Marketo is an email marketing and lead management platform that has now been acquired by Adobe. Can healthcare organizations use Marketo in association with electronic protected health information (ePHI)? Does Marketo support HIPAA compliance?
Healthcare organizations searching for an email marketing platform must be sure that the platform provider supports HIPAA complaint before the service is used in connection with ePHI. Healthcare organizations may utilize marketing automation platforms for a variety of functions without entering into a business associate agreement (BAA) with the platform provider. However, if the healthcare organization’s use involves ePHI, a BAA is necessary.
Additionally, HIPAA limits the uses and disclosures of ePHI by HIPAA covered entities to the following purposes:
- Providing treatment
- Paying for healthcare
- Healthcare operations
Marketing, defined by HIPAA as communicating with a person regarding a product or service that entices the person to buy or use the product or service that is being promoted, is only permitted if HIPAA-covered entities obtain written consent from patients in advance.
Is Marketo HIPAA Compliant?
Marketo declares on its website that it has achieved Privacy Shield and SOC2 certification. Marketo has also implemented a host of safety measures to keep customer information private and confidential.
Marketo uses high-grade 2048-bit certificates to encrypt connections and unique session tokens secure user sessions and call for re-verification with every transaction. Marketo runs scans of its network and systems regularly to check for vulnerabilities and applies patches promptly. Marketo additionally has penetration tests conducted and independent third parties frequently assess its products for potential vulnerabilities. Marketo also implements physical, administrative and technical safeguards to keep data, software and hardware secure and stores all clients’ information in separate databases.
However, Marketo’s user policy says its customers should never upload nor give Marketo access to passport or visa numbers, social security numbers, driver’s license numbers; employee or taxpayer IDs; financial account or payment card data; passwords; or healthcare records and information relating to payment for healthcare. Further, there is no mention of a BAA on the Marketo website and related forums.
If there’s no BAA, Marketo cannot be regarded as HIPAA compliant and cannot be used in connection with ePHI.