Autopilot, now branded as Ortto, is not HIPAA compliant for HIPAA Covered Entities or Business Associates because the service is not offered with a HIPAA Business Associate Agreement for handling electronic protected health information and the platform’s marketing automation features can store and transmit data elements that constitute protected health information.
HIPAA permits a regulated organization to use a cloud service provider or other vendor to handle electronic protected health information only when a written business associate contract is in place that meets the HIPAA Privacy Rule requirements for business associate contracts and the parties implement safeguards required by the HIPAA Security Rule. When a vendor will not execute a HIPAA Business Associate Agreement for the specific service being used, the regulated organization cannot use that service to create, receive, maintain, or transmit electronic protected health information.
Marketing automation platforms commonly ingest patient identifiers and engagement data through list imports, web forms, landing pages, tracking scripts, segmentation fields, automated journeys, and integrations with customer relationship management systems and analytics tools. Names, email addresses, phone numbers, device identifiers, and IP addresses can become protected health information when they link an identifiable individual to treatment, payment, or healthcare operations. Message content can also create protected health information when it references appointment status, care coordination, diagnoses, medications, test results, referrals, or billing context.
Operational risk increases when the platform enables tracking pixels, link tracking parameters, website event capture, and automated profiling. Those functions can disclose regulated context to third parties through redirects, logs, and downstream systems, and they can create persistent records that fall outside the regulated organization’s access control, retention, and audit practices. Campaign assets such as templates and dynamic fields add exposure when workforce members insert patient-specific details into subject lines, preview text, or body content.
Autopilot may be used by healthcare organizations only for workflows that exclude protected health information and that do not connect identifiable individuals to healthcare services or payment. Patient outreach that involves protected health information requires a vendor that will execute a HIPAA Business Associate Agreement for the services in scope and support access controls, audit controls, transmission security, and incident response procedures aligned with HIPAA obligations.
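As an added example (not code from the page, from Autopilot or from Ortto), a pre-export gate that applies the rule above before a contact record and its message copy leave a HIPAA-controlled system: it blocks anything that links an identifier to health context in segmentation fields, subject lines or body content, and reports tracking parameters in links. The vocabularies, field names and sample records are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed, illustrative vocabularies (assumptions for this example; a real
# deployment maintains reviewed lists with its privacy officer).
HEALTH_CONTEXT_TERMS = ("appointment", "diagnos", "medication", "test result",
                        "referral", "billing", "prescription", "treatment", "claim")
IDENTIFIER_FIELDS = {"email", "phone", "first_name", "last_name", "ip", "device_id"}
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content",
                   "utm_term", "gclid", "fbclid"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class GateResult:
    allowed: bool
    findings: list = field(default_factory=list)


def health_terms_in(text: str) -> list:
    """Health-context terms present in free text or a field name."""
    low = text.lower()
    return [t for t in HEALTH_CONTEXT_TERMS if t in low]


def check_campaign(contact: dict, subject: str, body: str) -> GateResult:
    """allowed=False when the export would tie an identifiable person to
    healthcare context; tracking parameters are reported as warnings only."""
    findings = []
    identified = any(str(contact.get(f, "")).strip() for f in IDENTIFIER_FIELDS)
    # Segmentation fields whose names carry health context (e.g. diagnosis_code)
    health_fields = [k for k in contact if health_terms_in(k)]
    # Subject line, preview text and body authored by workforce members
    health_copy = health_terms_in(subject + " " + body)
    if identified and health_fields:
        findings.append(f"phi: identifier stored alongside health fields {health_fields}")
    if identified and health_copy:
        findings.append(f"phi: message copy references {health_copy} for an identified contact")
    # Link-tracking parameters reach redirect services and third-party logs
    for url in URL_RE.findall(body):
        hit = TRACKING_PARAMS & set(parse_qs(urlparse(url).query))
        if hit:
            findings.append(f"tracking: {url} carries {sorted(hit)}; redirects and logs may expose context")
    return GateResult(allowed=not any(f.startswith("phi:") for f in findings),
                      findings=findings)


if __name__ == "__main__":
    # Constructed sample: an appointment reminder addressed to an identified contact
    print(check_campaign({"email": "pat@example.com"}, "Your appointment is confirmed", "See you Tuesday."))
```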