Customers and prospects have been asking us about Constant Contact and whether they can use it in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Citrix ShareFile
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Slides
- Google Voice
- Office 365
- Return Path
Today, we will determine whether Constant Contact offers a HIPAA compliant email service.
About Constant Contact
Constant Contact is an online marketing company, headquartered in Waltham, Massachusetts. The company was founded in 1995, went public in 2007, and was acquired by Endurance International Group in 2016.
Constant Contact and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked Constant Contact’s site and found what we were looking for in their Knowledge Base (KB).
In a KB article called Business Associate Agreements (BAAs), they state:
If you are a covered entity, please contact us at firstname.lastname@example.org to request a business associate agreement prior to using our product with your email subscribers.
Constant Contact will only sign our business associate agreement form (additional charges may apply). We cannot make any changes to our standard form of business associate agreement under any circumstances.
While we can see that Constant Contact will sign their own BAA, there are additional details to take note of.
For example, Constant Contact also states in the aforementioned KB article:
[You] Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.
In other words, while Constant Contact will sign a BAA with a customer, customers are not allowed to actually use their service to transmit PHI (protected health information).
Does Constant Contact Offer HIPAA Compliant Email Service?
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate.
Constant Contact clearly states that while they will sign a BAA, customers are not allowed to use their service to actually transmit protected health information (PHI).
Constant Contact is HIPAA compliant, but with strings attached.
You should not use their service to actually transmit PHI.