Campaign Monitor is a global technology company that provides an easy-to-use email marketing platform. Many healthcare organizations use email marketing platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Campaign Monitor does not mention a BAA on its website and may not be HIPAA compliant.
Campaign Monitor was originally part of the CM Group but was purchased by Marigold, which now offers it as a Marigold Engage Express product. It provides cost-effective, automated email marketing for organizations. With Campaign Monitor, users can create customizable emails and personalize their customers’ journeys. Moreover, it can trigger automatic emails to handle appointments and transactions.
Strong healthcare email marketing can influence patients by providing tailored information, fostering trust, and engaging recipients.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
The agreement is required by law for HIPAA compliance and is the primary factor in determining whether Campaign Monitor can be HIPAA compliant. Campaign Monitor (Marigold) is a business associate of a healthcare organization if it accesses any PHI, such as a name or email address.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI to a vendor if they receive assurance, through a signed BAA, that the information is protected. In a 2019 blog, we stated that we could not find information indicating that Campaign Monitor would sign a BAA. Then, in 2022, it appeared that Campaign Monitor would sign a BAA with its healthcare customers, though it also stated that customers could not use its service to send email containing PHI.
As of 2024, there is no mention of a BAA or HIPAA on the Campaign Monitor website. Moreover, Marigold does not specifically mention a BAA. Some of its other products (companies it purchased, such as Cheetah Digital and Sailthru) can be accompanied by an agreement.
The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns the safe storage and transmission of sensitive information. Moreover, covered entities and business associates must have written consent from patients to share and disclose PHI.
Campaign Monitor emphasizes its commitment to data security and states that it currently works with healthcare providers. Its security web page lists the operational, physical, and application security controls it uses. Its Terms of Use page, however, explicitly states that customers must acknowledge “that the Services are not configured to process, receive, and/or store Sensitive [personally identifiable information (PII)],” including PHI.
The BAA is a necessary component of HIPAA compliance, and Campaign Monitor does not currently mention a BAA on its website. Moreover, the company states in its terms of use that customers must acknowledge that they will not use its services with any PHI.
Conclusion: Campaign Monitor may not be HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA: