Your practice just launched an email newsletter. The first campaign goes out to 5,000 patients, and it includes appointment reminders with diagnosis details in the subject line. Within weeks, you receive an OCR complaint. The fine starts at $145 per violation. That single email could cost your practice over $725,000.
Short answer: You can use email marketing in healthcare, but you must encrypt all emails containing protected health information (PHI), sign a Business Associate Agreement (BAA) with your email platform, and obtain written patient authorization for marketing messages. Violating these rules carries penalties from $145 to $72,856 per violation, with annual maximums up to $2.13 million.
What HIPAA Actually Requires for Email Marketing
HIPAA does not ban email marketing. It regulates how you handle PHI in those emails. The Privacy Rule allows covered entities to communicate electronically with patients, provided they apply reasonable safeguards.
The three non-negotiable requirements are encryption (TLS 1.2 or higher), a signed BAA with your email service provider, and documented patient consent. Without all three, you are not compliant regardless of your email content.
What You Can Send Without Authorization
Treatment communications are exempt from the marketing authorization requirement. You can send appointment reminders, prescription refill notices, post-visit care instructions, and general health information not tied to a specific product or service.
You can also send communications about your own health-related products and services, as long as they are face-to-face or involve items of nominal value. Newsletters with general wellness tips fall into a gray area. If they promote specific services at your practice, they likely qualify as marketing under HIPAA and require separate written authorization.
What Crosses the Line
Any communication where you receive financial remuneration from a third party for making that communication is marketing under HIPAA and requires written authorization. Selling patient email lists is never permitted. Sending emails about third-party products to your patient database without authorization is a violation.
In 2025, the HHS Office for Civil Rights documented 170 email-related HIPAA breaches impacting over 2.5 million people. As of January 2026, inflation-adjusted penalties increased the minimum fine to $145 per violation for unknowing offenses, up from $141 in 2025. Willful neglect with no correction carries penalties up to $72,856 per violation, with annual caps reaching $2,134,831.
Choosing a Compliant Email Platform
Standard email services like Gmail and Yahoo do not provide the encryption or BAA framework required for HIPAA compliance. You need a platform specifically built for healthcare email or one that offers a signed BAA and end-to-end encryption.
Platforms like Paubox, Mailchimp (with its HIPAA-compliant tier), and Constant Contact (healthcare plan) offer BAA signing, encryption, audit logging, and consent management. The key factor is not the platform name but whether they will sign a BAA and encrypt all messages containing PHI.
What This Means for Your Practice
Email marketing remains one of the most cost-effective channels for patient engagement, but the compliance requirements are specific and enforced. Build your email program on three pillars: use only BAA-covered platforms with encryption, segment your lists so marketing messages only reach patients who gave written authorization, and never include PHI in subject lines or unencrypted message bodies.
The penalty structure is designed to make compliance cheaper than violation. A compliant email platform costs $50 to $500 per month. A single enforcement action costs $145 to $2.13 million.
Related reads:
- How to Reduce No-Shows with Appointment Reminders
- Google Reviews vs Healthgrades: Which Matters More for Doctors?
Need HIPAA-compliant email marketing that drives patient engagement? We build compliant email automation systems for healthcare practices that grow revenue without risking fines. Explore our email marketing services or get started.