Is MailChimp HIPAA Compliant?
Mailchimp is not HIPAA compliant and cannot be used to send marketing emails or newsletters that contain Protected Health Information (PHI) unless the subject of the PHI has given their authorization for their individually identifiable health information to be shared in marketing communications via a noncompliant channel of communication.
Mailchimp is a versatile email and social media marketing platform with hundreds of integrations that can support commerce and customer relationship activities. In the healthcare industry, Mailchimp can be used, for example, to create community newsletters, distribute information about healthy lifestyles, and raise awareness of seasonal illnesses or health hazards.
However, when a healthcare organization conducts a marketing campaign, the organization must comply with federal and state regulations governing the privacy and security of data, and account for the communication choices of marketing recipients. Typically, these regulations include:
- The HIPAA Privacy Rule requires covered entities to obtain a valid authorization from the subject of any PHI disclosed in a marketing communication.
- The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality and integrity of PHI transmitted in marketing communications.
- The FCC's CAN-SPAM Rule requires covered entities and business associates to comply with the CAN-SPAM Act for commercial, transactional, and relationship emails.
- Multiple states have enacted legislation that requires covered entities to obtain affirmative opt-in consent before patients' contact information can be used for marketing communications.
Due to the wide range of regulations that govern healthcare marketing activities, it is recommended that workforce members engaged in healthcare marketing activities receive compliance training. While compliance with some of the regulations is out of individual workforce members' control, it is important they are aware of the compliance requirements to help prevent avoidable violations of federal and state regulations.
Healthcare Industry Marketing and HIPAA
When a healthcare organization conducts any marketing activity that discloses PHI, it is necessary for the healthcare organization to obtain a valid HIPAA authorization form authorizing the use of PHI in the marketing activity from the subject(s) of the PHI or their personal representative(s) (§164.508(a)(3)). The HIPAA authorization form must state what PHI is being disclosed, who it is being disclosed to, and why.
In the event of PHI being used for marketing, the HIPAA authorization form should clearly state that the organization has no control over further disclosures of PHI once the PHI is in the public domain. Nonetheless, under the HIPAA Security Rule (§164.312(e)(1)), healthcare organizations are still required to "guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network."
This means that, if a healthcare organization sends marketing emails containing PHI, then in addition to obtaining an authorization to use PHI for marketing, the method of transmission must comply with the HIPAA Security Rule. In the context of answering whether Mailchimp is HIPAA compliant, not only must the marketing platform be HIPAA compliant, but so must the email service or email service provider used by the organization.
Is Mailchimp HIPAA Compliant?
In addition to being versatile, Mailchimp is secure. Mailchimp's technology infrastructure includes network devices such as firewalls and IDS/IPS tools, which are strategically placed to control and monitor network traffic for data loss and corruption. Its servers are protected from DDoS attacks, and data in transit is protected by TLS 1.2 encryption. Mailchimp also has numerous compliance certifications.
However, Mailchimp's Terms of Service state: "You are responsible for determining whether the Service is appropriate for you, in light of your obligations under any regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), [...] or other applicable laws. If you are subject to regulations (such as HIPAA) and you use the Service, we will not be responsible if the Service does not comply with such regulations."
Because of this clause, Mailchimp will not enter into Business Associate Agreements with HIPAA covered entities and business associates. This means healthcare organizations cannot disclose PHI in a marketing communication sent via the Mailchimp platform because this would be an unauthorized disclosure of PHI. However, if the disclosure is authorized, it would not be a violation of HIPAA.
How to Use Mailchimp Without Violating HIPAA
At present, it is not possible to make Mailchimp HIPAA compliant via an add-on or integration that isolates PHI from Mailchimp's servers. But, significantly, Mailchimp does not prohibit the use of PHI in marketing emails in its Terms of Service. This makes it possible to include PHI in marketing emails sent through the platform provided the disclosure is authorized by the subject of the PHI being disclosed in the marketing email.
As it is necessary to obtain an authorization before disclosing PHI in any marketing activity, the way to use Mailchimp in compliance with HIPAA is to include an addendum to the HIPAA authorization form stating that the marketing email will be sent via a noncompliant channel of communication. In most cases, the subject of the PHI is unlikely to object to the addendum if they have already agreed to the disclosure.
This makes Mailchimp usable by healthcare organizations because it is permitted to import contacts into a Mailchimp database (because contact information is not protected by HIPAA when it is maintained separately from individually identifiable health information). However, this is not a perfect solution. While it allows for PHI to be disclosed in marketing communications, it does not allow PHI to be collected from email recipients via forms and surveys.
Conclusion: Better to Look Elsewhere for a HIPAA Compliant Platform
Many sources discussing whether Mailchimp is HIPAA compliant focus on the fact that Mailchimp will not enter into a HIPAA Business Associate Agreement and conclude from this that Mailchimp is not HIPAA compliant. While this is an accurate conclusion, it does not prevent healthcare organizations from using Mailchimp to run email marketing campaigns, even campaigns in which PHI is disclosed.
Nonetheless, while it is possible to work around the regulations, the limitations of using Mailchimp with HIPAA authorizations limit the benefits of the platform. Consequently, while it is possible to use Mailchimp without violating HIPAA, it would be better to look elsewhere for a HIPAA compliant email marketing platform. Suggestions include Paubox, JotForm, and Salesforce.