Is Marketo HIPAA Compliant?

Is Marketo HIPAA compliant?

Marketo is HIPAA compliant for organizations that subscribe to Adobe’s Experience Cloud for Healthcare, that agree to the terms of Adobe’s Business Associate Agreement, and that configure the platform to comply with the Security Rule safeguards. It is also important members of the workforce are told not to send Protected Health Information (PHI) in marketing communications unless the disclosure is authorized by the subject of the PHI or is exempted by the Privacy Rule.

Marketo is a versatile automated marketing and lead management platform that can be used to create dynamic content for lead forms, landing pages, and emails. Marketo does not have to be HIPAA compliant in order for covered entities and business associates to take advantage of the platform’s capabilities; but, when the conditions are met to make Marketo HIPAA compliant, organizations can also use the platform to collect, store, analyze, and share PHI internally.

Making Marketo HIPAA Compliant

Adobe offers a variety of subscription options for the Marketo platform. However, Adobe will only enter into a Business Associate Agreement with covered entities and business associates that subscribe to the platform via the Experience Cloud for Healthcare. This is because the Experience Cloud for Healthcare is designed with the necessary security, features, and functionalities to support HIPAA compliance.

The Marketo HIPAA compliant Business Associate Agreement is a “one-size-fits-all” Agreement between Adobe and subscribers to the Experience Cloud for Healthcare that also covers the use of other “HIPAA-Ready Services” such as the Adobe Customer Data Platform, Experience Manager, and Customer Journey Analytics Platform. However, it is important to review the terms of the Business Associate Agreement – especially with regards to Adobe’s shared responsibility model.

Adobe’s shared responsibility model means that Adobe is responsible for the security of the cloud, while subscribers are responsible for security in the cloud. Adobe explains this concept further in its implementation guide which also provides configuration recommendations to help subscribers configure the platform in compliance with the Security Rule. Note: following the recommendations does not replace the requirement to conduct a HIPAA risk assessment before using Marketo to collect PHI.

Why HIPAA Training May Also be Necessary

While it is important to make Marketo HIPAA compliant before collecting PHI, it is also important the platform is used in compliance with HIPAA. Depending on what the platform is used for, ensuring it is used in compliance with HIPAA may not only mean providing members of the workforce with security training, but also with Privacy Rule HIPAA training.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

This is because the Privacy Rule generally prohibits the use of PHI in marketing emails unless the disclosure is authorized by the subject of the PHI, the disclosure falls into one of the exempted categories in the definition of marketing in §164.501, or the disclosure is to conduct post marketing surveillance on an FDA regulated product or activity.

The failure to comply with the Privacy Rule when using the Marketo platform would be a HIPAA violation that would also breach Adobe’s Terms of Use. Because of this risk – and the risk of the service being terminated – covered entities and business associates unsure about their compliance obligations are advised to seek professional advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: