Is Return Path HIPAA Compliant?

Return Path is an email marketing and optimization system that allows organizations to have autopilot management of their email marketing campaigns and analytics. A lot of organizations use Return Path. Can healthcare organizations do the same? Does Return Path support HIPAA compliance?

Sending Emails to Patients and Health Plan Members
There are guidelines that healthcare organizations must follow in case they would like to distribute marketing emails that contain electronic protected health information (ePHI). It is important to take note of the following before uploading ePHI to any marketing platform:

Patient or plan members consent must be obtained first before sending them marketing emails.

Use an email service provider that have proper security controls to protect the privacy of ePHI loaded to the platform.

Use methods with appropriate safeguards for uploading data to the platform to avoid data interception.

The service provider should sign a business associate agreement (BAA) with the HIPAA-covered entity.

The definition of HIPAA Privacy Rule’s TPO doesn’t include marketing communications. Therefore, patients/health plan members’ written consent must be acquired first before using ePHI for advertising reasons.

A BAA is required because uploading ePHI to a mailing service platform is regarded as PHI disclosure. It is necessary that the service provider is notified of its duties as a business associate to follow HIPAA Rules. As long as the preceding conditions are met, a HIPAA-covered entity can utilize a third-party system for sending marketing messages.

So, Can Return Path Be Used by Healthcare Organizations?
Return Path has a selection of security controls set up to make certain that the uploaded data to the platform is safe. Nonetheless, Return Path doesn’t seem to provide a BAA to covered entities and its website does not mention anything about HIPAA. Return Path does say that platform users are accountable for compliance with applicable rules and regulations. So, a covered entity is responsible in ensuring that no HIPAA Rules are violated.

In summary, Return Path does not support HIPAA compliance unless it provides a BAA. Healthcare providers can use Return Path if not associated with any ePHI.