Is Constant Contact HIPAA Compliant?
Constant Contact is HIPAA compliant and can be used for sending digital communications containing ePHI provided that the platform is configured to support HIPAA compliance and the organization engaged in digital marketing (i.e., a covered entity) agrees to Constant Contact’s Business Associate Agreement. It is also important to be aware of the restrictions that apply to Constant Contact’s BAA or that an individual has themselves placed on disclosures of ePHI.
Sending Marketing Emails Containing ePHI
The HIPAA Privacy Rule does not prohibit HIPAA-covered entities from sending marketing emails, but before any PHI is disclosed in a marketing email or other digital communication, a valid authorization must be obtained from the subject of the PHI. It is also the case that individuals have the right to opt out of receiving marketing communications or select a channel of communication through which to receive them.
In order to improve efficiency, an email marketing solution may be considered, but HIPAA-covered entities need to exercise caution. Not all email marketing platforms have the necessary safeguards to meet the requirements of the HIPAA Security Rule, and some that do still cannot be used as the service provider is not prepared to enter into a business associate agreement with healthcare organizations.
Uploading any ePHI to an email marketing platform would be classed as an impermissible disclosure of ePHI if the covered entity has not first obtained satisfactory assurances that the service provider will protect any ePHI it receives and accepts that, as a business associate of a HIPAA-covered entity, it is also required to comply with certain aspects of HIPAA Rules.
Is Constant Contact HIPAA Compliant?
When assessing whether Constant Contact is HIPAA compliant, the business associate agreement is a good place to start. Constant Contact states on its website that it is prepared to enter into a business associate agreement with healthcare organizations, which will allow them to use the service for sending emails to patients and health plan members.
However, there are some caveats. Constant Contact will only sign its own BAA, not one provided by a HIPAA-covered entity. When using the platform, HIPAA-covered entities are responsible for any data stored in their Constant Contact account. They must ensure they set strong passwords and configure the platform correctly. That includes setting up multi-user access or single sign-on and assigning user roles correctly to limit what users can do when logged in to the account.
Constant Contact also states that the platform should not be used for “transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR).” So, while Constant Contact is prepared to sign a BAA and does support HIPAA compliance, there are restrictions on what the platform can be used for.