Is MailChimp HIPAA Compliant?

Is Mailchimp HIPAA compliant?

Mailchimp is not HIPAA compliant and cannot be used to send marketing emails or newsletters that contain Protected Health Information (PHI) unless the subject of the PHI has given their authorization for their individually identifiable health information to be shared. In the absence of authorization, it is not permissible for HIPAA regulated entities to disclose PHI via Mailchimp.

HIPAA and Marketing

The HIPAA Privacy Rule specifies the permitted uses and disclosures of PHI. PHI sharing is restricted to the reasons related to the provision of medical care, healthcare operations and payment for healthcare services. There’s no prohibition on other uses and disclosures of PHI, but the written authorization of patients and health plan members must be obtained before PHI can be used or disclosed for other purposes.

Information about goods and services which are needed for treatment purposes may be sent to patients. However, prior to sending marketing communications to patients, authorizations are necessary. Marketing refers to the communication of information about a product or service that entices recipients of the messages to buy or utilize the product or service.

Provided that authorizations have been obtained, healthcare companies can use an automated marketing solution to send their communications, but with one caveat.

Uploading patient data to an automated marketing platform is considered as a disclosure of PHI and the service provider is considered a business associate. A business associate agreement (BAA) between the healthcare organization and service provider would be necessary for compliance with HIPAA.

So, Does MailChimp Support HIPAA Compliance?

MailChimp makes clear in its terms and conditions that customers are responsible for ensuring they conform to regulations like HIPAA. MailChimp is not responsible if customers use its services in a way that violates HIPAA laws or if its service fails to satisfy HIPAA requirements.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

MailChimp implements security controls to prevent unauthorized access, encryption is used, and physical security controls protect its servers from being accessed by unauthorized individuals. However, MailChimp does not enter into BAAs with HIPAA covered entities so MailChimp cannot be considered a HIPAA-compliant email marketing platform.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: