A question we hear a lot in the HIPAA industry is whether healthcare organizations can use Mailchimp and be HIPAA compliant. A related question is how Mailchimp Transactional, which offers a transactional email API, stacks up to Paubox Email API.
This post will compare and contrast Mailchimp Transactional and Paubox as it relates to HIPAA compliant email.
Mailchimp Transactional is a service offered by Mailchimp that allows users to send automated, personalized email messages to specific individuals or groups of people in response to specific actions or triggers, such as abandoned cart reminders, purchase receipts, and account updates. These types of emails are often referred to as “transactional emails” because they are triggered by a transaction or action, rather than being part of a bulk marketing campaign.
The service is built on top of the Mailchimp platform and uses the same user interface, but includes additional features and functionality specifically designed for sending transactional emails. Mailchimp Transactional was formerly known as Mandrill.
See related: Is Mailchimp HIPAA compliant?
Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.
Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.
Paubox launched in 2015 and currently has over four thousand customers in all 50 states.
There’s a primary item to consider when it comes to Mailchimp Transactional and its ability to provide HIPAA compliant email.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We’ve written in the past about Mailchimp and its stance on HIPAA compliance. In a nutshell, Mailchimp will not sign a BAA with its customers. We can evidence of that on the Mailchimp Terms of Use page:
Of particular note is:
“If you’re subject to regulations (like HIPAA) and you use the Service, then we won’t be liable if the Service doesn’t meet those requirements.”
It’s a natural conclusion that if Mailchimp does not offer a BAA to its customers, then all services provided by the company will not meet HIPAA compliance requirements.
So when it comes sending HIPAA compliant email via Mailchimp Transactional, it is not recommended from a risk and compliance standpoint.
Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.
Paubox provides a BAA for all paid and freemium customers.
In addition, the following solutions are HITRUST CSF certified:
While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.
Both Mailchimp Transactional and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.
Mailchimp Transactional however, is not tailored for U.S. healthcare. This is apparent from its its compliance statements.
Paubox on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).