Constant Contact, Inc. is an online marketing company, headquartered in Waltham, Massachusetts, that provides an email marketing solution which makes it easy for companies to stay in contact with their customers by sending newsletters, updates, and email marketing messages. Many medical offices and healthcare facilities use Constant Contact to keep in touch with their patients.
However, one common question that is often asked is whether Constant Contact is HIPAA compliant, and whether it can be used by HIPAA-covered entities. These questions were recently discussed in the HIPAA Journal, and its findings were as follows:
- The HIPAA Privacy Rule does not prohibit HIPAA-covered entities from using Constant Contact or sending marketing emails. However, patients must give their consent to receive these emails.
- HIPAA-covered entities should be cautious when using an email marketing solution such as Constant Contact. Not all solutions have the necessary safeguards to meet the requirements of the HIPAA Security Rule, and some are not willing to enter into a business associate agreement with healthcare organizations.
- Uploading any ePHI to an email marketing platform is considered an impermissible disclosure unless the covered entity has obtained satisfactory assurances that the service provider will protect any ePHI it receives. In addition, as a business associate, the provider must also comply with certain aspects of the HIPAA Rules.
- According to its website, Constant Contact claims it is willing to enter into a business associate agreement (BAA) with healthcare organizations. However, Constant Contact will only sign its own BAA, not one provided by a HIPAA-covered entity.
- HIPAA-covered entities are
responsible for the information that is stored in their Constant Contact
account. Entities must also ensure strong passwords are set and configure the
- Constant Contact states that the platform should not be used for “transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR).”
Although Constant Contact does support HIPAA compliance, there are limitations to what the platform can be used for.