Understanding the Privacy Act and How to Build Your Database


Leveraging your patient list for your marketing efforts is a great way to keep patients involved, interested, and coming back to see you when it’s time for another eye exam, specialty service, or a new pair of eyeglasses. But with today’s complicated privacy laws, how do you run text or email campaigns without accidentally crossing into illegal territory?

We’ve put together some information on North American privacy laws that can help you make the most of your patient list without causing legal trouble.

Disclaimer: This blog is only meant to serve as a guideline and does not replace or supersede the legislation it discusses. Please refer to the original laws to ensure you understand the full scope of each one, and contact legal counsel if you have any questions.

Federal Laws

HIPAA (United States of America)

The Health Insurance Portability and Accountability Act was passed in 1996, and while it serves several purposes, one of them is to set privacy standards for individually identifiable health information. Here’s a summary of what you need to know about the HIPAA Privacy Rule when building and using your patient database.

Health Insurance Portability and Accountability Act
  • The Privacy Rule protects all “individually identifiable health information” (also called protected health information, or PHI) that you receive from your patients. The way you get that information doesn’t matter; whether you hear it verbally, read it in an email, or your patient fills it out in an online form, that information is protected. Individually identifiable health information includes:
    • The patient’s name, address, birth date, or Social Security number
    • The patient’s past, present, or future mental or physical health condition
    • Any services or care you’ve provided to the patient in the past or are currently providing
    • Any other information that one might reasonably believe could be used to identify your patient
  • You need your patient’s written authorization to use or disclose their information for any marketing effort. Your intended use or disclosure needs to be described in plain language so your patient understands what they’re agreeing to, and the patient must be able to revoke that authorization at any time
  • Keeping your patient’s information in a database for treatment and practice operations is fine, but you will need their authorization before adding them to any mailing list that sends out notifications about upcoming sales, campaigns, promotions, and events
  • Some common notifications aren’t considered marketing under the Privacy Rule, and therefore don’t require prior authorization. These include:
    • Letting patients know about new medical equipment or services you offer through a general mailing or publication
    • Reminding patients to refill their prescriptions
    • Reminding patients about upcoming appointments

Note that we’ve only covered what’s relevant to building a patient database for text and email marketing campaigns. You can read the HIPAA Privacy Rule in its entirety here.

CASL (Canada)

Canadian Anti-Spam Legislation
Canada’s Anti-Spam Legislation deals with any kind of commercial electronic message, including emails, social media messages, and text messages designed to sell, promote, or advertise any product or service. A direct message asking for consent to send any of the messages described above is itself considered a commercial message. Here’s a summary of what you need to know about CASL when building and using your patient database.

  • In order to send a commercial electronic message, you first need either express or implied consent from the addressee. If you’re unsure of what constitutes implied consent, it’s best to rely on express written consent, for instance by asking patients whether you can send them promotions and deals when they fill out your intake forms.
  • To get express consent, you need to provide the following information in clear and simple terms:
    • What you’re asking consent for
    • Whether you’re getting consent for your own business, or for another party to send commercial messages
  • You have implied consent if any one of the following applies:
    • The recipient has conspicuously published their contact information without specifying that they don’t want to receive unsolicited commercial messages, and your message is relevant to their business or role
    • You have an existing business relationship with the recipient, meaning they’ve been a patient of yours within the two years immediately before the day you send the message
    • The recipient has contacted you to ask a question or has filled out a form within the six months immediately before the day you send the message
  • When sending commercial messages, you must also:
    • Identify who is sending the message and on whose behalf it’s being sent (if they’re different people)
    • Include contact information for your practice: a mailing address plus at least one of a phone number, an email address, or a web address. This contact information must remain valid for at least 60 days after the message is sent
    • Include an unsubscribe option that lets your patient opt out of future messages
  • You do not need a patient’s consent to:
    • Confirm an appointment, follow up on billing, or otherwise facilitate or complete their appointment via electronic messages
    • Provide information relating to the ongoing use or purchase of certain products (for instance, sending recall information to patients who wear a certain brand of contact lenses does not require consent)
    • Remind patients to refill prescriptions

Note that we’ve only covered what’s relevant to building a patient database for text and email marketing campaigns. You can read CASL in its entirety here.

One Important Caveat

While federal legislation is a good starting point, it’s important to remember that many provinces, territories, and states in North America also have their own legislation dealing with privacy and the use of personal information. Where a regional law is stricter than the federal one, you’ll need to meet the stricter requirement.

We’ve listed every state, province, and territory below with a link to their respective privacy laws. Click your region to learn more about the restrictions specific to your area.

Provincial and State Laws

Canada

British Columbia | Alberta | Saskatchewan | Manitoba | Ontario | Quebec | New Brunswick | Nova Scotia | Newfoundland and Labrador | Prince Edward Island | Yukon | Northwest Territories | Nunavut

The United States of America

Alabama | Alaska | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Florida | Georgia | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Ohio | Oklahoma | Oregon | Pennsylvania | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Washington | West Virginia | Wisconsin | Wyoming

Written by Kaia Carter
