Is Return Path HIPAA Compliant?
Return Path is an email marketing and optimization program that helps companies to put their email marketing campaigns and analytics on autopilot. Many companies use Return Path, but what about healthcare organizations? Is Return Path HIPAA compliant?
Email Marketing to Patients and Health Plan Members
Healthcare organizations that want to send marketing emails containing electronic protected health information (ePHI) must follow certain rules. Before any ePHI is uploaded to a marketing platform, the covered entity must confirm that:
- Permission has been obtained from patients/plan members to send them marketing messages.
- The email service provider has implemented appropriate security controls to protect the privacy of ePHI uploaded to the platform.
- The method used to upload data to the platform has safeguards in place (such as encryption in transit) to prevent interception of the data.
- The service provider has entered into a HIPAA-compliant business associate agreement (BAA) with the covered entity.
Marketing messages fall outside the HIPAA Privacy Rule’s definition of treatment, payment, and healthcare operations (TPO). Written authorization from patients/health plan members must therefore be obtained before ePHI is used for marketing purposes.
A BAA is necessary because uploading ePHI to a mailing service provider is a disclosure of PHI. The service provider is a business associate and must be notified of its duties under HIPAA and must agree, in the BAA, to follow HIPAA Rules. If the preceding conditions are satisfied, a HIPAA-covered entity may use a third-party platform to send marketing communications.
So, Is Return Path HIPAA Compliant?
Return Path has a range of security controls in place to protect data uploaded to the platform. However, Return Path does not appear to offer a BAA to covered entities, and there is no mention of HIPAA on the Return Path website. Return Path does state that users of the platform are responsible for complying with applicable rules and regulations, so it falls to the covered entity to ensure that HIPAA Rules are not violated.
Our verdict: Return Path is not HIPAA compliant unless a signed BAA is obtained. Healthcare organizations can use the platform, but not with any ePHI. Note that a mailing list drawn from patient records is itself ePHI, since an email address tied to a person’s status as a patient or plan member is an identifier combined with health information.