Is Constant Contact HIPAA Compliant?

Massachusetts-based Constant Contact has developed an online and email marketing solution that makes it easy to keep in touch with customers and send out newsletters and marketing messages, but can Constant Contact be used by HIPAA-covered entities? Is Constant Contact HIPAA compliant?

Sending Marketing Emails Containing ePHI

The HIPAA Privacy Rule does not prohibit HIPAA-covered entities from sending marketing emails, but before marketing messages can be sent, patients/plan members must give their authorization to receive those communications. Provided authorizations have been received in advance, marketing emails can be sent without violating the HIPAA Privacy Rule.

In order to improve efficiency, an email marketing solution may be considered, but HIPAA-covered entities need to exercise caution. Not all email marketing platforms have the necessary safeguards to meet the requirements of the HIPAA Security Rule, and some that do still cannot be used because the service provider is not prepared to enter into a business associate agreement with healthcare organizations.

Uploading any ePHI to an email marketing platform would be classed as an impermissible disclosure of ePHI if the covered entity has not first obtained satisfactory assurances that the service provider will protect any ePHI it receives and accepts that, as a business associate of a HIPAA-covered entity, it is also required to comply with certain aspects of HIPAA Rules.

Is Constant Contact HIPAA Compliant?

When assessing whether Constant Contact is HIPAA compliant, the business associate agreement is a good place to start. Constant Contact states on its website that it is prepared to enter into a business associate agreement with healthcare organizations, which will allow them to use the service for sending emails to patients and health plan members.

However, there are some caveats. Constant Contact will only sign its own BAA, not one provided by a HIPAA-covered entity. When using the platform, HIPAA-covered entities are responsible for any data that are stored in their Constant Contact account. They must ensure they set strong passwords and configure the platform correctly. That includes setting up multi-user access or single sign-on and assigning user roles correctly to limit what users can do when logged in to the account.

Constant Contact also states that the platform should not be used for “transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR).”

So, while Constant Contact is prepared to sign a BAA and does support HIPAA compliance, there are restrictions on what the platform can be used for.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.