
Is Mandrill HIPAA Compliant?

Mandrill is not HIPAA compliant and cannot be used by HIPAA covered entities or business associates to send transactional emails that contain Protected Health Information (PHI) as the service does not support user compliance with HIPAA. In addition, Mandrill’s parent company – Mailchimp – will not enter into Business Associate Agreements with customers.

Mandrill is a transactional email service that can be used as part of the Mailchimp platform to send “transactional” emails – emails that are triggered by events such as an account creation (welcome email), the placement of an order (order confirmation), support enquiries (acknowledgement of enquiry), and password reset requests.

Transactional emails do not usually use or disclose PHI, because names and email addresses are not considered PHI under HIPAA when they are maintained in a separate database from individually identifiable health information. If this were the case with Mandrill, the answer to the question “Is Mandrill HIPAA compliant?” would be that it does not have to be, because the service is not using or disclosing PHI.

However, because Mandrill is a service offered by the Mailchimp platform – which could be used by covered entities and business associates to send personalized marketing emails – the names and email addresses used by the Mandrill service are maintained on the Mailchimp platform. If the contact details are maintained with individually identifiable health information, this would mean the contact details assume the same PHI protections as the health information.


Mailchimp Would Have to Be HIPAA Compliant to Make Mandrill HIPAA Compliant

Because Mandrill can only be used by Mailchimp subscribers, and because the names and email addresses of contacts are maintained on the Mailchimp platform rather than by the Mandrill service, Mailchimp would have to be HIPAA compliant to make Mandrill HIPAA compliant. However, in Mailchimp’s Terms of Use, Clause 21 states:

“You are responsible for determining whether the Service is appropriate for you, in light of your obligations under any regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), […] or other applicable laws. If you are subject to regulations (such as HIPAA) and you use the Service, we will not be responsible if the Service does not comply with such regulations.”

This clause means that, although Mailchimp has robust security controls and procedures for notifying customers of data breaches, Mailchimp does not provide the assurances required by §164.308 of the Security Rule and §164.504 of the Privacy Rule that it will appropriately safeguard PHI. In addition, Mailchimp will not enter into a Business Associate Agreement with HIPAA covered entities or business associates – meaning that it is a violation of HIPAA to disclose PHI to Mailchimp or Mandrill.

Healthcare Organizations Can Still Use Mandrill – But Not With PHI

Healthcare organizations that want to take advantage of the email services provided by Mailchimp and Mandrill can still do so, provided no individually identifiable health information is maintained in the Mailchimp contact database (any names and contact details maintained in the same database as such information would assume the same PHI protections). Organizations that are unsure about this distinction should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
