MailChimp is an automated email marketing program used for sending marketing newsletters and emails to mailing lists. Can healthcare organizations use MailChimp for sending protected health information (PHI)? Is MailChimp HIPAA compliant or is its use with PHI against HIPAA Rules?
HIPAA and Marketing
The HIPAA Privacy Rule specifies the permitted uses and disclosures of PHI. PHI sharing is restricted to the reasons related to the provision of medical care, healthcare operations and payment for healthcare services. There’s no prohibition on other uses and disclosures of PHI, but the written authorization of patients and health plan members must be ontained before PHI can be used or disclosed for other purposes.
Information about goods and services which are needed for treatment purposes may be sent to patients. However, prior to sending marketing communications to patients, authorizations are necessary. Marketing refers to the communication of information about a product or service that entices recipients of the messages to buy or utilize the product or service.
Provided that authorizations have been obtained, healthcare companies can use an automated marketing solution to send their communications, but with one caveat.
Uploading patient data to an automated marketing platform is considered as a disclosure of PHI and the service provider is considered a business associate. A business associate agreement (BAA) between the healthcare organization and service provider would be necessary for compliance with HIPAA.
So, Does MailChimp Support HIPAA Compliance?
MailChimp makes clear in its terms and conditions that customers are responsible for ensuring they conform to regulations like HIPAA. MailChimp is not responsible if customers use its services in a way that violates HIPAA laws or if its service fails to satisfy HIPAA requirements.
MailChimp implements security controls to prevent unauthorized access, encryption is used, and physical security controls protect its servers from being accessed by unauthorized individuals. However, MailChimp does not enter into BAAs with HIPAA covered entities so MailChimp cannot be considered a HIPAA-compliant email marketing platform.