Drip is a CRM that allows clients to build custom automated marketing campaigns through email and SMS. But is Drip HIPAA compliant? The answer is discussed below.

Why Does it Matter if Drip is HIPAA Compliant?

Is Drip HIPAA Compliant

Under HIPAA, a software provider is considered a business associate when they create, maintain, store, receive, or transmit protected health information (PHI) on behalf of their healthcare clients.

As such, if you use a software platform to filter PHI through, you must ensure that the platform is HIPAA compliant. Although it may be surprising, a patient’s email address is considered PHI. So, to send an email to a patient, the email platform must be HIPAA compliant.

To determine a software provider’s HIPAA compliance, it is important to determine their security measures, as well as their willingness to sign a business associate agreement.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With 2024

Drip Security Measures

Business associates are required to have safeguards to ensure the confidentiality, integrity, and availability of PHI. These security measures should include encryption, access controls, and audit controls (at a minimum). 

In regards to HIPAA safeguards Drip states on their website, “Drip is not HIPAA compliant and we do not provide the encryption and security level as required to become HIPAA compliant.”

Drip and Business Associate Agreements

In addition to assessing a business associate’s security measures, before sharing PHI with a business associate, healthcare organizations must have a signed business associate agreement (BAA). A BAA dictates the security measures required to protect PHI, and also requires each signing party to be responsible for maintaining their HIPAA compliance.

There is no mention on Drip’s website on whether or not they will sign a BAA, however, since they state that they are not HIPAA compliant, it’s fair to say that they will not.

Is Drip HIPAA Compliant?

No, Drip CRM is not HIPAA compliant. Therefore, it cannot be used in conjunction with PHI.

Complete Compliance Solution

Make sure your business and the tools you use to run it are compliant.

Global CTAs Image