Is Mailchimp HIPAA Compliant?
A hospital marketing team launches its monthly patient newsletter through Mailchimp. The workflow is familiar to anyone who has used the platform: import your subscriber list, create audience segments by department or condition type, design the email, and hit send. This month's edition includes a section on flu vaccine availability, a spotlight on the new cardiology wing, and a reminder about diabetes management workshops.
The marketing director has been careful. No medical records in the email. No appointment confirmations. Just "general health tips." But Mailchimp is already doing what it was built to do. Every open fires a tracking pixel that ties the recipient's email address to a timestamp, device, IP address, and location. Every link click routes through Mailchimp's servers before redirecting to the hospital's site. The audience segments sitting in the account have names like "Cardiology Patients," "Diabetes Education," and "Prenatal Care." And Mailchimp's website tracking pixel, installed on the hospital site last quarter, is quietly recording which pages each identified subscriber visits after clicking through.
For most businesses, this is just email marketing. For a healthcare organization, every one of those data points is a potential HIPAA violation.
The Newsletter That Looks Safe but Isn't
Mailchimp is the most widely used email marketing platform in the world. Owned by Intuit since 2021, it powers email campaigns for millions of organizations across every industry. Its ease of use is exactly what makes it attractive to healthcare marketing teams. It is also what makes it dangerous.
The compliance problem with Mailchimp is not about sending medical records through email. Almost no healthcare marketer would do that intentionally. The problem is subtler: Mailchimp's core features generate protected health information (PHI) as a byproduct of normal use.
Audience segmentation creates PHI at rest. Mailchimp encourages users to segment their audiences for better targeting. In healthcare, that means lists and tags like "Orthopedic Surgery Referrals," "Mental Health Program," or "Oncology Support Group." Each segment connects identifiable individuals (email addresses) to health conditions or treatment interests. That is PHI by HIPAA's definition, and it lives on Mailchimp's servers.
Open and click tracking creates PHI in transit. Mailchimp embeds a 1x1 tracking pixel in every email by default. When a subscriber opens your "Managing Your Child's Asthma" newsletter, Mailchimp logs that a specific person engaged with health-specific content. Click tracking adds another layer: if a patient clicks "Schedule Your Mammogram," that click event, the patient's email address, and the health context all pass through Mailchimp's infrastructure.
Mailchimp's website tracking pixel extends exposure beyond email. Mailchimp offers a JavaScript snippet that tracks subscribers' behavior on your website. Once installed, it connects email engagement with website browsing. A subscriber who clicked through your newsletter and then visited your oncology services page, your billing portal, and your patient intake form now has a behavioral health profile stored in Mailchimp's systems.
Landing pages host PHI on Mailchimp's domain. Mailchimp's landing page builder lets teams create signup forms, event registrations, and content downloads. When a hospital uses it to build a "Register for Our Diabetes Workshop" page, the form submissions, including names, emails, and the implicit health interest, are collected and stored entirely on Mailchimp's infrastructure.
Mailchimp's Terms Prohibit PHI Entirely
Unlike some platforms that are ambiguous about healthcare use, Mailchimp is direct. Their terms of service explicitly prohibit users from sending protected health information through the platform. They do not sign Business Associate Agreements (BAAs). They do not offer a HIPAA-compliant tier or healthcare plan.
This is important to understand clearly. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate. That vendor must sign a BAA, which establishes legal accountability for safeguarding that data. Without a BAA, there is no contractual framework for compliance. The vendor has no HIPAA obligation to protect the data, no requirement to notify you of breaches, and no liability if PHI is exposed.
Mailchimp's position is not a gap they plan to close. It is a deliberate business decision. The platform was built for retail, e-commerce, and general marketing. Healthcare compliance would require fundamental changes to how Mailchimp processes, stores, and tracks data. Until those changes happen, using Mailchimp for any communication that involves PHI means the healthcare organization bears 100% of the compliance risk.
How Routine Marketing Tools Became $193M in Settlements
The enforcement landscape has made one thing clear: the tools that create the most risk are not exotic security vulnerabilities. They are routine marketing technologies (email pixels, analytics scripts, tracking tags) used exactly as intended.
BetterHelp ($7.8M FTC, 2023). BetterHelp shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels. The company used the fact that users had previously been in therapy to build Facebook lookalike audiences. The FTC found that a recent college graduate with no marketing training was placed in charge of deciding what user data was uploaded to Facebook. Source
The BetterHelp case is directly relevant to Mailchimp usage because the enforcement centered on email addresses combined with health context. That is precisely what Mailchimp captures when healthcare teams segment lists by condition or service line.
Monument (FTC advertising ban, 2024). Monument, an alcohol addiction treatment platform, disclosed data of up to 84,000 users to ad platforms via tracking pixels. Their custom pixel events had descriptive titles like "Paid: Weekly Therapy" and "Paid: Med Management," revealing specific services alongside email addresses and IP addresses. The FTC banned Monument from sharing health data for advertising. Source
Monument's case illustrates how naming conventions become PHI vectors. Mailchimp audience segments named "Cardiac Rehab Patients" or campaign tags like "Post-Op Follow-Up" function identically to Monument's descriptive event names. The data structure itself carries the health context.
Advocate Aurora Health ($12.25M class action, 2024). Advocate Aurora installed Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The tools exposed data of approximately 3 million patients to Meta and Google without consent, running from 2017 to 2022. Source
Advocate Aurora's case demonstrates a pattern that maps directly to Mailchimp's website tracking pixel. The health system installed standard marketing tools with good intentions. Those tools operated exactly as designed, sending behavioral data to third-party servers for years before anyone flagged the exposure.
Why "We Only Send General Content" Is Not a Safe Harbor
Healthcare marketing teams often argue that their Mailchimp usage is safe because they only send general health content. No appointment confirmations. No lab results. Just wellness tips and community health information.
This argument has three problems.
First, HIPAA's definition of PHI is broader than clinical data. PHI includes any individually identifiable health information. When a named individual (email address) engages with health-specific content (opens a newsletter about heart disease, clicks a link about cancer screening), that engagement data connects identity to health interest. Mailchimp captures and stores that connection.
Second, audience segmentation undermines the "general content" defense. Even if the email content is generic, the audience receiving it may be segmented by health criteria. Sending a "general wellness" email to a list called "Bariatric Surgery Leads" still means Mailchimp holds a list of identifiable people associated with a specific medical procedure.
Third, consent and privacy expectations are shifting. State privacy laws are expanding. Patient expectations around data handling are increasing. The FTC and OCR have both signaled that tracking technology enforcement is a priority, not a one-time sweep. Organizations that rely on the "general content" argument today may find that the regulatory environment has moved past them.
Building Email Engagement on a Compliant Foundation
If your organization needs to communicate with patients through email, the compliance requirements are clear. Meeting them requires more than choosing a different email tool. It requires rethinking how data flows through your marketing stack.
Start with a signed, comprehensive BAA. Any platform that touches PHI must accept liability as a Business Associate. The BAA must cover all data in the platform: contact records, engagement data, behavioral tracking, form submissions. Not just "stored content" with carve-outs for tracking and analytics.
Require SOC 2 Type II with all five trust criteria. Most vendors certify only Security, which is one of five trust criteria. Healthcare-grade vendors cover Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II certification means compliance was sustained over a review period, not just checked at a single point in time.
Route data through server-side architecture. Client-side tracking (pixels, JavaScript snippets) sends data through the visitor's browser to third-party servers. This is the architectural pattern behind every enforcement case listed above. Server-side architecture routes data from your servers to vendor systems. The browser never communicates with third parties. This is not a preference; it is the structural difference between controlling your data flows and hoping they stay clean.
Gate all data flows on verified consent. Data should move to downstream systems only after consent has been confirmed server-side. Client-side consent checks can be delayed, bypassed, or broken by browser behavior. Server-side consent gating ensures that no data flows until consent is verified. That is where healthcare compliance is heading as state privacy laws proliferate and patient expectations evolve.
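The two recommendations above (route data server-side, gate it on server-side consent) reduce to one concrete pattern: engagement events land on your own server, your own consent store is consulted, and only consented, minimised events are forwarded to a BAA-covered vendor. The following is an added example, not code from this page or from Ours Privacy; the consent store, the vendor client, the subscriber ids and the sample events are constructed stand-ins.

```python
"""Added example, not code from the page or from Ours Privacy: a server-side
relay that forwards email-engagement events to a downstream vendor only
after consent is verified against your own consent store. The consent
records, the vendor client and the subscriber ids are constructed stand-ins."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed consent store keyed by an internal subscriber id. Assumption:
# consent is recorded by your own systems, so the check cannot be bypassed by
# a blocked script or a stale cookie in the visitor's browser.
CONSENT_STORE = {
    "sub-001": {"marketing": True, "revoked_at": None},
    "sub-002": {"marketing": True, "revoked_at": "2024-03-01T00:00:00+00:00"},
    "sub-003": {"marketing": False, "revoked_at": None},
}


@dataclass
class EngagementEvent:
    subscriber_id: str
    event_type: str     # "open" or "click"
    campaign: str
    occurred_at: str    # ISO-8601 with timezone
    # Fields a tracking pixel would also capture; kept here to show that they
    # are not forwarded downstream.
    ip_address: str = ""
    user_agent: str = ""


@dataclass
class VendorClient:
    """Stand-in for a BAA-covered vendor API; records what it was sent."""
    delivered: list = field(default_factory=list)

    def send(self, payload: dict) -> None:
        self.delivered.append(payload)


def consent_is_valid(subscriber_id: str, at: str) -> bool:
    """Consent exists, is granted, and was not revoked before the event time.

    Revocation is evaluated at the event's own timestamp; if your policy is
    that revocation also halts late-arriving backlog, compare against now().
    """
    record = CONSENT_STORE.get(subscriber_id)
    if record is None or not record["marketing"]:
        return False
    if record["revoked_at"] is None:
        return True
    return datetime.fromisoformat(at) < datetime.fromisoformat(record["revoked_at"])


def relay_event(event: EngagementEvent, vendor: VendorClient) -> str:
    """Forward one event if consented; return a disposition for the audit log."""
    if not consent_is_valid(event.subscriber_id, event.occurred_at):
        return "dropped:no-consent"
    # Data minimisation: the vendor receives the pseudonymous id and the event
    # itself, never the raw email, IP address or device details.
    vendor.send({
        "subscriber_id": event.subscriber_id,
        "event_type": event.event_type,
        "campaign": event.campaign,
        "occurred_at": event.occurred_at,
    })
    return "forwarded"


def relay_batch(events, vendor: VendorClient) -> dict:
    """Relay a batch of events and return counts per disposition."""
    counts = {}
    for ev in events:
        outcome = relay_event(ev, vendor)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    client = VendorClient()
    sample = [  # constructed events; 198.51.100.7 is a documentation address
        EngagementEvent("sub-001", "open", "flu-shots", "2024-05-01T09:00:00+00:00", "198.51.100.7"),
        EngagementEvent("sub-002", "click", "flu-shots", "2024-05-01T09:05:00+00:00"),
        EngagementEvent("sub-003", "open", "flu-shots", "2024-05-01T09:06:00+00:00"),
        EngagementEvent("sub-999", "open", "flu-shots", "2024-05-01T09:07:00+00:00"),
    ]
    print(relay_batch(sample, client))
    print(client.delivered)
```

The design point is that the consent decision and the data minimisation both happen on infrastructure you control: the browser never talks to the vendor, and the vendor never sees the IP address, user agent or email address that a client-side pixel would have sent it by default.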
Monitor your full tracking surface continuously. Installing a compliant tool does not guarantee ongoing compliance. Marketing teams add scripts. Plugins update. Third-party tags load other tags. A web scanner that crawls your site on an ongoing basis detects every cookie, script, localStorage entry, and tracking pixel across every page. It flags which scripts lack a BAA, which cookies come from third parties, and which pixels send data to platforms that should not receive it. Every enforcement case referenced above involved tracking that ran for years before anyone noticed.
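As an added example of the inventory step that a tracking-surface scanner performs (not code from this page or from Ours Privacy), the block below parses one HTML page, lists every element that makes the browser contact another host, pulls URLs out of inline loader scripts, and flags any host that is neither the page's own host nor on an allowlist of BAA-covered vendors. The hostnames, the allowlist and the sample page are constructed placeholders.

```python
"""Added example, not code from the page or from Ours Privacy: a minimal
tracking-surface inventory for one HTML page. It lists every element that
makes the browser contact another host (script, img, iframe, link) plus URLs
embedded in inline scripts, and flags any host that is neither the page's own
host nor on a BAA-covered allowlist. All hostnames are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts you operate or that are covered by a signed BAA.
ALLOWED_HOSTS = {"www.example-hospital.test", "cdp.baa-vendor.test"}

# Element/attribute pairs that trigger an outbound request when rendered.
LOADERS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

# Constructed sample page: first-party assets, a BAA-covered iframe, a
# third-party site-tracking script, an inline tag loader and two 1x1 pixels.
SAMPLE_HTML = """<html><head>
<script src="https://www.example-hospital.test/static/app.js"></script>
<script src="https://cdn.example-esp.test/site-tracking.js"></script>
<script>
  (function(){ var s=document.createElement('script');
   s.src='https://tags.example-analytics.test/tag.js'; document.head.appendChild(s); })();
</script>
</head><body>
<img src="https://www.example-hospital.test/img/logo.png" alt="">
<img src="https://pixel.example-esp.test/open?u=abc123" width="1" height="1">
<iframe src="https://cdp.baa-vendor.test/embed/form"></iframe>
<noscript><img src="https://px.example-ads.test/tr?ev=PageView" height="1" width="1"></noscript>
</body></html>"""


class TrackerInventory(HTMLParser):
    """Collect outbound-loading elements and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url, attrs) for elements with a URL
        self.inline_scripts = []   # full bodies of <script> blocks without src
        self._script_buf = None    # accumulates the current inline script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self._script_buf = []
        url = attrs.get(LOADERS.get(tag, ""))
        if url:
            self.resources.append((tag, url, attrs))

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def scan_page(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per third-party resource the page would load."""
    parser = TrackerInventory()
    parser.feed(html)
    findings = []

    def record(tag, url, reason):
        host = urlparse(url).hostname
        if not host or host == page_host or host in allowed_hosts:
            return  # relative, first-party or BAA-covered: not a finding
        findings.append({"tag": tag, "host": host, "url": url, "reason": reason})

    for tag, url, attrs in parser.resources:
        is_pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        record(tag, url, "tracking-pixel" if is_pixel else "third-party-resource")
    for body in parser.inline_scripts:
        for url in URL_RE.findall(body):
            record("inline-script", url, "inline-loader")
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, "www.example-hospital.test"):
        print(f"{f['reason']:<22} {f['tag']:<14} {f['host']}")
```

Two points worth noting. The allowlist approach is deliberate: a blocklist of known tracker domains misses the next tag a plugin update adds, whereas anything not on your BAA list is a finding by default. And a static parse only sees what is in the HTML; the cookies, localStorage entries and tags loaded by other tags that the section above mentions only appear once the page executes, so a production scanner drives a real browser and records the network requests it makes.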
FAQ
Does Mailchimp sign a BAA?
No. Mailchimp does not sign Business Associate Agreements. Their terms of service explicitly prohibit users from sending PHI through the platform. This means any healthcare organization using Mailchimp for communications that involve PHI has no contractual compliance framework with the vendor and bears full liability.
Can I use Mailchimp for patient newsletters if I keep the content generic?
The content of the email is only part of the risk. Mailchimp's tracking pixels log who opened the email, when, on what device, and from what location. If the email has any health context in its subject line, content, or if the recipient list is segmented by health criteria, engagement data constitutes PHI. Even a "general wellness" newsletter creates risk when the audience list is organized by department, condition, or care relationship.
What about Mailchimp's website tracking pixel on a hospital site?
Mailchimp's website tracking pixel is a client-side JavaScript snippet that records identified subscribers' browsing behavior and sends it to Mailchimp's servers. On a healthcare website, this means pages related to specific conditions, departments, or services become part of a subscriber's behavioral profile on Mailchimp's infrastructure. This is the same client-side tracking architecture that has generated $193M+ in enforcement actions across the healthcare industry since 2023.
Is it safe to use Mailchimp for internal staff communications at a healthcare organization?
If the communications are strictly internal, do not reference patient information, and the subscriber list contains only employee email addresses with no health-related segmentation, the HIPAA risk is lower. However, maintaining a strict boundary between staff and patient communications within the same Mailchimp account is difficult in practice. A single shared audience, tag, or automation that bridges the two creates compliance exposure for the entire account.
What should healthcare organizations use instead of Mailchimp for patient engagement?
Look for a platform that signs a comprehensive BAA covering all data in the system, maintains SOC 2 Type II certification across all five trust criteria, uses server-side architecture for data collection and routing, and supports consent-gated data flows. A HIPAA-compliant CDP can serve as the foundation for patient communication workflows, routing email sends and engagement tracking through a compliant infrastructure. See our guide to HIPAA-compliant tools for a broader evaluation framework.
Healthcare email marketing compliance is not about avoiding the most obvious risks. It is about understanding how standard marketing features generate PHI through normal use. If your team is evaluating its email marketing stack, Ours Privacy provides the server-side infrastructure, BAA coverage, and continuous monitoring that healthcare organizations require.