The question “Is Mailchimp HIPAA-compliant?” has echoed across healthcare companies and organizations countless times. Whenever they explore their options for email automation and marketing software, the popular provider’s name tends to be one of the first to pop up.
Offering an integrated email marketing solution that enables businesses to streamline how they connect with their customers, Mailchimp has long been the go-to option for companies looking to improve their engagement efforts.
With healthcare organizations using the platform to distribute emails, send newsletters, share content on their social channels, track their results and more, it’s only natural that these companies are also wondering whether Mailchimp HIPAA-compliant bulk email is possible.
IS MAILCHIMP HIPAA COMPLIANT?
Unfortunately, the answer will disappoint many in the healthcare sector, as well as other businesses and companies that deal with electronic protected health information (ePHI): Mailchimp is not HIPAA-compliant.
Despite this, however, the platform does have some promising security features and policies that make it seem as though Mailchimp could be a HIPAA-compliant marketing email option, including:
- Login pages encrypted with Transport Layer Security (TLS).
- Hashed password storage and brute-force protection, which stops malicious actors from trying every possible password against the login page.
- Regular penetration tests and security audits.
Now, while these security features are certainly encouraging, there is a significant omission that prevents Mailchimp from being a HIPAA-compliant email provider.
MAILCHIMP: NO BUSINESS ASSOCIATE AGREEMENT
According to the HIPAA Privacy Rule, “A business associate is a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) by a covered entity”.
In the context of a HIPAA-compliant email provider, Mailchimp would be the business associate and the healthcare organization would be the covered entity.
Under HIPAA, a business associate agreement (BAA) is a written contract between a covered entity and a business associate, and it is essential for compliance. It details how the two organizations can share data and under what circumstances. A BAA also delineates where the legal responsibilities of each party fall and who will be culpable if there are any problems.
BAAs are a critical part of HIPAA compliance and failure to have one is considered an immediate HIPAA violation. It doesn’t matter if all security best practices are being followed, and the ePHI is shared in a manner that’s compliant in every other way – sharing data without a BAA in place is still a violation.
If a company puts in the extra effort to provide a HIPAA-compliant service, it will generally advertise its compliance to attract more clients from the health sector. In the case of Mailchimp, there is hardly a mention of a BAA on its website.
Additionally, Section 21 of MailChimp’s Terms of Use states, “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA, GLBA … If you’re subject to regulations (like HIPAA) and you use the Service, then we won’t be liable if the Service doesn’t meet those requirements.”
In other words, rather than offering a BAA, Mailchimp is transparent and clear in placing the responsibility for non-compliance squarely on the healthcare organization – even mentioning HIPAA by name.
Besides the absence of a BAA, Mailchimp also makes no provision for encrypting the bulk emails sent out from its platform, which makes it unsuitable for sending HIPAA-compliant emails. On top of this, Mailchimp lacks many other security controls that organizations only need if they must follow HIPAA or other compliance frameworks.
In conclusion, the only answer to “Is Mailchimp HIPAA-compliant?” is a resounding “No”.
MAILCHIMP HIPAA-COMPLIANT ALTERNATIVES
Fortunately, all is not lost for healthcare companies that need a HIPAA-compliant bulk email or high volume email solution, or other HIPAA-compliant marketing tools. While they may have to rule out popular options like Mailchimp, there are several HIPAA-compliant email services that are specifically designed for organizations that have to comply with the regulations.
As the most experienced HIPAA-compliant email provider, LuxSci specializes in providing secure and HIPAA-compliant services for companies aiming to send hundreds of thousands – or even millions – of emails to patients and customers. In light of this, we place security, regulatory and customer considerations front and center when delivering our solutions.
Our approach combines the most experience in HIPAA-compliant communications with a suite of secure solutions, including HIPAA-compliant high volume email and HIPAA-compliant email marketing. Our flexible encryption and multi-channel approach to secure healthcare communications enables healthcare companies to strike the right balance between security and regulatory concerns, and communicating with patients and customers over the channel of their choice for better outcomes.
Interested in discovering how LuxSci’s secure, HIPAA-compliant email, marketing, text and forms solutions can transform your healthcare engagement efforts?
Contact us to learn more today!