We've been getting asked by customers and prospects about Constant Contact and their ability to use it in a HIPAA compliant manner. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector. Today, we will determine if Constant Contact offers HIPAA compliant email marketing service or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Constant Contact
Constant Contact is an online marketing company, headquartered in Waltham, Massachusetts. The company was founded in 1995, went public in 2007, and was acquired by Endurance International Group in 2016.
Constant Contact and the business associate agreement
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. We checked Constant Contact's site and found what we were looking for in its Knowledge Base (KB). A KB article called Business Associate Agreements (BAAs) states:
If you are a covered entity, please contact us at legal@constantcontact.com to request a business associate agreement prior to using our product with your email subscribers. Constant Contact will only sign our business associate agreement form (additional charges may apply). We cannot make any changes to our standard form of business associate agreement under any circumstances.
While we can see that Constant Contact will sign its own BAA, there are additional details to take note of.
For example, Constant Contact also states in the aforementioned KB article:
[You] should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.
In other words, while Constant Contact will sign a BAA with a customer, customers are not allowed to actually use the service to transmit PHI (protected health information).
Is Constant Contact HIPAA compliant?
HIPAA does not differentiate between "highly sensitive" PHI and other PHI; PHI is simply any piece of information in someone’s medical record that can identify the person. It ties a medical condition to an individual. Even just a name can be considered PHI if it is in any way associated with a healthcare provider—such as in a marketing email coming from your practice. Any marketing email you send contains both a name and an email address in the header, so really, any email you send via Constant Contact contains PHI.
Conclusion
Constant Contact is HIPAA compliant because it will sign a BAA. However, the BAA does not allow you to transmit PHI.
HIPAA email marketing tools comparison
To meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include PHI in your marketing emails
- Allow patients to read your emails directly from their inbox with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified.
Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.
SEE ALSO: Why Paubox Marketing is the Best HIPAA Email Marketing Solution Available
| Company | Will they sign a BAA? | Can you send PHI? |
| Adobe Campaign | NO | NO |
| Blue Orchid Marketing | NO | NO |
| Campaign Monitor | NO | NO |
| Campaigner | NO | NO |
| Drip | NO | NO |
| Emma | NO | NO |
| GetResponse | NO | NO |
| Hubspot | NO | NO |
| L-Soft | NO | NO |
| Mad Mimi (GoDaddy) | NO | NO |
| Mailchimp | NO | NO |
| MailerLite | NO | NO |
| Marketo (Adobe) | NO | NO |
| Salesforce Pardot | NO | NO |
| SendGrid (Twilio) | NO | NO |
| Yesware | NO | NO |
| ActiveCampaign | YES | NO |
| Constant Contact | YES | NO |
| Infusionsoft by Keap | YES | NO |
| Salesforce Marketing Cloud | YES | NO |
| Eloqua (Oracle) | YES | YES ** |
| Paubox Marketing | YES | YES |
(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message— it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)
Make your email marketing HIPAA compliant today.