Is MailChimp HIPAA Compliant?


MailChimp is an automated email marketing platform that can be used to send marketing emails and newsletters to mailing lists, but can it be used by healthcare organizations to communicate with patients? Is MailChimp HIPAA compliant?

Marketing and the HIPAA Privacy Rule

The HIPAA Privacy Rule defines the allowable uses and disclosures of protected health information (PHI). Uses and disclosures are restricted to those that are necessary for the provision of healthcare, payment for healthcare, and for healthcare operations. Other uses and disclosures are not prohibited, but they require written authorization to be obtained from patients and health plan members in advance.

It is possible to send messages about goods and services that are required for treatment purposes, but before marketing communications can be sent to patients, individual authorizations are required. Marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

If authorizations have been received from patients confirming that they agree to receive marketing communications, an automated marketing solution is a good option for sending those messages.

However, uploading patient information to MailChimp would be classed as a disclosure of PHI. MailChimp would therefore be considered a business associate, and a HIPAA-covered entity would need to enter into a business associate agreement (BAA) with MailChimp to be HIPAA compliant.

By signing a BAA with a HIPAA-covered entity, MailChimp would confirm that it satisfies HIPAA requirements and has agreed to implement safeguards to keep any PHI it receives private and confidential.

Is MailChimp HIPAA Compliant?

MailChimp explains in its terms and conditions that it is the responsibility of customers to ensure they comply with regulations such as HIPAA, and that MailChimp is not liable if its service is used in violation of HIPAA regulations, nor if its service does not meet HIPAA requirements.

Security controls have been implemented to prevent unauthorized access, the application is encrypted, and physical security controls have been put in place, but MailChimp is not prepared to sign a business associate agreement with HIPAA covered entities.

In our opinion, unless a signed BAA is obtained, MailChimp is not HIPAA compliant and should not be used in connection with any PHI.

Author: HIPAA Journal
