We've been getting asked by customers and prospects about Klaviyo and whether it can be used in a HIPAA compliant manner. We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector. Today, we will determine whether or not Klaviyo offers a HIPAA compliant email marketing service.
Klaviyo helps ecommerce brands increase sales with email marketing, as well as with Facebook and Instagram marketing campaigns. The company pulls data out of a client's ecommerce platform and combines it with website behavior and information from other marketing tools. Klaviyo uses this information to target, personalize, analyze, and optimize its clients' marketing efforts. The company was founded in 2012 and is headquartered in Boston, MA.
Klaviyo and the business associate agreement
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. According to Klaviyo's Terms of Service, customers can request a BAA, but that's not the end of the story.
Klaviyo and storing PHI
Section 5.8 "HIPAA Compliance" of Klaviyo's Terms of Service reads:
"Customer agrees to not upload or incorporate into any customer lists, or otherwise provide to Klaviyo any protected health information of any kind within the meaning of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA) . . . If Klaviyo agrees to enter into a BAA with Customer, Customer may provide protected health information to Klaviyo, subject to these Terms of Service and the terms of the BAA."
This caveat seems confusing to me; first it says a user cannot "upload or incorporate" any protected health information (PHI), but later it goes on to say that if Klaviyo has signed a BAA with a customer, that customer can "provide" Klaviyo with PHI. So what does "upload or incorporate" mean vs. "provide"? I emailed customer service to find out. A representative from the Klaviyo legal team explained to me:
"Storing PHI in the platform and sending PHI in emails are both intended to be captured by 'not upload or incorporate into any customer lists, or otherwise provide to Klaviyo.'"
So in other words: customers are indeed not allowed to store PHI on the Klaviyo platform. Names and email addresses can be considered PHI when coupled with a health condition—for example, when you identify someone as your medical patient by sending him or her a marketing email. Therefore, for all intents and purposes Klaviyo's BAA doesn't allow healthcare providers to store any patient data at all.
Does Klaviyo offer HIPAA compliant email service?
Although Klaviyo will sign a BAA with covered entities, it does not allow healthcare providers to store, upload, or include PHI in any customer lists on the platform.
Klaviyo is HIPAA Compliant - but with significant strings attached. Since healthcare providers can't store PHI on the platform without violating Klaviyo's BAA, you can't really use it for your medical marketing campaigns.
Paubox Marketing email marketing solution
To meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include PHI in your marketing emails
- Allow patients to read your emails directly from their inbox with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best email marketing solution available for maintaining HIPAA compliance while harnessing the power of personalized email marketing.