Is Mailchimp HIPAA Compliant?
Mailchimp is not HIPAA compliant because the email service provider is unable to provide the satisfactory assurances required by HIPAA that it will appropriately safeguard Protected Health Information (PHI). This prevents covered entities and business associates from entering into a Business Associate Agreement with Mailchimp and, consequently, from disclosing PHI via the Mailchimp platform.
Mailchimp is an automated email marketing platform that can be used to send marketing emails, newsletters, and other informational emails to mailing lists. It is an effective mass communication solution for covered entities and business associates with large mailing lists that want to keep their internal mail servers free for operational purposes. However, the platform cannot be used to collect, maintain, or transmit PHI, as Mailchimp states in its Terms of Use:
“You are responsible for determining whether the Service is appropriate for you, in light of your obligations under any regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), […] or other applicable laws. If you are subject to regulations (such as HIPAA) and you use the Service, we will not be responsible if the Service does not comply with such regulations.”
What this means for covered entities and business associates is that it is okay to maintain mailing lists and contact information in a Mailchimp database (because contact information is not considered PHI when it is maintained separately from individually identifiable health information), but it is not okay to use Mailchimp with forms or surveys that might collect PHI or with personalized recommendations based on an individual’s medical, treatment, or payment information.
Including PHI in Marketing Emails and Newsletters
Covered entities and business associates can include PHI in marketing emails and newsletters only with the authorization of the subject of the PHI or their personal representative. For example, if a care home wanted to include an item in its newsletter about a resident celebrating their 100th birthday, the resident or their personal representative must sign a valid authorization.
The authorization not only has to explain that the care home has no control over how the information is further used or disclosed once the newsletter is sent, but also that the information is being shared with a third party service provider (in this case Mailchimp) who is not HIPAA compliant and who is not obligated to maintain the privacy or security of the resident’s PHI.
Covered entities and business associates unsure about what constitutes a valid authorization should review §164.508 of the Privacy Rule or seek professional compliance advice. It is also important to be aware that a valid authorization is required to disclose PHI in a marketing email or newsletter even when the marketing email or newsletter is being sent via a HIPAA compliant email service provider.