Klaviyo
HIPAA Compliance Risk: High
Category: Forms
Use Case: Email capture forms, subscriber tracking, and behavior-triggered email marketing
Why it matters:
Klaviyo is a popular platform for email marketing, audience segmentation, and behavior-based automation. Many healthcare websites use Klaviyo’s embedded forms or popups to collect email addresses, trigger automated follow-ups, and track user behavior for marketing purposes.
However, Klaviyo does not offer a Business Associate Agreement (BAA) and explicitly states that its platform is not designed for HIPAA-regulated use cases. This creates a serious risk if its forms are used to collect any information that could qualify as Protected Health Information (PHI), including inquiries about care, appointment interest, or condition-specific topics.
Even if only an email address is collected, it may be considered PHI if tied to health-related behavior or services.
What HHS says:
According to HHS guidance, any third-party service that collects or receives user information, especially when linked to health-related webpages or actions, may be handling PHI and must comply with HIPAA.
This includes form submissions, tracked user behavior, or email addresses when connected to care-related topics. Tools that do not sign a Business Associate Agreement or secure PHI as required by HIPAA may result in impermissible disclosures.
Recommendation:
If you're using Klaviyo forms or behavior-based tracking on your website, especially on pages related to healthcare services, treatment options, or appointments, we recommend removing them immediately or replacing them with a HIPAA-compliant solution.
Klaviyo does not offer a Business Associate Agreement, making it unsuitable for collecting or processing any form of PHI. Even seemingly low-risk actions like newsletter signups should be carefully evaluated for context and content. For healthcare marketing and email automation, choose a vendor that provides a BAA and includes HIPAA-aligned security measures.
Using Klaviyo on your healthcare site? Let’s replace it with a secure, compliant alternative.