
Is MailChimp HIPAA Compliant?

MailChimp is an automated email marketing platform that can be used to send marketing emails and newsletters to mailing lists, but can it be used by healthcare organizations to communicate with patients? Is MailChimp HIPAA compliant?

Marketing and the HIPAA Privacy Rule

The HIPAA Privacy Rule defines the permitted uses and disclosures of protected health information (PHI). Without the patient's authorization, uses and disclosures are restricted to those necessary for treatment, payment for healthcare, and healthcare operations. Other uses and disclosures are not prohibited outright, but they require written authorization to be obtained in advance from the patient or health plan member.

It is possible to send messages about goods and services that are required for treatment purposes, but before marketing communications can be sent to patients, individual authorizations are required. Marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

If authorizations have been received from patients confirming that they agree to receive marketing communications, an automated marketing solution is a good option for sending those messages.


However, uploading patient information (names, email addresses, or any other identifiers tied to a patient relationship) to MailChimp would be classed as a disclosure of PHI. MailChimp would therefore be considered a business associate, and a HIPAA-covered entity would need to enter into a business associate agreement (BAA) with MailChimp before any PHI could be uploaded.

By signing a BAA with a HIPAA-covered entity, MailChimp would contractually agree to implement the safeguards required of a business associate and to keep any PHI it receives private and confidential.

Is MailChimp HIPAA Compliant?

MailChimp explains in its terms and conditions that it is the responsibility of customers to ensure they comply with regulations such as HIPAA and that MailChimp is not liable if its service is used in violation of HIPAA regulations nor if its service does not meet HIPAA requirements.

MailChimp states that it has implemented security controls to prevent unauthorized access, that it uses encryption, and that physical security controls are in place, but it is not prepared to sign a business associate agreement with HIPAA-covered entities.

In our opinion, unless a signed BAA is obtained, MailChimp is not HIPAA compliant and should not be used in connection with any PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.