Is Constant Contact HIPAA Compliant?


Constant Contact is HIPAA compliant provided users subscribe to a business plan with the capabilities to support HIPAA compliance, configure the capabilities to meet the requirements of the Security Rule, and enter into a Business Associate Agreement with the software vendor.

Constant Contact offers an online and email marketing solution that allows businesses to keep in touch with customers easily and to send newsletters and marketing communications. Are HIPAA-covered entities allowed to use Constant Contact? Does Constant Contact support HIPAA compliance?

Marketing Emails That Contain ePHI

The HIPAA Privacy Rule does not forbid the sending of marketing emails; however, before doing so, covered entities must first obtain authorization from the patients/plan members concerned, who must opt in to receive marketing communications. As long as authorizations have been obtained beforehand, covered entities can send marketing emails without violating the HIPAA Privacy Rule.

Using an email marketing solution can help healthcare organizations send out emails and manage mailing lists efficiently, although HIPAA-covered entities need to make sure that such a service supports HIPAA compliance. Some email marketing providers' platforms meet the technical requirements of the HIPAA Security Rule, yet the providers do not sign business associate agreements (BAAs) with healthcare organizations.

Importing any ePHI into an email marketing platform is considered an impermissible ePHI disclosure if the covered entity does not have a BAA with the platform provider.

Is Constant Contact HIPAA Compliant?

When evaluating if Constant Contact is HIPAA compliant or not, a good place to start is with the business associate agreement. Constant Contact says on its website that it is prepared to sign a BAA with healthcare organizations so that they can use the platform for emailing patients/health plan members.


Nonetheless, there are a few caveats. Constant Contact will not sign a BAA provided by a covered entity, only its own BAA. The BAA covers the vendor's obligations; when using the platform, it remains the HIPAA-covered entity's responsibility to ensure that any data stored in its Constant Contact account is secured. The covered entity needs to set strong passwords and make sure the account is correctly configured to restrict access to stored data to those users who need it.

Constant Contact additionally states that healthcare organizations that have obtained a BAA must not use the platform to transmit highly sensitive protected health information such as substance abuse, HIV, or mental health information. The platform is also not to be used with electronic medical records (EMR).

Therefore, although Constant Contact will sign a BAA and can support HIPAA compliance, use of the platform with ePHI is subject to these restrictions.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: