๐ Key Takeaways
- HIPAA marketing needs a signed BAA, encryption in transit and at rest, and PHI-free bodies.
- Mailchimp, Constant Contact, and standard HubSpot exclude healthcare and refuse to sign a BAA.
- The real risk is content: any subject line or merge field that names a condition creates PHI.
- Keep marketing lists and clinical lists separate at the database level with role-based access.
- Run broadcasts on a BAA marketing tool; run individual PHI email on a HIPAA email service.
HIPAA compliant email marketing means running patient outreach through a platform that signs a business associate agreement, encrypts data in transit and at rest, and applies content controls that keep protected health information out of the message body.
Most mainstream marketing platforms do not sign a BAA. This guide covers the platforms that do, the content boundaries that keep PHI out of broadcast mail, and how a HIPAA secure email service covers the individual patient communication side.
The compliance picture has three parts: platform, content, and consent. All three matter. A compliant platform running unrestricted content is still a violation.
Three Requirements Define HIPAA Marketing Compliance
Compliant email marketing has three requirements. A signed business associate agreement with the platform vendor. Encryption of message content and list data in transit and at rest. Content controls that exclude PHI from broadcast material.
The BAA covers the platform’s legal obligation to protect any PHI it processes on behalf of the covered entity. Without a BAA, the platform is not authorized to handle PHI at all.
Encryption covers the technical safeguard. The list of subscribers, the message templates, and the outbound content should all be encrypted at rest and in transit. TLS is the baseline for delivery. At-rest encryption on the platform storage matters for the list itself.
Content controls cover the human decision on what to include. Even a compliant platform cannot make PHI-in-broadcast safe. Practices set editorial rules and train marketing staff on the distinction between general health content and PHI.
Mainstream Marketing Platforms Do Not Sign a BAA
Mailchimp, Constant Contact, ActiveCampaign, and standard HubSpot Marketing Hub do not sign a business associate agreement in their base plans. The acceptable use policy on each explicitly excludes handling of protected health information.
Mailchimp’s terms of service state that customers cannot use the service to transmit PHI. Constant Contact’s terms carry the same restriction. ActiveCampaign requires a specific plan tier for the BAA. Standard HubSpot excludes healthcare use.
Practices using any of these platforms for healthcare marketing must keep PHI out of the message body, the subject line, and every personalization field. Content that references a specific condition, treatment, or clinical field creates a violation regardless of the technical protection applied.
The workaround is generic content only. Newsletters about health topics that apply to a wider audience are not PHI. Personal condition messaging belongs in a different channel with a BAA in place.

Platforms That Do Sign a HIPAA BAA
Several platforms offer a HIPAA-signed configuration through an enterprise tier or a healthcare-specific product line. The table below summarizes the current options.
| Platform | BAA Available | Tier Required | Fits Best For |
|---|---|---|---|
| HubSpot | Yes with healthcare add-on | Enterprise | Larger practices with existing HubSpot |
| ActiveCampaign | Yes on Enterprise | Enterprise | Automation-heavy workflows |
| Salesforce Marketing Cloud | Yes with Health Cloud | Enterprise | Large health systems |
| Healthcare-focused platforms | Yes, standard plans | All tiers | Small to mid practices |
| Mailchimp, Constant Contact, standard HubSpot | No | N/A | Generic content only, no PHI |
The right platform depends on practice size, existing tooling, and the level of clinical content in outreach. Large systems tend to use HubSpot or Salesforce with the healthcare tier. Smaller practices use healthcare-focused tools that bundle the BAA into the standard plan.
Content Controls Keep PHI Out of Marketing Mail
Content controls are editorial rules for what marketing mail can and cannot reference. The rules cover the subject line, the body copy, the personalization fields, and any linked landing pages.
Recommended patterns include:
- Subject lines identify the practice, not the patient condition. A subject like “Your Practice Newsletter” is safe. “Your recent diabetes screening” is not.
- Body copy addresses a wider audience with general health content. Condition-specific detail belongs behind a portal link, not in the message body.
- Personalization fields use first name only. Clinical fields like diagnosis, medication, or provider name should not appear in merge tags.
- Linked landing pages that carry clinical detail require patient authentication. Public marketing pages carry no PHI.
- Images that show clinical procedures use stock or generic photography, not identifiable patient images.
Marketing staff review each broadcast against these patterns before sending. Practices with a formal review process document the review on a checklist attached to the send record.
A three-location pediatric practice runs monthly newsletters through Mailchimp with 4,200 subscribers. The marketing coordinator drafts an autumn asthma awareness email that references "your child's recent inhaler prescription." Because that merge field pulls from the EHR and Mailchimp has no BAA, the send would violate HIPAA. The practice rewrites the copy as general seasonal asthma education with no clinical merge fields, keeps Mailchimp for the newsletter, and routes any prescription-specific outreach through a HIPAA email service tied to the EHR export.
List Hygiene Under HIPAA Is Stricter Than Standard Marketing
List hygiene under HIPAA has stricter rules than standard marketing. The list source matters. The consent capture matters. The access controls matter.
Patients who opted in on an intake form with clear language on marketing use are one category. Patients whose email came in through a clinical touchpoint without a marketing opt-in are another. Mixing the two creates a compliance problem.
Practices maintain separate marketing and clinical email lists. The marketing list has documented consent capture. The clinical list has documented clinical necessity. The two lists live in different systems and have different access controls.
Unsubscribe requests apply to the marketing list only. A patient who unsubscribes from marketing still receives clinical communication such as appointment reminders and lab results. The two channels operate independently.
Consent Capture on the Intake Form
Consent capture on the intake form is the standard method for building a HIPAA-appropriate marketing list. The form includes a specific checkbox for marketing communication with clear language.
Suggested consent language:
I agree to receive marketing communication from [Practice Name] about health topics, practice news, and general wellness content. I understand this is separate from clinical communication about my care, and I can unsubscribe from marketing at any time without affecting my clinical services.
The checkbox is unchecked by default. Patients opt in actively. The consent record ties to the patient record with a timestamp and the form version.
Practices without a compliant intake form should not use the clinical email list for marketing. See the guide on website content strategy for healthcare for the intake and consent side of the digital footprint.

HubSpot Healthcare Add-On Enables Compliant Marketing
HubSpot offers a healthcare add-on through the enterprise tier. The add-on includes the BAA and applies additional data handling controls to the account. Standard HubSpot subscribers do not have this configuration.
The add-on enables sensitive data fields, restricts export of contact data, and applies stricter access logging. The marketing dashboard, the workflows, and the reporting all operate under the enhanced controls.
Practices with an existing HubSpot subscription can request an upgrade to the healthcare configuration. The upgrade is not automatic. It requires a contract addendum and a configuration review by the HubSpot compliance team.
Practices without an existing HubSpot investment may find a healthcare-specific platform simpler. Healthcare-focused tools bundle the BAA into every plan and design the workflows around clinical use cases from the ground up.
Separating Marketing From Individual Patient Communication
The cleanest compliance posture separates marketing from individual patient communication. Two systems, two lists, two sets of controls.
The marketing system handles broadcast newsletters, general health content, and practice announcements. The recipient list is opted-in through the intake form or a subscribe page. Content stays clear of PHI. Delivery uses standard TLS through a BAA-signed platform.
The individual communication system handles one-to-one patient email that references specific care. Appointment confirmations, lab results, treatment plans, and follow-up questions all live here. Delivery uses message-level encryption through a HIPAA email service.
Mailhippo covers the individual communication side. It works with existing Gmail and Outlook accounts, includes the BAA, and delivers encrypted mail to patients through a one-click portal. The marketing side runs through a separate compliant platform.
Mixing lists is how PHI slips into unencrypted broadcast mail. Store marketing consent in its own table with a timestamp, form version, and unsubscribe status. Query only that table when building broadcast segments. Clinical email addresses stay in the EHR and route through the HIPAA email service. Two databases, two access groups, zero accidental crossovers between the systems.
Automation Requires Extra Care Under HIPAA
Marketing automation adds triggered sends based on patient behavior. Under HIPAA, automation requires extra care because the trigger itself can reference PHI.
An automation that sends a follow-up after a specific diagnosis code is a PHI-driven trigger. An automation that sends a welcome sequence after list opt-in is not. The distinction matters for platform selection and content review.
PHI-driven automations belong in a compliant platform with the BAA in place. Non-PHI automations can run on any marketing platform with content controls to keep PHI out of the body.
Practices reviewing existing automation workflows should map each trigger to the source data and confirm whether the source is PHI. Any PHI-based trigger requires the compliant platform.
