A customer recently asked us about whether they were able to use Infusionsoft by Keap as a HIPAA compliant email service. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
Today we will determine if Infusionsoft by Keap offers HIPAA compliant email for marketing or not.
Infusionsoft by Keap
Infusionsoft by Keap offers a subscription-based, all-in-one sales and marketing SaaS product for small businesses with fewer than 25 employees. The private company is based in Chandler, Arizona .
What is a business associate?
A business associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a covered entity. In a nutshell, the role of a business associate is to help covered entities comply with the HIPAA Privacy Rule. In the case of Infusionsoft by Keap, it would certainly qualify as a business associate if it provides services to covered entities.
Infusionsoft and the business associate agreement
If a business associate provides services to a covered entity, then a business associate agreement (BAA) must be in place. A BAA is a written contract between a covered entity and a business associate and is required by law for HIPAA compliance. We checked the Infusionsoft by Keap site for mention of its ability to sign a BAA. We found the answer we were looking for on a page called Keap HIPAA Compliance.
HIPAA compliant email marketing and Infusionsoft by Keap
Covered entities are required to take reasonable steps to protect PHI sent from email all the way to the recipient’s inbox. As such, HIPAA compliant email must be encrypted in-motion while being transmitted over the Internet. It should be noted however, the scope of the Keap BAA protects and encrypts data only at-rest in its platform. In other words, any email sent from Infusionsoft's platform is not covered by the Keap BAA.
Does Infusionsoft by Keap offer HIPAA compliant service?
The BAA is a key component to HIPAA compliance between a covered entity and a business associate, and we were able to learn that Keap will sign one. However, the Keap BAA does not include coverage for transmitting PHI via the platform. According to HIPAA, even just a name is PHI if it is in any way associated with a healthcare provider—such as in a marketing email coming from your practice. Any marketing email you send contains both a name and an email address in the header, so really, you can’t send any emails via Infusionsoft in a HIPAA compliant manner. Instead, you must incorporate a HIPAA compliant email API that integrates with Infusionsoft by Keap, such as the Paubox Email API.
Learn more: Sending HIPAA Compliant Email with Infusionsoft
HIPAA email marketing tools comparisonTo meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include PHI in your marketing emails
- Allow patients to read your emails directly from their inbox with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.
|Company||Will they sign a BAA?||Can you send PHI?|
|Blue Orchid Marketing||NO||NO|
|Mad Mimi (GoDaddy)||NO||NO|
|Infusionsoft by Keap||YES||NO|
|Salesforce Marketing Cloud||YES||NO|
|Eloqua (Oracle)||YES||YES **|
(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message— it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)