" BAA requirements Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘BAA requirements’

Is Marketo HIPAA-Compliant?

Wednesday, October 23rd, 2019

If you’re in the healthcare sector and considering marketing-automation software, you may be wondering, “Is Marketo HIPAA-compliant?”

Marketo features a holistic range of marketing tools that aim to bring results for its users. Its offerings include:

  • Email marketing
  • Lead management
  • Mobile marketing
  • Customer base marketing
  • Consumer marketing
  • Account-based marketing
  • Revenue attribution

Together, these tools can help to streamline and maximize a business’s marketing processes, bringing in more clients and boosting sales. While Marketo offers a great range of tools, it isn’t suitable in every scenario.

Is Marketo HIPAA Compliant?

The short answer is no. While there are many aspects that seem like they would make Marketo HIPAA-compliant, such as 2048-bit certificates, and third-party security assessments, one critical component is missing – Marketo makes no mention of business associate agreements (BAAs).

BAAs are at the core of HIPAA compliance. If ePHI is shared between companies without one of these agreements in place, it’s an immediate HIPAA violation. This is true, regardless of whether every other aspect of the relationship falls completely within the guidelines. 

BAAs are essential because they legally lay out how data will be shared and processed between the two entities, as well as where the responsibility falls.

No matter where we looked on the Marketo website, we couldn’t find any mention of BAAs. We checked through the privacy policy, legal section and even conducted a site-search, but nothing showed up.

Without any indications of the company’s willingness to sign a business associate agreement, we can only assume that the answer to our question of “Is Marketo HIPAA-compliant?” is a strong no.

The company makes things confusing because its Healthcare Marketing Solutions page features references to medical organizations like Boston Children’s Hospital and GE Healthcare.

Despite this seeming conflict, it’s most likely that Marketo does not offer HIPAA-compliant services. If the company did go to the effort of making its platform HIPAA-compliant, it would make sense for it to market these efforts, or at least have some mention of BAAs on its website

The safest assumption is that Marketo probably provides solutions that don’t involve ePHI to the healthcare companies mentioned above. This could include services that don’t need to be HIPAA compliant, marketing email for other purposes, and related offerings.

Marketo HIPAA-Compliant Alternatives

If you were looking for a HIPAA-compliant bulk email solution, or some other software that makes marketing easier, we’re sorry to be the bringers of bad news. At least you can take solace in the knowledge that you won’t get caught in a HIPAA violation for using non-compliant software.

So what are your alternatives? Is Mailchimp HIPAA-compliant?

Unfortunately, MailChimp’s popular platform will also get you in trouble with regulators if it touches your ePHI.

If you’re out of ideas for automating and streamlining your marketing processes, you don’t need to give up hope just yet. At LuxSci, we offer both HIPAA-compliant bulk email and HIPAA-compliant marketing email services.

HIPAA compliance and security are our main focuses at LuxSci, so all of our services are designed with the regulations in mind at every step of the way. By partnering with LuxSci and using our marketing services carefully, your organization can significantly reduce its risks of HIPAA violations.

Business Associate Agreements: Fact vs Fiction

Tuesday, August 28th, 2018

HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.

The written contract between the covered entity and business associate must meet the following requirements:

business associate agreement

  1. State the permitted and required uses and disclosure of PHI by the BA.
  2. Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
  3. Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.
  4. Report to the covered entity any use or disclosure of information not provided for by the contract.
  5. Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.
  6. Adhere to the requirements of the Privacy Rule to the extent required.
  7. Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.
  8. At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.
  9. Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.
  10. Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.

Read the rest of this post »

HIPAA Business Associate Agreement: Do I Need One?

Thursday, July 12th, 2018

A business associate (BA) is an individual or an entity who could come in contact with protected health information (PHI) by providing services to or performing activities on behalf of covered entities. Your employee is not a business associate, but your web host, email encryption service, billing company and lawyers could be, and these are just four examples. BAs of BAs (BA’s contracting with your vendors) further extend the chain.

Not all entities that access PHI must be business associates. For instance, the cleaning company that disposes trash from your office does not qualify as a business associate even though there is a possibility of the cleaning crew coming in contact with identifying patient information in dustbins or laying on FAX machines or desks (though if they do, then your employees did not manage the PHI properly). However, it is important to have a clear reporting mechanism in place where cleaning company workers can alert a point person in your office when they come across PHI.

Business associate agreement do I need one?

The Omnibus Rule provides multiple categories of business associates, including health information organizations (HIOs), anyone offering personal health records to individuals on behalf of covered entities, and covers a variety of service categories such as data aggregation, accreditation, actuarial and administrative services dispensed to a covered entity provided such services involve the disclosure of patient health information. Use this link for more information on business associates.

Read the rest of this post »