No, Mailchimp is not HIPAA compliant. The company will not sign a Business Associate Agreement (BAA).
Mailchimp provides security measures to reduce the risk of unauthorized access, including physical security controls and encryption. Because encryption is built into the service, it satisfies some of HIPAA's technical safeguard requirements. But Mailchimp doesn't guarantee that all HIPAA compliance standards are met.
According to Mailchimp’s terms and conditions, customers are responsible for ensuring they comply with regulations like HIPAA. Mailchimp explicitly states that it isn’t liable if the service violates HIPAA regulations.
Uploading patient information to a Mailchimp email list is a disclosure of Protected Health Information (PHI). That makes Mailchimp a business associate. If a HIPAA-covered entity uses Mailchimp services, a Business Associate Agreement must be in place for Mailchimp to meet HIPAA compliance requirements.
Without a signed BAA, Mailchimp doesn’t comply with HIPAA, so it shouldn’t be used with any form of PHI.
Readers should perform their own research before making the final decision. The information on the JotForm HIPAA Compliance Checker does not constitute official healthcare or legal advice. JotForm is not liable for any damage or liabilities arising out of or connected in any manner with this platform.