Marketo is a software provider that enables email marketing and lead management automation. But is Marketo HIPAA compliant? The answer is discussed below.
Is Marketo HIPAA Compliant: Business Associate Agreement
Under HIPAA a software provider is considered a business associate when a healthcare organization uses its platform in conjunction with protected health information (PHI). This includes the creation, storage, maintenance, receipt, and transmission of PHI. As such, a healthcare organization wishing to use a software platform in conjunction with PHI must ensure the provider’s HIPAA compliance.
A key component of determining a business associate’s HIPAA compliance is their willingness to sign a business associate agreement (BAA).
What is a business associate agreement?
A BAA is a legal document that HIPAA requires healthcare providers to sign with their business associates before PHI can be shared with them. The purpose of a BAA is to ensure that business associates are adequately protecting the PHI shared with them. As such, a BAA dictates the security measures that the business associate is required to have in place. A BAA also requires each of the signing parties to be responsible for maintaining their HIPAA compliance.
Is Marketo willing to sign a business associate agreement?
While this is unclear on their website, they do state, “We ask that you not send us or disclose any sensitive Personal Data (e.g., social security numbers, information related to racial or ethnic origin, sexual orientation, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) on or through the Sites or via other means.”
Although there is no specific reference to PHI or patient data, from this statement we can infer that Marketo will not sign a BAA as they do not wish their clients to filter sensitive data through their platform.
Is Marketo HIPAA Compliant?
So is Marketo HIPAA compliant? No, Marketo email marketing is not HIPAA compliant. Although they have adequate security measures to protect sensitive data, they are not willing to sign a BAA. Therefore if a healthcare organization would like to use an email marketing or lead management automation solution in conjunction with PHI, they must choose a different, HIPAA compliant software provider to do so.
