Is Mandrill HIPAA Compliant?

Mandrill HIPAA compliant email?

Does Mandrill support HIPAA compliance? Can healthcare organizations use MailChimp’s transactional email service without violating HIPAA Rules?

MailChimp, a popular email marketing platform, now offers a transactional email service under the brand name Mandrill. Mandrill enables companies to send automated emails to clients and to people who engage with their web applications, and the service links to MailChimp through an API.

Transactional emails are different from marketing email messages. They are configured to be sent automatically in response to events such as password reset requests, the placement of orders, and new customers signing up for a service. Marketing emails require patients/plan members to opt in under HIPAA Rules; for transactional emails, an opt-in is generally not required.

That doesn’t mean there aren’t any HIPAA issues for healthcare companies that are thinking about using Mandrill. Any email service that healthcare organizations use with electronic protected health information (ePHI) would need to have privacy and security measures integrated into the platform to prevent unauthorized access to ePHI. It is also necessary to maintain an audit trail. Any stored data must be encrypted, and any ePHI shared with the platform must be secured in transit.

If the service is used with any ePHI, Mandrill would be classified as a business associate and would need to enter into a business associate agreement (BAA) with the healthcare organization.

Users of Mandrill are bound by MailChimp’s terms and conditions. MailChimp states in its T&Cs that it is the responsibility of its users to make sure the email platform is used in a manner that is compliant with HIPAA. In addition, since MailChimp (at the time of writing) does not sign a BAA, neither MailChimp nor Mandrill can be considered HIPAA compliant. (You can learn more about MailChimp’s HIPAA compliance here.)

Healthcare organizations can use MailChimp and Mandrill; however, because the services are not HIPAA compliant, they cannot be used with any ePHI.