Audit Trail and Access Logging on the Marketing List
Access logging on the marketing list is a common gap. Practices often treat the marketing list as a normal contact database without audit controls. Under HIPAA, list access is part of the required access logging.
The log records who accessed the list, when, and what actions they took. Export events, edit events, and send events all belong in the log. Retention of the log follows the practice’s HIPAA retention policy.
Access to the marketing list is limited to marketing staff. Clinical staff do not need access. Cross-department access should require a documented reason and a supervisor approval.
Compliant marketing platforms include access logging as a standard feature. Non-compliant platforms may not. Practices using a non-compliant platform must layer the access log through a separate process, which is difficult in practice.
Building a Compliant Marketing Program From Scratch
A practice building a compliant marketing program from scratch follows a specific sequence. Pick the platform first. Configure the BAA. Set up the list with consent capture. Draft the editorial rules. Train the marketing staff.
The HHS Privacy Rule guidance covers the marketing use of PHI at a policy level. The Security Rule covers the technical safeguards. Together they set the framework for compliant program design.
Related reading covers the platform-specific compliance picture: hipaa compliant email marketing for dentists, hipaa compliant email service, hipaa compliant email, cisco hipaa compliant email, best hipaa compliant email, and free hipaa compliant email.
Practices building the wider healthcare marketing footprint coordinate the compliant marketing platform with a compliant site, portal, and individual communication channel. A healthcare marketing agency can pair the marketing strategy with the compliance stack from the start.
Frequently Asked Questions
Three things: a signed business associate agreement with the marketing platform, encryption of message content in transit and at rest, and content controls that keep protected health information out of the message body. The BAA covers the platform’s legal obligation to protect PHI. Encryption covers the technical safeguard. Content controls cover the human decision on what to include. Missing any one of the three creates a compliance gap. Practices also need list hygiene rules that separate marketing consent from clinical consent and log access to the marketing list.
Mailchimp does not sign a business associate agreement and its acceptable use policy explicitly excludes handling of protected health information. Practices using Mailchimp for healthcare marketing must keep PHI out of the message body, the subject line, and the personalization fields. Content that references a specific condition, treatment, or clinical field creates a compliance violation even without a BAA. Practices that need patient outreach with clinical detail move to a platform that signs a BAA, such as an enterprise HubSpot healthcare tier or a dedicated healthcare marketing tool.
Standard HubSpot Marketing Hub does not include a business associate agreement. HubSpot offers a healthcare add-on through the enterprise tier that includes the BAA and applies stricter data handling controls. Practices need to enable the add-on and configure the account with healthcare mode before sending any content that touches PHI. Standard HubSpot subscribers using healthcare content without the add-on create a compliance risk regardless of the content review. Confirm the account tier and the healthcare configuration before using HubSpot for any patient-related outreach.
Only with documented consent to marketing use. A patient whose email came in through an appointment intake form is not automatically consenting to marketing. Practices need a separate opt-in for marketing communication, either as a checkbox on the intake form with clear language or as a separate subscribe form. The consent record must be stored and accessible on request. Practices should also maintain a documented unsubscribe process. Sending marketing to a patient who only consented to clinical communication is a compliance violation and a privacy concern.
General health education content that applies to a wider audience is not PHI and can appear in marketing content. Condition-specific content, treatment recommendations, or personalization fields that pull from clinical records create PHI and belong in a HIPAA-compliant individual communication channel. The line is whether the content identifies a specific patient’s health status. A newsletter about seasonal allergies is not PHI. A message that starts with “your recent test results” is PHI. Practices set editorial rules and train marketing staff on the distinction.
Broadcast marketing content that contains no PHI can travel under standard TLS without message-level encryption. The compliance requirement kicks in when the content or the personalization fields reference clinical information. A HIPAA-compliant marketing platform should still encrypt list data at rest and encrypt access to the marketing dashboard. Encryption of the outbound message body matters when the content includes anything that could identify a patient’s health status. Practices without a signed BAA on the marketing platform should keep all content generic and add PHI only to the individual encrypted channel.
Marketing email is broadcast content to a list of subscribers, typically newsletters, promotions, and general education. Individual patient email is one-to-one communication that references a specific patient’s care, such as appointment confirmations, lab results, and treatment plans. The two channels have different compliance requirements. Marketing runs through a platform with a BAA and stays clear of PHI in content. Individual patient email requires encryption and typically runs through a HIPAA email service or a patient portal. Practices separate the two systems rather than trying to use one for both.

