Is Return Path HIPAA Compliant?

Return Path is not HIPAA compliant. The service, now integrated into Validity as part of the Everest email deliverability platform, does not sign a Business Associate Agreement and therefore cannot be used by a HIPAA covered entity or business associate to create, receive, maintain, or transmit protected health information.

Return Path is described as an email deliverability platform used to monitor and improve the performance of email marketing campaigns. The platform’s functions include analysis of deliverability, measurement of inbox placement, and reporting on engagement metrics. These functions involve handling email data associated with outbound communications programs, and the vendor relationship becomes regulated when protected health information is involved in the data processed through the service.

HIPAA compliance for a third-party service that handles protected health information requires a written Business Associate Agreement whenever the vendor is acting as a business associate. A covered entity or business associate cannot rely on product features alone when protected health information is present, because the contractual requirement assigns responsibility for safeguarding protected health information and establishes the permitted uses and disclosures. Without a Business Associate Agreement, the service is not positioned for regulated handling of protected health information.

The referenced source describes Return Path as integrated into Validity alongside 250ok and BriteVerify to form Everest, and it states that Everest is not HIPAA compliant based on the research described in that source. It also states that Everest will not sign a Business Associate Agreement. That position removes the contractual basis required for use with protected health information and rules out HIPAA compliant deployment for communications that include identifiers linked to an individual’s health condition, care, or payment.

Organizations that use Return Path or Everest for marketing operations can still support HIPAA compliance by limiting the service to communications that do not involve protected health information and by enforcing controls that prevent protected health information from being entered into campaign content, contact lists, segmentation fields, or reporting exports. Compliance governance should address the full information lifecycle for email marketing operations, including template design, list management, audience targeting logic, and staff procedures for handling opt-ins, opt-outs, and responses.

When an organization requires an email deliverability platform for programs that involve protected health information, the vendor selection process should require a Business Associate Agreement and administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, with privacy controls that support the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]