A customer recently asked us about whether they were able to use HubSpot in a HIPAA compliant manner. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
Today we will determine if HubSpot offers HIPAA compliant email for marketing or not.
HubSpot is a developer and marketer of software products for inbound marketing and sales. It was founded by Brian Halligan and Dharmesh Shah in 2006. Its products and services provide tools for social media marketing, content management, web analytics and search engine optimization.
What is a business associate?
A business associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a covered entity. In a nutshell, the role of a business associate is to help covered entities comply with the HIPAA Privacy Rule. In the case of HubSpot, it would certainly qualify as a business associate if it provides services to covered entities.
Business associate agreement provisions
If a business associate provides services to a covered entity, then a business associate agreement (BAA) must be in place. A BAA is a written contract between a covered entity and a business associate and is required by law for HIPAA compliance. At a minimum, a BAA contains 10 provisions.
Read full article: Business Associate Agreement Provisions
HubSpot and the business associate agreement
We checked the HubSpot site for mention of a BAA. We found the answer we were looking for on HubSpot's Terms of Service page.
You may not use the Subscription Service if you are legally prohibited from receiving or using the Subscriptions Service under the laws of the country in which you are resident or from which you access the Subscription Service. The Subscription Service is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA), so you may not use the Subscription Service where your communications would be subject to such laws.
In addition, we found several references to HubSpot's inability to service the HIPAA market in the HubSpot Community pages:
Does HubSpot offer HIPAA compliant service?
The BAA is a key component to HIPAA compliance between a covered entity and a business associate. On its Terms of Service page, we clearly see that HubSpot is not in the business of providing HIPAA compliant service.
HIPAA email marketing tools comparisonTo meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include PHI in your marketing emails
- Allow patients to read your emails directly from their inbox with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.
|Company||Will they sign a BAA?||Can you send PHI?|
|Blue Orchid Marketing||NO||NO|
|Mad Mimi (GoDaddy)||NO||NO|
|Infusionsoft by Keap||YES||NO|
|Salesforce Marketing Cloud||YES||NO|
|Eloqua (Oracle)||YES||YES **|
(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message— it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)