HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Return Path HIPAA Compliant?

Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns, but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?

Sending Marketing Emails to Patients and Health Plan Members

Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI), it must first:

  • Obtain consent from patients/plan members to receive marketing communications
  • Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
  • Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
  • Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider

Marketing messages are not included in the HIPAA Privacy Rule’s definition of treatment, payment, and healthcare operations (TPO). Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.

A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.

Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.

Is Return Path HIPAA Compliant?

Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability of data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.

Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.

So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA-compliant email service and therefore cannot be used in connection with any ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.