
Customers and prospects have been asking us about Constant Contact and whether they can use it in a HIPAA compliant manner. We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector. Today, we will determine whether Constant Contact offers a HIPAA compliant email marketing service.

SEE ALSO: HIPAA Breaches and Cloud Providers


About Constant Contact

Constant Contact is an online marketing company, headquartered in Waltham, Massachusetts. The company was founded in 1995, went public in 2007, and was acquired by Endurance International Group in 2016.


Constant Contact and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. We checked Constant Contact's site and found what we were looking for in its Knowledge Base (KB). A KB article called Business Associate Agreements (BAAs) states:


If you are a covered entity, please contact us at to request a business associate agreement prior to using our product with your email subscribers. Constant Contact will only sign our business associate agreement form (additional charges may apply). We cannot make any changes to our standard form of business associate agreement under any circumstances.


While we can see that Constant Contact will sign its own BAA, there are additional details to take note of.

For example, Constant Contact also states in the aforementioned KB article:

[You] should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.


In other words, while Constant Contact will sign a BAA with a customer, customers are not allowed to actually use the service to transmit PHI (protected health information).


Is Constant Contact HIPAA compliant?


HIPAA does not differentiate between "highly sensitive" PHI and other PHI; PHI is simply any piece of information in someone’s medical record that can identify the person. It ties a medical condition to an individual. Even just a name can be considered PHI if it is in any way associated with a healthcare provider—such as in a marketing email coming from your practice. Any marketing email you send contains both a name and an email address in the header, so really, any email you send via Constant Contact contains PHI.



Constant Contact is HIPAA compliant because it will sign a BAA. However, the BAA does not allow you to transmit PHI.


HIPAA email marketing tools comparison


To meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
  • Sign a BAA
  • Provide military-grade encryption
  • Allow you to include PHI in your marketing emails
  • Allow patients to read your emails directly from their inbox with no extra steps


In addition, Paubox Marketing is HITRUST CSF certified.

Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.


SEE ALSO: Why Paubox Marketing is the Best HIPAA Email Marketing Solution Available


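| Company                    | Will they sign a BAA? | Can you send PHI? |
|----------------------------|-----------------------|-------------------|
| Adobe Campaign             | NO                    | NO                |
| Blue Orchid Marketing      | NO                    | NO                |
| Campaign Monitor           | NO                    | NO                |
| Campaigner                 | NO                    | NO                |
| Drip                       | NO                    | NO                |
| Emma                       | NO                    | NO                |
| GetResponse                | NO                    | NO                |
| Hubspot                    | NO                    | NO                |
| L-Soft                     | NO                    | NO                |
| Mad Mimi (GoDaddy)         | NO                    | NO                |
| Mailchimp                  | NO                    | NO                |
| MailerLite                 | NO                    | NO                |
| Marketo (Adobe)            | NO                    | NO                |
| Salesforce Pardot          | NO                    | NO                |
| SendGrid (Twilio)          | NO                    | NO                |
| Yesware                    | NO                    | NO                |
| ActiveCampaign             | YES                   | NO                |
| Constant Contact           | YES                   | NO                |
| Infusionsoft by Keap       | YES                   | NO                |
| Salesforce Marketing Cloud | YES                   | NO                |
| Eloqua (Oracle)            | YES                   | YES **            |
| Paubox Marketing           | YES                   | YES               |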

(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message; it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)

