Constant Contact offers several security features that appear to align with HIPAA requirements, such as multi-user access, account management, and the ability to limit what each user can access. The service also has technical, physical, and administrative safeguards in place to protect email subscriber data. While these features are adequate for general email communication, they may not provide the privacy safeguards required for transmitting patient information. Security features alone do not make a vendor HIPAA compliant: a covered entity that allows a vendor to create, receive, maintain, or transmit PHI on its behalf must also have a business associate agreement (BAA) with that vendor.
The HIPAA Privacy Rule applies to protected health information (PHI): individually identifiable health information, including anything in a medical record that can be tied to a specific person, such as diagnoses, treatments, and billing details. HIPAA does not prohibit covered entities from sending marketing emails, provided the messages contain no PHI. For example, a medical provider can email patients about changes in business hours or new office policies. However, patients must first give their permission to be added to the email marketing list.
Constant Contact is a good solution for general communication, but its email marketing platform does not appear to support the transmission of highly sensitive protected health information (PHI).