Is Mandrill HIPAA Compliant?

Does Mandrill support HIPAA compliance? Can healthcare organizations use MailChimp’s transactional email service without violating HIPAA Rules?

MailChimp, a popular email marketing platform, now offers a transactional email service under the brand name Mandrill. Mandrill enables companies to send automated emails to clients and people that engage with their web applications and the solution links to MailChimp through an API.

Transactional emails are different from marketing email messages. They are configured to be sent automatically in response to events such as password reset requests, the placement of orders, or a customer signing up for a service. Marketing emails require patients/plan members to opt in under HIPAA Rules; for transactional emails, an opt-in is generally not required.

That doesn’t mean there aren’t any HIPAA issues for healthcare companies that are thinking about utilizing Mandrill. Any email service that healthcare organizations use with electronic protected health information (ePHI) would need to have privacy and security measures integrated into the platform to prevent unauthorized access to ePHI. It is also necessary to maintain an audit trail. Any stored data must be encrypted, and any ePHI shared with the platform must be secured in transit.

If the service is used with any ePHI, Mandrill would be classified as a business associate and would need to enter into a business associate agreement (BAA) with the healthcare organization.

Users of Mandrill are bound by MailChimp’s terms and conditions. MailChimp states in its T&Cs that it is the responsibility of its users to make sure the email platform is used in a manner that is compliant with HIPAA. In addition, since MailChimp (at the time of writing) does not sign a BAA, neither MailChimp nor Mandrill can be considered HIPAA compliant. (You can learn more about Mailchimp’s HIPAA compliance here.)

Healthcare organizations can use MailChimp and Mandrill; however, they cannot be used with any ePHI because they are not HIPAA compliant.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.