Mandrill, the leading automated email marketing platform, is a transactional email service that MailChimp provides. This software allows companies to automatically broadcast emails to customers and people who interact with their web apps, and it links to MailChimp via an API.
Transactional emails are like marketing emails in that they are programmed to be initiated by events, including password resets, order confirmations, welcome greetings, and receipts. They differ from marketing emails, which require an opt-in from patients/plan members as per HIPAA Rules; in most instances, transactional emails do not.
That does not mean that there are no HIPAA obligations for healthcare groups that are considering using Mandrill. Any email service used by a healthcare group that requires electronic protected health information (ePHI) to be uploaded would have to have privacy and security measures built into the platform to stop unauthorized ePHI access, and an audit trail would need to be maintained. Any ePHI saved would need to be safeguarded in transit, and stored data would have to be encrypted.
If the service is to be used to send any ePHI, the service provider would be classified as a business associate and a business associate agreement (BAA) would have to be completed.
Most service providers that support HIPAA compliance and are willing to enter into a business associate agreement with HIPAA-covered bodies make both points clear.
Can Mandrill be Considered HIPAA Compliant?
Mandrill users are subject to the terms and conditions of MailChimp. You can find out more regarding MailChimp and HIPAA compliance here, but to summarize that post, MailChimp says that “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA.” Since, at the time of publishing, MailChimp does not offer a BAA, neither MailChimp nor Mandrill can be considered HIPAA compliant.
MailChimp and Mandrill can be implemented by healthcare groups, but since they are not HIPAA compliant, they cannot be used in connection with any ePHI.