Last week we had an interesting call with a dental practice in Boise, Idaho. The scope of the call was to learn more about a new product we recently launched, Paubox Marketing, our secure email marketing solution.
On the call, the owner mentioned using HubSpot in a roundabout way to send email marketing to his dental clients. Although his HubSpot account rep said it was ok to do, it was definitely not an ideal solution and the dental practice knew it.
By the end of the call, the owner became a Paubox Marketing customer.
This post is about why using solutions like HubSpot, which are not focused on addressing HIPAA compliant marketing, impose business risks to organizations that use them for such ends.
As we've covered before, HubSpot is a developer and marketer of software products for inbound marketing and sales. The company was founded by Brian Halligan and Dharmesh Shah in 2006. Under the HIPAA Privacy Rule regulations, a business associate is a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information for a covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a BAA.
As our research discovered, HubSpot is simply not in the business of providing HIPAA Compliant Marketing services. We can see for ourselves here on its Terms of Service page:
"You may not use the Subscription Service if you are legally prohibited from receiving or using the Subscription Service under the laws of the country in which you are resident or from which you access or use the Subscription Service. The Subscription Service is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA), so you may not use the Subscription Service where your communications would be subject to such laws."
Last week's call with the Idaho dental practice underscores a need in the market for HIPAA compliant email marketing. Large companies like HubSpot are unwilling to take on the risk, burden, and overhead of HIPAA compliance.
In addition, its email marketing solution is not built to send HIPAA compliant email in the first place.
In closing, what's arguably the biggest reason for covered entities to avoid companies like HubSpot? The valid threat of HIPAA fines. If a BAA is not in place with a vendor that stores or handles PHI, that's a recipe for a large HIPAA fine.
According to HIPAA, even just a name is PHI if it is in any way associated with a healthcare provider—such as in a marketing email coming from your practice.
Simply storing names and email addresses in a cloud marketing service like HubSpot can be interpreted as storing PHI in its cloud. And if the vendor will not sign a BAA, that can leave an organization in an untenable position.
To meet the unmet need for HIPAA compliant email marketing, we created Paubox Marketing. It is the only solution that will:
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.
SEE ALSO: Why Paubox Marketing is the Best HIPAA Email Marketing Solution Available
| Company | Will they sign a BAA? | Can you send PHI? |
| --- | --- | --- |
| Adobe Campaign | NO | NO |
| Campaign Monitor | NO | NO |
| Campaigner | NO | NO |
| GetResponse | NO | NO |
| HubSpot | NO | NO |
| Mad Mimi (GoDaddy) | NO | NO |
| Mailchimp | NO | NO |
| MailerLite | NO | NO |
| Marketo (Adobe) | NO | NO |
| Salesforce Pardot | NO | NO |
| Schedulicity | NO | NO |
| SendGrid (Twilio) | NO | NO |
| Yesware | NO | NO |
| ActiveCampaign | YES | NO |
| Constant Contact | YES | NO |
| Infusionsoft by Keap | YES | NO |
| Salesforce Marketing Cloud | YES | NO |
| Eloqua (Oracle) | YES | YES ** |
| Paubox Marketing | YES | YES |

(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message; it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)