
Mailchimp

HIPAA Compliance Risk:

High

Category:

Forms

Use Case: Email list building, form-based lead capture, automated marketing campaigns, and behavioral email tracking


Why it matters:


Mailchimp is a widely used platform for email marketing, forms, and marketing automation. Many healthcare practices use Mailchimp to collect contact information via embedded forms or popups, and to send follow-up emails based on subscriber behavior.


However, Mailchimp does not sign a Business Associate Agreement (BAA), and its legal terms explicitly state that the platform is not intended for use with Protected Health Information (PHI). Even an email address on its own can become PHI under HIPAA when it is collected on a page related to healthcare services, symptoms, or appointments, because the combination of the identifier and the page context can reveal that the person is seeking care.


Additionally, Mailchimp tracks subscriber behavior (email opens, link clicks, IP addresses, and form submissions). Each of these is another identifier or activity record stored by a vendor without a BAA, which compounds the compliance risk in healthcare contexts.


What HHS says:


Per HHS Office for Civil Rights guidance on online tracking technologies, data that connects an identifiable individual to health-related activity, whether submitted through a form or collected through behavioral tracking, may be classified as PHI.


HIPAA requires that any vendor handling such information sign a Business Associate Agreement and implement proper safeguards. Without a BAA, even basic data like email addresses tied to health service interactions may result in an impermissible disclosure.


Recommendation:


If you are using Mailchimp forms or marketing automation on your healthcare website, especially on pages where visitors are likely to engage in care-related activity (e.g., service inquiries, appointment scheduling, or symptom-related pages), we recommend discontinuing its use immediately.


Instead, use a HIPAA-compliant email service provider that:

  • Signs a Business Associate Agreement (BAA)

  • Encrypts data in transit and at rest

  • Does not apply behavioral tracking (opens, clicks, IP logging) to PHI-bearing forms or emails without the individual's authorization

  • Offers secure, healthcare-specific form and email workflows


This is especially important if Mailchimp is integrated directly with your forms or website tracking tools.
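A practical first step is an inventory: find every page that still carries a Mailchimp embed before you remove or replace it. The scanner below is an added example written for this page, not code from Mailchimp or from the original page. It walks HTML and flags signup forms, scripts, and iframes that reference Mailchimp hostnames. The indicator hostnames (list-manage.com for hosted form actions, chimpstatic.com for the popup/connected-site script, mailchimp.com and mailchimpapp.net for assets) are the editor's own assumptions based on commonly seen embeds; verify and extend them for your site. The sample pages at the bottom are constructed for the example. A static scan will miss embeds injected at runtime by a tag manager, so also review your tag manager containers.

```python
"""Scan HTML for Mailchimp form/script embeds on healthcare pages.

Added example by the editor, not code from the page or from Mailchimp.
The indicator hostnames are assumptions (commonly seen Mailchimp embed
domains); verify and extend them for your own site.
"""
import re
from html.parser import HTMLParser

# Assumed Mailchimp embed indicators (hostnames); treat as a starting point.
MAILCHIMP_INDICATORS = re.compile(
    r"list-manage\.com|chimpstatic\.com|mailchimp\.com|mailchimpapp\.net",
    re.IGNORECASE,
)


class MailchimpEmbedScanner(HTMLParser):
    """Collect (kind, evidence, line_number) for each Mailchimp embed found."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None  # line of the inline <script> being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "form" and MAILCHIMP_INDICATORS.search(a.get("action") or ""):
            # Hosted signup form: submissions (email + page context) go to Mailchimp.
            self.findings.append(("form-action", a["action"], line))
        elif tag == "script":
            src = a.get("src") or ""
            if MAILCHIMP_INDICATORS.search(src):
                self.findings.append(("script-src", src, line))
            else:
                # No matching src: inspect the inline body in handle_data.
                self._script_line = line
        elif tag == "iframe" and MAILCHIMP_INDICATORS.search(a.get("src") or ""):
            self.findings.append(("iframe-src", a["src"], line))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies verbatim (CDATA mode), so the
        # popup loader snippet, which builds its src at runtime, is visible here.
        if self._script_line is not None and MAILCHIMP_INDICATORS.search(data):
            self.findings.append(("inline-script", data.strip()[:80], self._script_line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_line = None


def scan_html(html):
    """Return a list of (kind, evidence, line) findings for one HTML document."""
    scanner = MailchimpEmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a care-related page with a hosted signup form and the
# popup loader snippet, plus one unrelated script that should not be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Book a sleep apnea consultation</h1>
<form action="https://example.us21.list-manage.com/subscribe/post?u=abc&amp;id=def" method="post">
  <input type="email" name="EMAIL">
</form>
<script id="mcjs">!function(c,h,i,m,p){m=c.createElement(h),p=c.getElementsByTagName(h)[0],m.async=1,m.src=i,p.parentNode.insertBefore(m,p)}(document,"script","https://chimpstatic.com/mcjs-connected/js/users/x/y.js");</script>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

# Constructed sample: a page whose form posts to the practice's own server.
CLEAN_PAGE = '<html><body><form action="/contact"><input name="EMAIL"></form></body></html>'


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        for kind, evidence, line in scan_html(page):
            print(f"{name}: line {line}: {kind}: {evidence}")
```

Run it over the saved HTML of every page on the site (or a crawl output) and treat each finding as a page where Mailchimp receives visitor data; pages for services, symptoms, or appointment requests are the ones to prioritize.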

Still using Mailchimp for healthcare email or forms? Let’s secure your marketing stack.
