Is Constant Contact HIPAA Compliant?

Published: April 11th, 2019

Constant Contact, Inc. is an online marketing company, headquartered in Waltham, Massachusetts, that provides an email marketing solution which makes it easy for companies to stay in contact with their customers by sending newsletters, updates, and email marketing messages. Many medical offices and healthcare facilities use Constant Contact to keep in touch with their patients.

However, one question that is often asked is whether Constant Contact is HIPAA compliant, and whether it can be used by HIPAA-covered entities. These questions were recently discussed in the HIPAA Journal, and its findings were as follows:

The verdict:

  • The HIPAA Privacy Rule does not prohibit HIPAA-covered entities from using Constant Contact or sending marketing emails. However, patients must give their consent to receive these email communications.
  • HIPAA-covered entities should be cautious when using an email marketing solution such as Constant Contact. Not all solutions have the necessary safeguards to meet the requirements of the HIPAA Security Rule, and some are not willing to enter into a business associate agreement with healthcare organizations.
  • Uploading any ePHI to an email marketing platform is considered an impermissible disclosure unless the covered entity has obtained satisfactory assurances that the service provider will protect any ePHI it receives. In addition, as a business associate, the service provider must also comply with certain aspects of the HIPAA Rules.
  • According to its website, Constant Contact is willing to enter into a business associate agreement with healthcare organizations. However, Constant Contact will only sign its own BAA, not one provided by a HIPAA-covered entity.
  • HIPAA-covered entities are responsible for the information that is stored in their Constant Contact account. Entities must also ensure that strong passwords are set and that the platform is configured correctly.
  • Constant Contact states that the platform should not be used for “transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR).”

The bottom line:

Although Constant Contact does support HIPAA compliance, there are limitations to what the platform can be used for.