iContact is an email marketing platform used across many industries. However, businesses that handle protected health information (PHI) are subject to HIPAA regulations. iContact may not be HIPAA compliant and recommends that their users "not send email that contains information that is sensitive, confidential, or personal in nature."
What is iContact?
iContact is a cloud-based email marketing and automation platform that facilitates communication between businesses and subscribers. It caters to a wide range of industries and offers tools for email design, list management, automated workflows, and performance tracking.
iContact's privacy and security features
iContact states that they offer these privacy and security features:
- Secure infrastructure with industry-standard firewalls, encryption protocols, and intrusion detection systems to protect against unauthorized access.
- Data encryption using SSL/TLS ensures the secure transmission of information between users and iContact's servers.
- Permission-based access with user authentication mechanisms, such as unique usernames and strong passwords, to control access to user accounts.
- Compliance with privacy regulations like the General Data Protection Regulation (GDPR) and the CAN-SPAM Act.
- Features for managing subscriber consent, including opt-in forms, subscription preferences, and unsubscribe options, ensuring compliance with privacy laws and regulations.
Is iContact a business associate?
Under HIPAA, a business associate is an entity that handles PHI on behalf of a covered entity, such as a healthcare provider or health plan. If iContact is used in a way that involves the platform handling PHI, then it is considered a business associate under HIPAA. Business associates must sign a business associate agreement (BAA) with covered entities to ensure compliance with HIPAA regulations.
Related: How to know if you're a business associate
Business Associate Agreement (BAA) provisions
A business associate agreement (BAA) is a legally binding contract between a covered entity and a business associate that outlines the responsibilities, safeguards, and obligations of both parties regarding the handling of PHI. BAAs typically cover aspects such as:
- Data security
- Breach notification
- Access controls
- Employee training
- Compliance with HIPAA regulations.
Related: Business associate agreement provisions
iContact and the BAA
While iContact offers robust security and privacy features, its official website states that users should "not include patient medical records, test results, or healthcare records (iContact is not HIPAA compliant)." This statement indicates that iContact does not offer a specific BAA for handling PHI under HIPAA regulations.
Without a signed BAA, covered entities may face challenges in demonstrating compliance with HIPAA requirements when using iContact and may risk noncompliance penalties.
Is iContact HIPAA compliant?
Given that iContact states on its website that it is not HIPAA compliant, organizations handling PHI must look for alternative HIPAA compliant email marketing solutions explicitly designed to meet HIPAA requirements.
Conclusion: iContact may not be HIPAA compliant.
A HIPAA compliant alternative to iContact
Paubox is a HIPAA compliant email platform that offers specific features and functionalities tailored to the healthcare industry and is designed to address the unique security and privacy requirements of handling PHI, including the capability to sign a BAA.