No, Constant Contact isn’t HIPAA compliant. The company is willing to sign a business associate agreement (BAA), but the email service shouldn’t be used for protected health information (PHI).
Constant Contact offers many security features that align with HIPAA requirements, such as multiuser access, account management, and the ability to limit user access. The service has technical, physical, and administrative safeguards in place to protect email subscriber data. While these security features are sufficient for general email communication, they don’t meet the privacy safeguards necessary for transmitting patient information.
The HIPAA Privacy Rule applies to protected health information (PHI), which includes any information found in a medical record that’s tied to the identity of an individual, including diagnoses, treatments, and billing. HIPAA rules don’t prohibit covered entities from sending marketing emails, as long as they don’t include protected health information. For example, a medical provider can email patients about changes in business hours or new office policies. However, patients must first give their permission to be added to the email marketing list.
Constant Contact is a good solution for general communication. But the company is clear that its email marketing platform doesn’t support the transmission of highly sensitive PHI. The service wasn’t designed to accommodate electronic medical records (EMR) and shouldn’t be used for personal medical information.
Constant Contact is willing to sign its own business associate agreement (BAA) but won’t sign BAAs provided by customers. The signed BAA isn’t sufficient for HIPAA compliance because, as the Constant Contact website states, the service shouldn’t be used for PHI.