Paubox blog: HIPAA compliant email made easy

Is Campaign Monitor HIPAA compliant? (Update 2024)

Written by Kapua Iao | November 24, 2019

Campaign Monitor is a global technology company that provides an easy-to-use email marketing platform. Many healthcare organizations use email marketing platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Campaign Monitor does not mention a BAA on its website and may not be HIPAA compliant.

 

What is Campaign Monitor?

Campaign Monitor was originally part of the CM group but was purchased by Marigold as a Marigold Engage Express product. It offers cost-effective, automated email marketing for organizations. With Campaign Monitor, users can great customizable emails and personalize their customers’ journeys. Moreover, it can trigger automatic emails to handle appointments and transactions.

Strong healthcare email marketing can influence patients by providing tailored information, fostering trust, and engaging recipients.

LEARN ABOUTThe dos and don’ts of email marketing for patient engagement

 

Is Campaign Monitor considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Campaign Monitor and its ability to be HIPAA compliant. Campaign Monitor (Marigold) is a business associate of a healthcare organization if it accesses any PHI, like a name or email address. 

 

Campaign Monitor and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2019 blog, we stated that we could not find information to indicate that Campaign Monitor would sign a BAA. Then in 2022, it appeared that Campaign Monitor would sign a BAA with its health customers though it also stated that customers could not use its service to send email containing PHI.

As of 2024, there is no mention of a BAA or HIPAA on the Campaign Monitor website. Moreover, Marigold does not specifically mention a BAA. Some of its other products (i.e., companies purchased such as Cheetah Digital and Sailthru) can be accompanied by an agreement.

RELATEDHow to know if you're a business associate

 

Campaign Monitor, HIPAA marketing, and data security

The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns the safe storage and transmission of sensitive information. Moreover, covered entities and business associates must have written consent from patients to share and disclose PHI.

Campaign Monitor emphasizes its commitment to data security and that it currently works with healthcare providers. In fact, its security web page lists strong operational, physical, and application security currently utilized. Its Terms of Use page, however, explicitly states that customers must acknowledge “that the Services are not configured to process, receive, and/or store Sensitive [personally identifiable information (PII)]” including PHI.

 

Is Campaign Monitor HIPAA compliant?

The BAA is a necessary component of HIPAA compliance and Campaign Monitor does not currently mention a BAA on its website. Moreover, the company states in its terms of use that customers must acknowledge not using its services with any PHI.

Conclusion: Campaign Monitor may not be HIPAA compliant.

 

Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.