Is Mailchimp HIPAA-Compliant?

January 17th, 2020

“Is Mailchimp HIPAA-compliant?” has echoed through the boardrooms of healthcare organizations countless times. Whenever companies explore their options for email automation and marketing software, the popular provider’s name tends to be one of the first to pop up.

Mailchimp has long been the go-to option for designing emails and newsletters, sending them out, sharing to social networks, tracking results and much more. 

The company offers an integrated marketing platform that helps to simplify how businesses connect with their customers and also enhances their results.

It’s only natural that healthcare organizations are also wondering whether Mailchimp HIPAA-compliant bulk email is possible.

Is Mailchimp HIPAA Compliant?

Sadly, the answer will disappoint most of those in the healthcare sector, as well as other businesses that deal with electronic protected health information (ePHI). Mailchimp is not HIPAA-compliant.

Despite this, there are some promising aspects of Mailchimp’s security that make it seem as though it could be a HIPAA-compliant marketing email option.

These include login pages that are encrypted with TLS, hashed password storage and brute-force protection that prevents attackers from attempting to log in with every possible password combination. The company also conducts regular penetration tests and other security audits.

While these security features are a positive sign for Mailchimp’s service, the platform has a major stumbling block – there’s not a single mention of a business associate agreement (BAA) on the company’s website. 

This is concerning, because a BAA is essential for HIPAA compliance whenever companies share their data or allow it to be processed by another organization.

BAAs are a critical part of HIPAA compliance and failure to have one is considered an immediate HIPAA violation. It doesn’t matter if all security best practices are being followed, and the ePHI is being shared in a manner that’s compliant in every other way – sharing data without a BAA in place is still a violation.

This is because BAAs set out how two organizations can share data, and under what circumstances. BAAs also delineate where the legal responsibilities of each party fall, and who will be culpable if there are any problems.

If a company puts in the extra effort to provide a HIPAA-compliant service, they will generally advertise their compliance so that they can attract more clients from the health sector.

Since Mailchimp doesn’t have any reference to BAAs on its site – not even a single mention buried in its legal section – it’s safe to assume that the only answer to “Is Mailchimp HIPAA-compliant?” is a resounding “No”.

Beyond the absence of a HIPAA BAA, Mailchimp also does not make any provision for encrypting the bulk mail that would be sent out from its platform.  This makes it completely unsuitable for sending email in a context where compliance counts. There are many, many other security nuances also missing from Mailchimp — ones would not be needed unless you have to follow HIPAA or other compliance frameworks.

Mailchimp HIPAA-Compliant Alternatives

All is not lost for healthcare companies that need a HIPAA-compliant bulk email solution or other marketing tools. While they may have to rule out popular options like Mailchimp, there are a number of HIPAA-compliant marketing email services that are specifically designed for organizations that have to abide by the regulations.

At LuxSci, we specialize in providing secure and HIPAA-compliant services. When building our solutions, we take security, regulatory and practical considerations into account from the early planning stages up until the finished product.

Our approach results in tailor-made tools and services like HIPAA-compliant bulk email and secure hosting. These offer healthcare companies the right balance between their security and regulatory concerns, as well as their need for high-performance tech solutions.