Is it HIPAA Compliant to Use Marketo?

Marketo is an automated software solution for managing lead management and email marketing that was recently purchased by Adobe. Healthcare groups seeking a marketing automation platform need to be certain that the platform provider adheres with HIPAA compliance regulations if the platform is to be used in connection with electronic protected health data.

Healthcare groups can use marketing automation platforms for a variety of purposes without having to complete a business associate agreement (BAA) with the solution provider, but if the solution is to be implemented with ePHI, a BAA is vital.

HIPAA limits the use and disclosure of ePHI by HIPAA covered bodies. ePHI can be used and disclosed for the purposes of providing treatment, as regards payment for healthcare, or for healthcare operations (TPO) without having to obtain authorization from clients. Other uses and disclosures, which include marketing, require permission from patients.

HIPAA classifies marketing as “communication to an individual about a product or service that encourages the individual to purchase or use that product or service.” – See 45 CFR 164.501(1).

Before broadcasting any marketing communications, HIPAA-covered bodies must obtain authorization from patients/members in writing, either physically or digitally with an e-signature.

Can Marketo be Referred to as HIPAA Compliant?

Marketo says on its website that its platform has Privacy Shield certification and has been SOC2 certified and Marketo has put in place safeguards to ensure customer data are kept private and confidential.

All connections to Marketo are encrypted using high-grade 2048-bit certificates and user sessions are secured by unique session tokens and require re-verification for each transaction. Marketo completes constant scans of its network and systems for flaws and patches are applied promptly. Marketo also carries out pen tests and has its products assessed by external companies. Physical, technical and administrative safeguards are put in place to keep software, hardware, and data secured and all clients’ data are stored in difference databases.

Marketo’s usage policy says that customers must not give Marketo access to or upload “any of the following categories of data: social security numbers; passport or visa numbers; driver’s license numbers; taxpayer or employee ID; financial account or payment card information; passwords; medical or health records or information reflecting the payment of such treatment.”

As the Marketo website and associated forums included no mention of a BAA the software solution cannot be considered HIPAA compliant and should not be used with ePHI.

That does not mean Marketo may not be implemented by healthcare bodies. Many healthcare groups, including GE Healthcare, Kindred Healthcare, Boston Children’s Hospital and EHR provider Allscripts avail of the platform. It is the charge of users of the platform to make sure that HIPAA Rules are being adhered to.

Author: Security News