notify these users of key interactions within the site. This is doubly so for important medical updates.

Extending Your Reach Securely

Marketing Emails Best Practices

Another thing to consider is the marketing side of transactional emails. Often, you won’t want to send just a link. You may consider sending information about different types of products that may be useful to the user.

Whenever these marketing activities occur, the data used to target a particular user must be kept separate from the marketing information gathered at an aggregate level. You do not want to send someone an email whose product recommendations expose sensitive health information by association, for example a suggestion for supplies that is clearly derived from a prescription the user filled.

Generally, it is best to err on the side of caution, even though this is not always a major issue. You do not want to cross the HIPAA line and unintentionally release sensitive, private information. You need to be very careful with email and always aware of the data sent in the email itself.

Protecting Personal Data and Information

Encrypted Emails & Data Transactions

It is also possible to deliver encrypted email data. This could mean sending an encrypted attachment, or sending a link that requires further authentication or verification before the content is shown. You could even authenticate the devices themselves, which makes the process smoother for specific users. The best practice, however, is to require authentication for each person, meaning they must be verified before accessing any sensitive data referenced by a transactional email.

There is no reason why you can’t provide people with information that is confirming an order or a shipment date. Of course, you must ensure any sensitive medical data has been removed from these confirmations. This could mean you cannot include some of the order line items, but you can show the order total and the expected shipment date. And, of course, you are always able to allow the user to log in themselves to see more detailed information.
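The notification-only pattern described above (a message that carries an opaque link and no PHI, with the detail kept behind a portal login) and the stripped-down order confirmation in the previous paragraph can both be enforced in code rather than by convention. The following Python is an added example, not code from the original page or from Clarity: it renders the email from an explicit allowlist of non-PHI fields, builds an expiring HMAC-signed link to an opaque message id (the portal must still require login; the signature only proves the link came from you and has not expired), and runs a final leak check that refuses to send if any PHI value appears in the rendered body. The order record, field names, base URL and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample order record; every value here is made up for the example.
SAMPLE_ORDER = {
    "order_id": "A1029",
    "order_total": "84.50",
    "ship_date": "2024-03-08",
    "message_id": "m-7f3c2e",
    "severity": "routine",
    # The fields below are treated as PHI and must never reach the email.
    "line_items": ["Metformin 500mg x90", "Glucose test strips x100"],
    "prescriber": "Dr. Example",
}

# Allowlist: the only fields a template may reference (assumed field names).
ALLOWED_FIELDS = frozenset({"order_id", "order_total", "ship_date", "severity"})
# Fields whose values are PHI for this shop (assumed field names).
PHI_FIELDS = frozenset({"line_items", "prescriber", "prescription_number", "diagnosis"})


def make_portal_link(base_url, message_id, secret, now, ttl_seconds=86400):
    """Expiring, HMAC-signed link to an opaque message id.
    The link carries no PHI; the portal still requires the user to log in."""
    exp = int(now) + ttl_seconds
    payload = f"{message_id}:{exp}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{base_url}/messages/{message_id}?exp={exp}&sig={sig}"


def verify_portal_link(message_id, exp, sig, secret, now):
    """Portal side: reject expired or tampered links before prompting for login."""
    if int(now) > int(exp):
        return False
    payload = f"{message_id}:{exp}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def render_notification(order, link):
    """Render the body from allowlisted fields only; other fields are unreachable."""
    safe = {k: order[k] for k in ALLOWED_FIELDS if k in order}
    return (
        f"Order {safe['order_id']}: {safe['severity']} update.\n"
        f"Total {safe['order_total']}, expected to ship {safe['ship_date']}.\n"
        f"Sign in to view details: {link}\n"
    )


def find_phi_leaks(body, order):
    """Names of PHI fields whose values appear verbatim in the body: a last line
    of defence against a template that reaches outside the allowlist."""
    leaks = []
    for name in sorted(PHI_FIELDS):
        value = order.get(name)
        if value is None:
            continue
        items = value if isinstance(value, (list, tuple)) else [value]
        if any(str(item) in body for item in items):
            leaks.append(name)
    return leaks


def build_email(order, base_url, secret, now, renderer=render_notification):
    """Assemble the message and refuse to send if the leak check fails."""
    link = make_portal_link(base_url, order["message_id"], secret, now)
    body = renderer(order, link)
    leaks = find_phi_leaks(body, order)
    if leaks:
        raise ValueError(f"refusing to send: PHI fields in body: {leaks}")
    return {"subject": f"Update on order {order['order_id']}", "body": body}


def leaky_renderer(order, link):
    """A template that lists line items: the mistake the guard exists to catch."""
    return render_notification(order, link) + "Items: " + ", ".join(order["line_items"])


if __name__ == "__main__":
    secret = b"example-only-not-a-real-key"  # assumed; load from a secret store in practice
    msg = build_email(SAMPLE_ORDER, "https://portal.example", secret, now=1_700_000_000)
    print(msg["body"])
    try:
        build_email(SAMPLE_ORDER, "https://portal.example", secret, 1_700_000_000,
                    renderer=leaky_renderer)
    except ValueError as err:
        print(err)
```

The allowlist is the real control; the substring leak check is a safety net and will not catch paraphrased PHI, so templates still need review. The signed link is deliberately not a bearer credential: `verify_portal_link` only decides whether to show the login page for that message, and the portal should authenticate the user and check that the message belongs to them before rendering anything.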

Depending on your privacy notice and the practices you employ, it may be possible to let the user opt in to seeing more information inside transactional emails. Before doing so, you would need to confirm with legal counsel that your notice covers it and that whatever the email will contain, whether a specific transactional email or a marketing email, is acceptable to send.

Data Security Where it Matters Most

Prescription Data and Verification

Often, the end user needs to supply additional prescription data or some form of verification that they are entitled to purchase an item. They need proof that it was prescribed to them, or that they passed a medical exam that allows them access to specific products.

It is also common for an end user to be on a prescription, or to have purchased an item, that is later recalled. You will want to inform them of any such change. Perhaps the subscription is about to renew, or they need to update payment information for a prescription. If there has been a recall and you do not inform your users, they will be rather irritated.

You do not want to force the user to log in for every update, but you also do not want to let information sit in an email. That is far less secure than keeping it inside the portal or the HIPAA eCommerce application.

It is very challenging to maintain the required level of security whenever you send an email that includes sensitive medical information. As such, it is highly recommended, if not required, that the emails themselves contain no PHI. This dramatically limits the types of email and the content you can send. You need to consider all of this when streamlining the process and making it easy for the end user.

HIPAA Compliance on the go

Mobile Application Capabilities

In addition to a link that opens the HIPAA eCommerce application or the web billing portal, you can consider offering a mobile app. This makes it easy for people to read messages without switching from a mobile device to a browser. The email can carry a link that opens the app directly at the relevant message or area of the site, after the app has authenticated the user. This makes the process less tedious, as users are not digging for the notification themselves but are sent immediately to where they need to be.

How Can Clarity Help

Clarity Marketplace Experts

We are interested in providing suggestions and recommended solutions based on the scenarios we’ve seen occur with previous clients. Feel free to reach out to us with any questions, and, to further help you, we’ve compiled more resources below. We look forward to potentially talking with you about your project.
