" marketo Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘marketo’

Is Constant Contact HIPAA-compliant?

Monday, January 6th, 2020

In a perfect world, Constant Contact HIPAA-compliant marketing software would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.

Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials.
  • Email marketing automation.
  • Marketing tools for ecommerce.
  • Contact management.
  • Analytic tools for tracking results.

It has a lot to offer, but is it a good choice for organizations in the health niche or those that process electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign its own BAA and won’t make changes to it “under any circumstances”. This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check whether the BAA is right for your company, you will need to email the legal department listed on that page for a copy.

If you think you may have found the HIPAA-compliant bulk email service you were looking for, reading on may crush your dreams, because it states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI”. The law doesn’t generally differentiate between HIV results and eczema diagnoses, treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

It then goes on to say to avoid using the service if you “have such information to send”. While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not include any facility to ensure that your bulk email messages are actually encrypted when sent. HIPAA requires, among many other things, that all ePHI be encrypted during transmission, which is probably why Constant Contact recommends that you NOT use its bulk emailing service for the actual sending of sensitive email.

Constant Contact HIPAA-Compliant Alternatives

If you are still looking for a HIPAA-compliant bulk email or marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in mind from the ground up.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without falling foul of HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.

Is Marketo HIPAA-Compliant?

Wednesday, October 23rd, 2019

If you’re in the healthcare sector and considering marketing-automation software, you may be wondering, “Is Marketo HIPAA-compliant?”

Marketo features a holistic range of marketing tools that aim to bring results for its users. Its offerings include:

  • Email marketing
  • Lead management
  • Mobile marketing
  • Customer base marketing
  • Consumer marketing
  • Account-based marketing
  • Revenue attribution

Together, these tools can help to streamline and maximize a business’s marketing processes, bringing in more clients and boosting sales. While Marketo offers a great range of tools, it isn’t suitable in every scenario.

Is Marketo HIPAA-Compliant?

The short answer is no. While there are many aspects that seem like they would make Marketo HIPAA-compliant, such as 2048-bit certificates and third-party security assessments, one critical component is missing – Marketo makes no mention of business associate agreements (BAAs).

BAAs are at the core of HIPAA compliance. If ePHI is shared between companies without one of these agreements in place, it’s an immediate HIPAA violation, regardless of whether every other aspect of the relationship falls completely within the guidelines.

BAAs are essential because they legally lay out how data will be shared and processed between the two entities, as well as where the responsibility falls.

No matter where we looked on the Marketo website, we couldn’t find any mention of BAAs. We checked through the privacy policy, legal section and even conducted a site-search, but nothing showed up.

Without any indications of the company’s willingness to sign a business associate agreement, we can only assume that the answer to our question of “Is Marketo HIPAA-compliant?” is a strong no.

The company makes things confusing because its Healthcare Marketing Solutions page features references to medical organizations like Boston Children’s Hospital and GE Healthcare.

Despite this seeming conflict, it’s most likely that Marketo does not offer HIPAA-compliant services. If the company had gone to the effort of making its platform HIPAA-compliant, it would make sense for it to market these efforts, or at least mention BAAs somewhere on its website.

The safest assumption is that Marketo probably provides solutions that don’t involve ePHI to the healthcare companies mentioned above. This could include services that don’t need to be HIPAA compliant, marketing email for other purposes, and related offerings.

Marketo HIPAA-Compliant Alternatives

If you were looking for a HIPAA-compliant bulk email solution, or some other software that makes marketing easier, we’re sorry to be the bringers of bad news. At least you can take solace in the knowledge that you won’t get caught in a HIPAA violation for using non-compliant software.

So what are your alternatives? Is Mailchimp HIPAA-compliant?

Unfortunately, Mailchimp’s popular platform will also get you in trouble with regulators if it touches your ePHI.

If you’re out of ideas for automating and streamlining your marketing processes, you don’t need to give up hope just yet. At LuxSci, we offer both HIPAA-compliant bulk email and HIPAA-compliant marketing email services.

HIPAA compliance and security are our main focuses at LuxSci, so all of our services are designed with the regulations in mind at every step of the way. By partnering with LuxSci and using our marketing services carefully, your organization can significantly reduce its risks of HIPAA violations.
