Is Constant Contact HIPAA-Compliant?

January 6th, 2020

In a perfect world, using Constant Contact would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.


Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials
  • Email marketing automation
  • Marketing tools for ecommerce
  • Contact management
  • Analytic tools for tracking results

Constant Contact has a lot to offer, but is it a good choice for organizations that want to send electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign their own BAA and won’t make changes to it “under any circumstances.” This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check if the BAA is right for your company, you will need to email the legal department listed in the above-linked page for a copy.

If you think you may have found the HIPAA-compliant email marketing service you were looking for, reading on may crush your dreams. The BAA states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI.” The law doesn’t generally differentiate between HIV results and eczema diagnoses, treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

The BAA says that you should avoid using the service if you “have such information to send.” While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not have the ability to encrypt emails containing PHI. HIPAA requires, among many other things, that all ePHI be encrypted during transmission. This is probably why Constant Contact recommends against using their bulk emailing service for the actual sending of HIPAA-compliant emails.

Constant Contact HIPAA-Compliant Alternatives

If you are looking for a HIPAA-compliant email marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in focus.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without violating HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.