
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Marketo HIPAA Compliant?

Marketo is HIPAA compliant and can be used to collect, store, analyze, and share Protected Health Information (PHI) between members of the same organization’s workforce or systems, provided the email marketing and lead management platform is used in Adobe’s Experience Cloud for Healthcare and its use is supported by a Business Associate Agreement.

Marketo is a popular marketing automation platform that was acquired in 2018 by Adobe. At the time of the acquisition, Marketo was not HIPAA compliant because the previous vendor would not enter into a Business Associate Agreement with covered entities and business associates. However, Adobe has recently added the platform to its Experience Cloud for Healthcare and is marketing the platform as a HIPAA-Ready Service under its rebranded name “Marketo Engage”.

What is a HIPAA-Ready Service?

A HIPAA-Ready Service is any service in Adobe’s Experience Cloud for Healthcare that has additional features and functionalities to support HIPAA compliance. For example, under a standard Marketo Engage plan, organizations would have to purchase database encryption as an add-on, whereas organizations that subscribe to Adobe’s Experience Cloud for Healthcare have this feature included in the service, making Marketo Engage HIPAA compliant for this particular Security Rule requirement.

Although it is possible for organizations to subscribe to a standard Marketo plan without the additional features and functionalities, it would mean the platform could not be used to collect PHI from marketing targets – limiting the platform’s effectiveness. Even subscribing to a standard Marketo plan and purchasing the required add-ons would not make Marketo HIPAA compliant because Adobe will not enter into a Business Associate Agreement with subscribers to the standard plan.

The Marketo Engage HIPAA Compliant BAA

The Marketo Engage HIPAA compliant Business Associate Agreement (BAA) is only available to Experience Cloud for Healthcare customers. The BAA is typical of many cloud service providers’ Business Associate Agreements inasmuch as it is a one-size-fits-all Agreement offering standard terms and standard shared responsibilities (i.e., the cloud service provider is responsible for the security of the cloud, whereas the customer is responsible for security in the cloud).

It is useful to know that the Marketo Engage HIPAA compliant BAA covers other HIPAA-Ready Services in the Experience Cloud for Healthcare (for example, Adobe Experience Manager, Customer Journey Analytics, and the Customer Data Platform), so it is not necessary to enter into separate BAAs for each service. In addition, Adobe provides configuration recommendations to help organizations meet their own HIPAA compliance obligations when using a HIPAA-Ready Service.

Organizations’ HIPAA Compliance Obligations

Organizations’ HIPAA compliance obligations are to configure the Marketo platform – and any other HIPAA-Ready Services – to comply with the Physical and Technical Safeguards of the Security Rule (i.e., data backups, access controls, auto logoff, etc.) and to provide appropriate HIPAA training on how to use the platform in compliance with HIPAA. In some cases, “appropriate” HIPAA training may not only consist of cybersecurity best practices, but also compliance with the Privacy Rule.

Compliance with the Privacy Rule is a factor because, although a HIPAA compliant marketing solution allows organizations to collect, store, analyze, and share PHI, it is mostly impermissible to send PHI in a marketing email without a valid authorization signed by the subject of the PHI. Organizations unsure about the Privacy Rule’s restrictions on using PHI in marketing should refer to 45 CFR §164.508(a)(3) or seek further advice from a HIPAA compliance professional.

Conclusion: Is Marketo HIPAA Compliant?

Strictly speaking, the answer to the question “is Marketo HIPAA compliant?” is that it can be. By default, the email marketing and lead management platform is not HIPAA compliant, but it is possible to make Marketo HIPAA compliant by subscribing to Adobe’s Experience Cloud for Healthcare, entering into a BAA with Adobe for HIPAA-Ready Services, and configuring the platform to comply with the Physical and Technical Safeguards of the Security Rule.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
