Understanding the Privacy Act and How to Build Your Database


Leveraging your patient list for your marketing efforts is a great way to keep patients involved, interested, and coming back to see you when it’s time for another eye exam, specialty service, or a new pair of eyeglasses. But with today’s complicated privacy laws, how do you use text or email campaigns without accidentally crossing into illegal territory?

We’ve put together some information on North American privacy laws that can help you make the most of your patient list without causing legal trouble.

Disclaimer: This blog is only meant to serve as a guideline and does not replace or supersede the legislature it discusses. Please refer to the original laws to ensure you understand the full scope of each one and contact legal counsel if you have any questions.

Federal Laws

HIPAA (United States of America)

The Health Insurance Portability and Accountability Act was passed in 1994, and while it serves several purposes, one of them is to enforce privacy standards for individually identifiable health information. Here's a summary of what you need to know about the HIPAA Privacy Rule when building and using your patient database.

Health Insurance Portability and Accountability Act
  • The Privacy Rule is meant to protect all “individually identifiable health information” that you might get from your patients. The way you get that information doesn’t matter; whether you hear it verbally, read it in an email, or your patient fills it out in an online form, that information is protected. Individually identifiable health information includes:
    • The patient’s name, address, birthday, or social insurance number
    • The patient’s past, present, or future mental or physical health condition
    • Any services or care you’ve provided to the patient in the past or are currently providing the patient
    • Any other information that one might reasonably believe could be used to identify your patient
  • You need your patient's express written permission to use or disclose their information for any marketing efforts. Your intended use or disclosure of the information needs to be clearly defined in plain language so that your patient understands what they're agreeing to. Your patient also needs to have the opportunity to revoke their consent at any point.
  • While keeping your patient's information in a database is fine, you will need their permission to add them to any sort of mailing list that sends out notifications about upcoming sales, campaigns, promotions, and events.
  • Some common notifications aren’t considered marketing, and therefore, don’t require prior consent. Things that aren’t considered marketing include:
    • Letting patients know about new medical equipment through general mailing or publication
    • Reminding patients to refill their prescriptions
    • Reminding patients about upcoming appointments

Note that we’ve only covered what’s relevant to building a patient database for text and email marketing campaigns. You can read the HIPAA Privacy Rule in its entirety here.

CASL (Canada)

Canadian Anti-Spam Legislation
Canada's Anti-Spam Legislation deals with any kind of electronic message, including emails, social media, and text messages, designed to sell, promote, or advertise any product or service. A direct message asking for consent to send any of the messages described above is itself considered a commercial message. Here's a summary of what you need to know about CASL when building and using your patient database:

  • In order to send a commercial electronic message, you first need to have either express or implied consent from the addressee. If you’re unsure of what constitutes implied consent, it’s best to rely on express written consent, for instance, asking patients whether you can send them promotions and deals when they fill out forms.
  • To get express consent, you need to provide the following information in clear and simple terms:
    • What you’re asking consent for
    • Whether you’re getting consent for your own business, or for another party to send commercial messages
  • To have implied consent, at least one of the following must be true:
    • The recipient has publicly published their contact information without specifying that they don't want to receive commercial messages
    • You have an existing business relationship with the recipient, meaning they've been a patient of yours within the two years before the day you send the message
    • The recipient has contacted you to ask a question or has filled out a form within the 6 months before the day you send the message
  • When sending commercial messages, you must also:
    • Identify who is sending the message and on whose behalf it's being sent (if they're different parties)
    • Include a few methods by which the recipient can contact your practice (such as by phone or email). This contact information must remain valid for at least 60 days after the message is sent
    • Include an option for your patient to unsubscribe from future messages
  • You do not need a patient’s consent to:
    • Confirm an appointment, follow up on billing, or otherwise facilitate or complete their appointment via electronic messages
    • Provide information relating to the ongoing use or purchases of certain products (for instance, sending recall information to patients who wear a certain brand of contact lenses does not require consent)
    • Remind patients to refill prescriptions

Note that we've only covered what's relevant to building a patient database for text and email marketing campaigns. You can read CASL in its entirety here.

One Important Caveat

While federal legislation is a good starting point, it’s important to remember that many provinces, territories, and states in North America also have their own legislation dealing with privacy and the use of personal information.

We’ve listed every state, province, and territory below with a link to their respective privacy laws. Click your region to learn more about the restrictions specific to your area.

Provincial and State Laws

Canada

British Columbia | Alberta | Saskatchewan | Manitoba | Ontario | Quebec | New Brunswick | Nova Scotia | Newfoundland and Labrador | Prince Edward Island | Yukon | Northwest Territories | Nunavut

The United States of America

Alabama | Alaska | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Florida | Georgia | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Ohio | Oklahoma | Oregon | Pennsylvania | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Washington | West Virginia | Wisconsin | Wyoming

Kaia Carter / Content Writer

Kaia is a professional content writer at Marketing4ECPS. She enjoys literature on a daily basis.
