" hipaa bulk email Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘hipaa bulk email’

Is Mailchimp HIPAA-Compliant?

Friday, January 17th, 2020

“Is Mailchimp HIPAA-compliant?” has echoed through the boardrooms of healthcare organizations countless times. Whenever companies explore their options for email automation and marketing software, the popular provider’s name tends to be one of the first to pop up.

Mailchimp has long been the go-to option for designing emails and newsletters, sending them out, sharing to social networks, tracking results and much more. 

The company offers an integrated marketing platform that helps to simplify how businesses connect with their customers and also enhances their results.

It’s only natural that healthcare organizations are also wondering whether HIPAA-compliant bulk email is possible with Mailchimp.

Is Mailchimp HIPAA Compliant?

Sadly, the answer will disappoint most of those in the healthcare sector, as well as other businesses that deal with electronic protected health information (ePHI). Mailchimp is not HIPAA-compliant.

Despite this, there are some promising aspects of Mailchimp’s security that make it seem as though it could be a HIPAA-compliant marketing email option.

These include login pages that are encrypted with TLS, hashed password storage and brute-force protection that prevents attackers from attempting to log in with every possible password combination. The company also conducts regular penetration tests and other security audits.

While these security features are a positive sign for Mailchimp’s service, the platform has a major stumbling block – there’s not a single mention of a business associate agreement (BAA) on the company’s website.

This is concerning, because a BAA is essential for HIPAA compliance whenever companies share their data or allow it to be processed by another organization.

BAAs are a critical part of HIPAA compliance and failure to have one is considered an immediate HIPAA violation. It doesn’t matter if all security best practices are being followed, and the ePHI is being shared in a manner that’s compliant in every other way – sharing data without a BAA in place is still a violation.

This is because BAAs set out how two organizations can share data, and under what circumstances. BAAs also delineate where the legal responsibilities of each party fall, and who will be culpable if there are any problems.

If a company puts in the extra effort to provide a HIPAA-compliant service, they will generally advertise their compliance so that they can attract more clients from the health sector.

Since Mailchimp doesn’t have any reference to BAAs on its site – not even a single mention buried in its legal section – it’s safe to assume that the only answer to “Is Mailchimp HIPAA-compliant?” is a resounding “No”.

Beyond the absence of a HIPAA BAA, Mailchimp also does not make any provision for encrypting the bulk mail that would be sent out from its platform. This makes it completely unsuitable for sending email in a context where compliance counts. There are many other security nuances also missing from Mailchimp, ones that would not be needed unless you have to follow HIPAA or other compliance frameworks.

Mailchimp HIPAA-Compliant Alternatives

All is not lost for healthcare companies that need a HIPAA-compliant bulk email solution or other marketing tools. While they may have to rule out popular options like Mailchimp, there are a number of HIPAA-compliant marketing email services that are specifically designed for organizations that have to abide by the regulations.

At LuxSci, we specialize in providing secure and HIPAA-compliant services. When building our solutions, we take security, regulatory and practical considerations into account from the early planning stages up until the finished product.

Our approach results in tailor-made tools and services like HIPAA-compliant bulk email and secure hosting. These offer healthcare companies the right balance between their security and regulatory concerns, as well as their need for high-performance tech solutions.

Is SendGrid HIPAA-Compliant?

Wednesday, October 30th, 2019

If your health organization has been investigating its options for promotional email services, you may be wondering, “Is SendGrid HIPAA compliant?” The popular service is used to send 50 billion emails each month, with major clients including Uber, Spotify and Yelp.

SendGrid offers convenient marketing campaign tools alongside its own email API, and its solutions help to both save time and offer scalability. But is SendGrid an appropriate tool for those that need to send HIPAA-compliant bulk email?

Is SendGrid HIPAA-Compliant?

“No, we are not.”

SendGrid makes this extremely clear on its “Is SendGrid HIPAA-compliant?” page. The company should be commended for being so upfront about this. Some of its rivals take a bit of poking around to figure out whether their services can be used to protect ePHI within the confines of HIPAA regulations.

The company does not provide HIPAA-compliant marketing email software with appropriate safeguards for sensitive patient data. SendGrid goes on to say that, “We do not offer any encryption or security measures…beyond those included in the SMTP RFC, which was not designed with HIPAA compliance in mind.”

If that wasn’t enough to convince you, SendGrid’s Terms of Service certainly should:

If You are (or become) a Covered Entity or Business Associate (as defined in HIPAA) or a Financial Institution (as defined in GLBA), you agree not to use the Service for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) or Nonpublic Personal Information (as defined in GLBA).

If you got lost in the legalese and you’re still wondering “Is SendGrid HIPAA compliant?” the paragraph is essentially just a fancy reiteration of the company’s earlier response of, “No, we are not.”

As one final nail in the coffin, SendGrid’s website has no current mentions of its willingness to sign a business associate agreement (BAA). BAAs are essential for HIPAA compliance whenever one company uses the service of another to transmit, store or process their ePHI in any way.

These agreements lay down the ground rules for how data will be shared, the protection measures that will be put in place, and which party is legally responsible in different circumstances. If a company is unwilling to sign one of these agreements, then it’s impossible to use its service to process ePHI and still remain HIPAA-compliant.

SendGrid HIPAA-Compliant Alternatives

Because SendGrid is not a HIPAA-compliant marketing email service, your organization will need to look for other options that provide secure bulk email solutions. At LuxSci, we specialize in HIPAA-compliant technologies that protect data and can meet the stringent regulatory requirements.

From our High Volume secure email sending service to our HIPAA-compliant web hosting, we design all of our offerings to make it as easy as possible for our clients to comply with the laws, without compromising on usability or effectiveness.

How to Pick the Right Platform for High Volume Transactional Emails

Tuesday, June 12th, 2018

Many healthcare organizations prefer using email for business communication as it leaves a paper trail and can be a more secure solution than mobile messaging. When large volumes of transactional email need to be sent every month, healthcare organizations face the challenge of ensuring that any financial and personally identifiable data sent by email is secured to avoid data misuse. The good news is that this email security challenge can be overcome by using a high-volume bulk email platform that safeguards the confidentiality of the information.


Here’s what you should look for when selecting an email platform for transmitting large volumes of transactional information regularly:


Transactional/Bulk email with ePHI in It? What to do about HIPAA

Thursday, August 29th, 2013

Case in point: a medical lab that needs or wants to send test results to patients via email. This is:

  • Bulk email … possibly 100s or 1000s of messages/day
  • Transactional … every message is important and unique.
  • ePHI … every message contains private health information governed by HIPAA

Customers that have approached us looking for solutions for scenarios like this and others (e.g. medical news, appointment updates and reminders, etc.) have had problems managing this kind of electronic messaging because:

  1. Their own ISPs put limits on the maximum number of messages they can send in a day.
  2. Most email marketing and bulk mailing solutions have no HIPAA compliance component for bulk email and are thus completely useless for sending ePHI of any kind.
  3. All messages must be encrypted in a HIPAA-compliant way, making in-house solutions difficult, especially when combined with #1.

