Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns, but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?
Sending Marketing Emails to Patients and Health Plan Members
Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI) they must first:
- Obtain consent from patients/plan members to receive marketing communications
- Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
- Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
- Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider
Marketing messages are not included in the HIPAA Privacy Rule's definition of treatment, payment, and healthcare operations (TPO). Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.
A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.
Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.
Is Return Path HIPAA Compliant?
Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability of data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.
Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.
So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA-compliant email service and therefore cannot be used in connection with any ePHI.