Constant Contact offers an online and email marketing solution which allow businesses to easily keep in touch with customers and send newsletters and marketing communications. Are HIPAA-covered entities allowed to use Constant Contact? Does Constant Contact support HIPAA compliance?
Marketing Emails That Contain ePHI
The HIPAA Privacy Rule doesn’t forbid the sending of marketing emails; however before doing so, covered entities must obtain first authorization from patients/plan members who must opt-in to receive marketing communications. As long as authorizations have been acquired beforehand, covered entities can send marketing emails without violating the HIPAA Privacy Rule.
Using an email marketing solution can help healthcare organization to efficiently send out emails and manage mailing lists, although HIPAA-covered entities need to make sure that such a service is HIPAA compliant. Some email marketing providers’ platforms meet the requirements of the HIPAA Security Rule, yet they do not sign business associate agreements (BAAs) with healthcare companies.
Importing any ePHI into an email marketing platform is considered an impermissible ePHI disclosure if the covered entity does not have a BAA with the platform provider.
Is Constant Contact HIPAA Compliant?
When evaluating if Constant Contact is HIPAA compliant or not, a good place to start is with the business associate agreement. Constant Contact says on its website that it is prepared to sign a BAA with healthcare organizations so that they can use the platform for emailing patients/health plan members.
Nonetheless, there are a few caveats. Constant Contact won’t sign a BAA provided by a covered entity, only its own BAA. When utilizing the platform, it is the HIPAA-covered entity’s responsibility to ensure that any data stored in their Constant Contact account is secured. They need to set strong passwords and make sure their account is correctly configured to restrict access to stored data.
Constant Contact additionally says that healthcare organizations that have obtained a BAA must not use the platform for transmitting highly sensitive protected health information like substance abuse, HIV or mental health information. Its application is also not not be used with electronic medical records (EMR).
Therefore, although Constant Contact will sign a BAA and is HIPAA compliant, use of the platform has its restrictions.