Is Marketo HIPAA Compliant?
Marketo is a marketing automation solution for lead management and email marketing that was recently acquired by Adobe. Can Marketo be used by healthcare organizations in connection with ePHI? Is Marketo HIPAA compliant?
Healthcare organizations looking for a marketing automation platform need to ensure the platform provider complies with HIPAA regulations if the platform is to be used in connection with electronic protected health information.
Healthcare organizations can use marketing automation platforms for a range of purposes without having to enter into a business associate agreement (BAA) with the solution provider, but if the solution is to be used with ePHI, a BAA is essential.
HIPAA places restrictions on uses and disclosures of ePHI by HIPAA covered entities. ePHI can be used and disclosed for the purposes of providing treatment, in relation to payment for healthcare, or for healthcare operations (TPO) without having to obtain authorization from patients. Other uses and disclosures, which include marketing, require authorizations from patients.
HIPAA defines marketing as “communication to an individual about a product or service that encourages the individual to purchase or use that product or service.” – See 45 CFR 164.501(1).
Prior to sending any marketing communications, HIPAA-covered entities must obtain authorization from patients/members in writing, either physically or electronically with an e-signature.
Is Marketo HIPAA Compliant?
Marketo states on its website that its platform has Privacy Shield certification and has been SOC2 certified and Marketo has implemented safeguards to ensure customer data are kept private and confidential.
Connections to Marketo are encrypted using high-grade 2048-bit certificates and user sessions are protected by unique session tokens and require re-verification for each transaction. Marketo performs regular scans of its network and systems for vulnerabilities and patches are applied promptly. Marketo also performs pen tests and has its products assessed by independent third parties. Physical, technical and administrative safeguards are implemented to keep software, hardware, and data secured and all clients’ data are stored in separate databases.
Marketo’s use policy states that customers must not provide Marketo access to or upload “any of the following categories of data: social security numbers; passport or visa numbers; driver’s license numbers; taxpayer or employee ID; financial account or payment card information; passwords; medical or health records or information reflecting the payment of such treatment.”
So, is Marketo HIPAA compliant?
The Marketo website and associated forums contain no mention of a BAA. Without a BAA the solution cannot be considered HIPAA compliant and should not be used with ePHI.
That does not mean Marketo cannot be used by healthcare organizations. Many healthcare organizations, including GE Healthcare, Kindred Healthcare, Boston Children’s Hospital and EHR provider Allscripts use the platform. It is the responsibility of users of the platform to ensure that HIPAA Rules are followed.