MailChimp is a software provider that enables users to send out automated email marketing campaigns. However, as a healthcare organization you must consider the HIPAA compliance of software before implementing them within your organization. Is MailChimp HIPAA compliant?

Is MailChimp HIPAA Compliant: Security Features

Is MailChimp HIPAA Compliant

A key component to determine whether or not a software provider is HIPAA compliant is assessing their security features. These features must ensure the confidentiality, integrity, and availability of protected health information (PHI). So does MailChimp offer adequate security features to secure PHI?

MailChimp provides an encrypted connection to prevent unauthorized access to data. They provide access controls requiring users to input unique login credentials to access the platform. MailChimp also enables data backup to prevent loss of user data.

Let’s Simplify Compliance

Do you need HIPAA guidance? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

Is MailChimp HIPAA Compliant: Business Associate Agreements

Although security measures securing PHI are an essential component of HIPAA compliance, the willingness to sign a business associate agreement is equally important. Software providers that are unwilling to sign a business associate agreement (BAA) cannot be used in conjunction with PHI. MailChimp is not willing to sign a BAA.

In MailChimp’s “Standard Terms of Use” they state, “You represent and warrant that your use of the Service will comply with all applicable laws and regulations. You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA… If you’re subject to regulations (like HIPAA) and you use the Service, then we won’t be liable if the Service doesn’t meet those requirements.”

Is MailChimp HIPAA Compliant?

Is MailChimp HIPAA compliant? No, MailChimp is not HIPAA compliant. Even though they have the required security features to safeguard PHI, they are not willing to sign a BAA, and therefore cannot be used by healthcare organizations.