Data collection and storage technology has advanced to the point where companies of any size can gather personal data at scale.
At the same time, data protection regulation around the world is tightening. The headline enforcement cases target tech giants like Google, but the same rules apply to the smallest business that handles user data.
This changes how organisations operate and makes it harder than ever to choose software platforms that meet those rules. So, in this article, we look at the five best email marketing and CRM tools for HIPAA and GDPR compliance.
What are we looking at in this article?
In this article we look specifically at email marketing and CRM tools that are both GDPR and HIPAA compliant. It is increasingly easy to find platforms that comply (or at least claim to comply) with the newer GDPR; it is far harder to find tools that comply with the older, more specialised HIPAA rules, and harder still to find platforms that satisfy both.
So this article will help you if any of the following apply:
- You need HIPAA-compliant software for the US market
- You need GDPR-compliant software for the EU market
- You need both GDPR and HIPAA-compliant software as a single solution for the US and EU markets
Because HIPAA is specific to the US healthcare sector, this article will be most useful to healthcare organisations operating in both the US and the EU that want a single platform for email marketing and CRM, for example a health insurer covering customers in both markets.
The US and the EU are two of the world's largest healthcare markets and also have two of the strictest data protection regimes, so software that works under both GDPR and HIPAA matters to any healthcare company expanding internationally.
We look at the five platforms below. First, though, a closer look at what these two regimes involve and how they differ.
GDPR & HIPAA – what are they & how are they different?
GDPR and HIPAA are two very different sets of rules. The GDPR, adopted by the EU in 2016 and applied from 25 May 2018, protects the personal data of everyone in the European Union and holds the businesses that handle that data accountable for how they collect, store and use it.
HIPAA, by contrast, is US federal law dating back to 1996 that governs the confidentiality of patients' health information. So where HIPAA is specific to the US healthcare sector, GDPR applies to all personal data relating to individuals in the EU, regardless of citizenship: from people visiting your website to the records of employees based in the EU.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that has applied since 25 May 2018. It grants individuals in the EU expanded rights over their personal data and places obligations on any company or organisation that collects, stores or otherwise processes it.
In other words, if you decide why and how personal data from individuals in the European Union is processed, you are accountable for meeting GDPR obligations as the data controller.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you. – GDPR.eu
It doesn't matter whether you, as the organisation handling the data, are located inside or outside the EU. If you process personal data of people within the EU, you are accountable for complying with the GDPR.
Failing to comply can result in fines of up to 4% of an organisation's global annual turnover or €20 million, whichever is higher. At the time of writing, the largest fine had been handed to Google: €50 million, imposed by the French regulator CNIL in January 2019.
For scale, Alphabet, Google's parent company, reported revenue of $33.74 billion in Q3 2018 alone.
Key to GDPR compliance is understanding the regulation's definition of personal data. Here's a brief summary from GDPR.eu (a widely used guide to the regulation, though not an official EU site):
“Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”
The GDPR applies to personal data, so its obligations are triggered whenever you collect or store information that can be used, on its own or combined with other data, to identify someone.
If you’re in any doubt over your GDPR-compliance obligations, seek professional legal advice – don’t rely on blog posts like these.
Here’s a quick summary of some of the key regulations defined by GDPR.
Data protection principles
If you process personal data of individuals in the EU, you must comply with seven protection and accountability principles set out in Article 5(1) and 5(2):
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Under GDPR, data controllers must be able to demonstrate that they are compliant and the EU suggests several steps organisations can take to ensure they can prove their compliance:
- Designate data protection responsibilities to your team.
- Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
- Train your staff and implement technical and organizational security measures.
- Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appoint a Data Protection Officer (though not all organisations need one).
GDPR.eu puts it bluntly: if you think you are compliant with the GDPR but can't show how, then you're not GDPR compliant.
To become and remain compliant, data controllers must implement measures that protect personal data against loss, leakage, unauthorised access and other threats.
The regulation requires controllers (and their processors) to implement "appropriate technical and organisational measures". As GDPR.eu explains:
"Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption."
In the event of a personal data breach, you have 72 hours from becoming aware of it to notify your supervisory authority (Article 33), and you must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). That second, data-subject notification is not required if the data was rendered unintelligible to anyone unauthorised, for example because it was encrypted with keys the attacker did not obtain. The breach still has to be documented internally either way.
Consent is one of the lawful bases for processing personal data under the GDPR, and the one that marketing email usually relies on. The regulation sets out specific requirements for consent to count:
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honour their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children below the age of digital consent (16 under the GDPR, though member states may lower it to as low as 13) can only give consent with permission from a parent or guardian.
- You need to keep documentary evidence of consent.
This is why anyone browsing the web in the European Union is bombarded with consent banners and asked to either accept or work through the same choices again on every new site they visit.
That’s a story for another day, though.
For a more comprehensive look at the GDPR, see GDPR.eu or the text of the regulation itself and, once again, if you're in any doubt over your obligations or compliance, get the necessary legal help.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law, and the rules issued under it set national standards that protect individually identifiable health information from being used or disclosed without the patient's authorisation, except where the rules permit.
So HIPAA is specific to the US healthcare sector and entirely independent of the GDPR. An organisation that handles data from individuals in both the US and the EU has to follow the rules of each region for the data that region's law covers.
That is the situation of a global health company operating in the US and the EU and handling information protected by both regimes.
HIPAA applies directly to three types of organisation, known as "covered entities", and extends through them to their "business associates":
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
- Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
The two HIPAA rules that matter most when choosing software are the Privacy Rule and the Security Rule (a Breach Notification Rule applies as well). Civil penalties for non-compliance range from $100 to $50,000 per violation, tiered by culpability and subject to annual caps per provision, and knowing misuse of PHI can also carry criminal penalties.
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how covered entities and their business associates use and disclose individuals' health information, known as "protected health information" (PHI).
It defines the actions organisations must take to comply and gives individuals rights to understand, and to some extent control, how their information is used.
Essentially, organisations must safeguard patients' information and may only use or disclose it as the Rule permits or requires, or with the patient's written authorisation.
“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
Source: HHS.gov
For a more comprehensive breakdown of the HIPAA Privacy Rule, you can find guidance and links to official sources via HHS.gov.
HIPAA Security Rule
The HIPAA Security Rule sets the requirements for protecting electronic protected health information (ePHI).
“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Source: HHS.gov
The Security Rule is the more technically detailed of the two and, while covered entities have to comply with both, it is the one that determines whether an email marketing tool, CRM or other piece of software can be used with ePHI at all.
Top 5 HIPAA Compliant Email Marketing Tools & CRMs
Now that we've covered the basics of GDPR and HIPAA, we're ready to look at the top five email marketing and CRM platforms for complying with both.
Here's a quick summary of the five platforms we'll be looking at in this section:
- ActiveCampaign: The best all-in-one email marketing and CRM solution with robust compliance and security – but no dedicated features for managing your data.
- Salesforce: The famous CRM provider which also offers dedicated tools for you to protect your data while it’s stored on your server (this is only half the battle).
- Zendesk: Excellent customer service products with advanced security add-ons which provide a certain level of support for compliance.
- Enquire: The specialist CRM for healthcare providers, which relies on Microsoft's cloud platform and its compliance programme for data security.
- Paubox: The only email system for healthcare providers that aims to provide complete HIPAA compliance.
As you can see, there are pros and cons to each of these options with ActiveCampaign offering the best marketing solution but also the weakest compliance features.
Something you’ll notice with software providers that claim to be GDPR and HIPAA compliant, though, is that they’re only capable of offering partial compliance and only Paubox claims to be fully HIPAA-compliant – and there are caveats here, too.
All will be explained throughout the remainder of this article.
ActiveCampaign
ActiveCampaign is our top pick for an all-in-one email marketing and CRM platform for enterprise businesses that need HIPAA compliance.
Having surveyed over 1,700 marketing directors on their choice of email marketing software, we found ActiveCampaign to be the only tool that both made our list of top ten vendors and offers HIPAA compliance.
There aren’t many all-in-one platforms that provide as much as ActiveCampaign, with such a level of consistency, and fewer still that are this competitively priced, enabling a far better ROI on your email marketing budget.
It’s not that ActiveCampaign is the cheapest option on the market but more to do with how the prices increase between plans. The point of an all-in-one email marketing and CRM platform is that it should help your business automate growth, meaning you’ll naturally bump up to more advanced (and expensive) plans as your business grows.
A lot of providers offer low entry prices but hit you hard once you’re bumped up to more expensive plans. By this time, you’re locked into the platform because it houses all of your data and your team knows how to use it.
ActiveCampaign, on the other hand, prices its plans with incremental increases, so you're not hit with an unaffordable bill for exceeding your contact limit for one month. The company aims to remain good value at every price point so that businesses keep using the platform as they grow, and that philosophy has been crucial to its success in a market otherwise dominated by more expensive options.
How is ActiveCampaign compliant with GDPR & HIPAA?
You can find out how ActiveCampaign protects your data by visiting the data protection and security page on the company’s website. On this page, you’ll see ActiveCampaign specifically lists compliance with GDPR and HIPAA, as well as SOC 2 data protection.
“ActiveCampaign is heavily focused on GDPR, SOC 2, and HIPAA compliance. We constantly improve our security to go above and beyond compliance standards.”
ActiveCampaign lists the following measures for protecting your data (and your customers') against threats:
- Information classification: All our data is classified and restricted, which lets us prioritize the most sensitive information. Single-tenancy architecture means that each person’s data is kept separate from everyone else’s. Along with secure, world-class data centers, this data separation helps keep your data secure.
- Authentication and access security: Personnel have the exact level of access required, and user access is regularly audited to ensure data protection. In keeping with National Institute of Standards and Technology (NIST) requirements, data access is protected by multi-factor authentication, password control, keys, and other best practices.
- Access zone security: Our networks use a layered access classification framework to provide data separation. Each client-protected single tenancy data store, whether physical or virtual private cloud, is a fully security-hardened stack that includes endpoint and network threat prevention, application firewalling, and vulnerability scanning.
- Secure software development lifecycle: Security is baked into our software development—developers are active participants in securing the code that they write. Security scanning tools and code analysis help them resolve any issues with open-source packaging, misconfigurations, and potential vulnerabilities.
- Internal offensive security: Our in-house Red Team engages in continuous penetration testing. We try to break our own production systems every day—so that we can stay ahead of the curve and address potential issues.
HIPAA compliance is available to customers on ActiveCampaign's enterprise plan, and the company will sign its own Business Associate Agreement (BAA) with covered entities. It stresses, though, that each customer is responsible for using the service in a HIPAA-compliant manner.
While other providers offer dedicated features, such as built-in apps that help you stay compliant, compliance is always ultimately your responsibility.
Our full review of ActiveCampaign found it to be one of the most advanced and accredited email platforms, and the BAA is what makes it usable with PHI at all.
The potential downside is that it provides no built-in apps or features that actively help you achieve compliance in the front end of the system. Instead, the company draws a clear line: its platform supplies the security controls, and it's your responsibility to use it in a compliant way.
There are pros and cons to this approach. The negative is that you get no dedicated tools or frameworks for data compliance with your plan. The positive is that you don't end up with a system that only partially provides the tools you need to achieve and manage compliance, which can make things even more confusing, as the next platform shows.
Salesforce
Salesforce is one of the biggest names in customer relationship management (CRM) and data is at the heart of everything it does. Unlike ActiveCampaign, it isn't an all-in-one email marketing and CRM platform, so you would still need to integrate Salesforce with a third-party email marketing tool to manage that channel.
This can complicate GDPR and HIPAA compliance slightly as you’re then required to ensure that all platforms are compliant.
How is Salesforce compliant with GDPR & HIPAA?
You can find out how Salesforce complies with GDPR, HIPAA and other regulations in the extensive compliance section of its website, which breaks down the platform's certifications, measures and services across the full range of data regulations, with dedicated pages for GDPR and for HIPAA.
Much like ActiveCampaign, Salesforce will sign its own Business Associate Addendum (BAA) with covered entities that require HIPAA compliance. The company goes a step further in providing tools to help you protect your data and, once again, there are pros and cons to this. It's also a good opportunity to explore the complexity of software compliance in more detail.
Salesforce provides a dedicated data security add-on, Shield, that helps you protect the data held in your CRM. With Shield you can meet GDPR and HIPAA data protection requirements, but only partially.
More specifically, data stored in your Salesforce org and viewed within the platform is "data at rest". Shield protects that data and helps you achieve compliance for it, but it does nothing for "data in motion": the copy of that data you place in an email or other communication and hand to another system to deliver.
As Compliancy Group explains:
“HIPAA applies to data in motion as well as to data at rest. Data in motion is data that travels over a public network, like the Internet. Such data needs to be encrypted in transit… Covered entities must encrypt data in motion. The encryption must be performed before the message is sent, for HIPAA compliance to be achieved.”
To cover both forms of data, you need tooling that encrypts the content before it is sent anywhere. Plenty of tools can do this, DataMotion among them, but it's important to understand the distinction and realise that you're not going to get everything you need to achieve compliance from Salesforce alone.
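Here is what "encrypt before the message is sent" looks like in practice, as an added example that is not code from Salesforce, DataMotion or any provider on this page. The sending organisation seals the PHI-bearing body with AES-256-GCM under a key shared with the recipient, then hands the mail platform only the envelope fields and the ciphertext, so the platform and the transport never see plaintext. The shared secret, recipient address and message text are constructed for the example, and deriveKey stands in for whatever key exchange or per-recipient key management you actually use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// sealedMessage is what the sending organisation hands to the mail platform:
// the fields it needs for delivery plus an opaque body. The platform cannot
// read the body, so the message it stores and relays carries no readable PHI.
type sealedMessage struct {
	To      string
	Subject string // subjects are never encrypted by email; keep them generic
	Body    string // base64(nonce || ciphertext || GCM tag)
}

// deriveKey turns a shared secret (assumed, for this example, to have been
// exchanged with the recipient out of band) into a 256-bit AES key.
func deriveKey(sharedSecret []byte) []byte {
	sum := sha256.Sum256(sharedSecret)
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBody encrypts the PHI-bearing body with AES-256-GCM before the message
// leaves the sender's control. The recipient address is bound in as
// additional authenticated data, so a sealed body re-addressed to someone
// else will not decrypt.
func sealBody(key []byte, to, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(to))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openBody is the recipient side: it recovers the plaintext only if the body
// is intact and was sealed for this recipient.
func openBody(key []byte, to, sealed string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("sealed body too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(to))
	if err != nil {
		return "", errors.New("authentication failed: body altered in transit or wrong recipient")
	}
	return string(pt), nil
}

// leaksPlaintext is the check to run on what the provider actually receives:
// if the PHI string is visible in the outbound message, encryption happened
// too late (or not at all).
func leaksPlaintext(m sealedMessage, phi string) bool {
	return strings.Contains(m.Body, phi) || strings.Contains(m.Subject, phi)
}

func main() {
	key := deriveKey([]byte("constructed shared secret for this example"))
	phi := "MRN 00482211: HbA1c 8.4%" // constructed sample PHI
	body, err := sealBody(key, "patient@example.org", phi)
	if err != nil {
		panic(err)
	}
	msg := sealedMessage{To: "patient@example.org", Subject: "Your results are available", Body: body}
	fmt.Println("provider sees plaintext:", leaksPlaintext(msg, phi))
	pt, err := openBody(key, msg.To, msg.Body)
	fmt.Println("recipient decrypts:", pt, err)
}
```

The point of binding the recipient address as associated data is that a sealed body lifted from one message cannot be re-addressed and delivered to someone else; the point of the leaksPlaintext check is that "data in motion" compliance is verified by looking at what the provider receives, not at what your own system displays.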
Zendesk
Zendesk is primarily a customer service platform, but it also provides an extensive range of tools for sales teams, including a CRM, live chat, social messaging and omnichannel communication.
The glaring omission is that there’s no email marketing platform and the automation features provided are pretty basic by today’s standards. That said, Zendesk is a truly excellent customer service platform that also provides a quality CRM, making it ideal for integration with an email marketing and automation tool that doesn’t have a built-in CRM.
How is Zendesk compliant with GDPR & HIPAA?
Zendesk offers an Advanced Security add-on, available on its Professional and Enterprise plans, that helps you achieve HIPAA compliance with data stored on the platform. However, as this support page clarifies, “Adhering to HIPAA compliance while using Zendesk largely depends on how you use the software” – a common theme you’ll hear while assessing HIPAA-compliant software.
Be prepared to pay $2,000/month for the privilege of using this add-on, though.
Another wrinkle is that HIPAA obligations play out differently across Zendesk products, depending on how each stores and handles data, so the steps you need to take for one product differ from another. Zendesk does provide a solid amount of documentation to help you achieve compliance across its products.
It’s a similar story with GDPR compliance on Zendesk. You can enhance the security features through add-ons but, ultimately, it’s your responsibility to ensure you meet compliance regulations as a data controller, as specified on the website:
“Zendesk customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR and uniquely determine what personal data is submitted to, and processed by, Zendesk in accordance with the Services.”
Much like Salesforce, Zendesk can provide some of the tools you need to achieve compliance in terms of protecting stored data but you’re still going to need to take care of data capture, consent and data usage through your own means.
Enquire
Enquire is a specialist CRM, marketing automation and contact centre solution designed for senior living and healthcare services. If any software provider is going to go all out on HIPAA compliance, it should be a company like Enquire.
Oddly, Enquire doesn't specify anywhere on its website the steps it takes to achieve or provide HIPAA compliance, even though it references compliance on every product and feature page, without going into any detail.
How is Enquire compliant with GDPR & HIPAA?
If you browse the Enquire website, you’ll see plenty of references made to HIPAA compliance but you’ll struggle to find any specific information. There are some clues scattered around the site that can point you in the right direction, though.
“Our system is HIPAA compliant and all data is hosted in Microsoft’s trust center so that you never have to worry about hosting, maintaining or losing data.”
So Enquire is relying on Microsoft's cloud platform for data security, whose compliance commitments are documented in the Microsoft Trust Center and cover every major regime, including HIPAA and GDPR.
Here are the security measures Microsoft lists:
- Microsoft proactively guards against threats in the cloud from both malicious software and cyberattacks.
- It helps your organisation manage user identities and access privileges.
- It helps protect your data with encryption.
- It complies with applicable regulatory requirements.
- It helps support compliance with HIPAA and the HITECH Act.
- It helps protect the privacy of PHI and other data.
What isn’t clear is exactly how many of these features and measures Enquire brings into its own platform courtesy of Microsoft’s Trust Center. On the plus side, the company does provide more in-depth documentation related to GDPR compliance and the features it provides to help you remain compliant.
Paubox
Paubox is the only email marketing provider in this article that specifically positions itself as the HIPAA-compliant platform for healthcare companies. In its own words, Paubox is the "HIPAA compliant email marketing solution" that healthcare companies have been waiting for.
In all honesty, the software itself makes for a drab experience but the company does deliver a dedicated email marketing platform for healthcare companies that need to achieve HIPAA compliance and, perhaps most importantly, easy-to-understand documentation.
Paubox has also picked up industry awards this year, living up to its aim of delivering a platform that makes the complex world of HIPAA compliance that bit easier.
How is Paubox compliant with GDPR & HIPAA?
Essentially, Paubox's HIPAA compliance revolves around email encryption, which brings us back to the "data in motion" side of compliance that platforms like Salesforce don't cover.
There are four key components to this:
- Email encryption: The only HIPAA compliant email solution with zero-step encryption on all sent emails. Your staff will love you for it. Your recipients too.
- Inbound email security: Leverage ExecProtect, our patent-pending technology, to eliminate display name spoofing attacks. Ransomware and phishing protection also included.
- Email DLP: Set your own Data Loss Prevention (DLP) rules so no sensitive data gets sent or received.
- Email archiving: Archive Inbound and Outbound email for eDiscovery and disaster recovery compliance. Archived messages are stored encrypted at rest.
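The DLP component above is described only as "set your own rules". As an added example that is not Paubox's code (its rule syntax is not described on this page), here is the shape of an outbound DLP check a mail gateway applies before a message leaves: pattern rules for the identifiers your organisation treats as PHI, plus a decision that lets a matching message through only when it stays inside the covered entity's own domain or has already been encrypted end to end. The rules, the internal domain clinic.example and the sample messages are all constructed for the example; the MRN format in particular is an assumption you would replace with your own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dlpRule names one class of sensitive data and the pattern that detects it.
type dlpRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// outboundRules are constructed for this example. The SSN pattern is the
// standard dashed form; the MRN format (eight digits after "MRN") is an
// assumption and should be replaced with your own record-number scheme.
var outboundRules = []dlpRule{
	{"US Social Security number", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"medical record number", regexp.MustCompile(`(?i)\bMRN\s*[:#]?\s*\d{8}\b`)},
	{"date of birth", regexp.MustCompile(`(?i)\b(?:DOB|date of birth)\s*[:]?\s*\d{1,2}/\d{1,2}/\d{4}\b`)},
}

// internalDomain is the covered entity's own mail domain (assumed).
const internalDomain = "clinic.example"

// outboundMessage is what the gateway sees just before delivery. Sealed is
// true when the body was encrypted end to end before hand-off; the PHI scan
// then runs on the plaintext the sender still holds, not on the ciphertext.
type outboundMessage struct {
	To     string
	Body   string
	Sealed bool
}

// verdict is the gateway's decision plus the rule names that fired, which is
// what gets logged and what the sender is told.
type verdict struct {
	Allowed bool
	Hits    []string
}

func isInternal(addr string) bool {
	at := strings.LastIndex(addr, "@")
	return at >= 0 && strings.EqualFold(addr[at+1:], internalDomain)
}

// evaluate applies every rule to the body and decides. A message with no hits
// is allowed as-is; a message carrying PHI is allowed only if it stays inside
// the organisation or was encrypted before it reached the gateway.
func evaluate(m outboundMessage) verdict {
	var hits []string
	for _, r := range outboundRules {
		if r.Pattern.MatchString(m.Body) {
			hits = append(hits, r.Name)
		}
	}
	if len(hits) == 0 {
		return verdict{Allowed: true}
	}
	return verdict{Allowed: m.Sealed || isInternal(m.To), Hits: hits}
}

func main() {
	// Constructed sample traffic.
	samples := []outboundMessage{
		{To: "patient@example.org", Body: "Reminder: your appointment is on Tuesday at 10am."},
		{To: "patient@example.org", Body: "MRN 00482211, DOB 04/12/1971: results attached."},
		{To: "billing@clinic.example", Body: "MRN: 00482211 needs a claim resubmitted."},
		{To: "insurer@example.net", Body: "Member SSN 123-45-6789, please confirm coverage.", Sealed: true},
	}
	for _, s := range samples {
		v := evaluate(s)
		fmt.Printf("to=%-24s allowed=%-5t hits=%v\n", s.To, v.Allowed, v.Hits)
	}
}
```

Two design points carry over to any real gateway: the rule names, not the matched values, are what you log (otherwise the DLP log itself becomes a PHI store), and the "internal recipient" exemption only holds if internal mail genuinely never leaves your own systems.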
Paubox also signs Business Associate Agreements with covered entities, and PHI can be stored on the platform.
As a result, Paubox provides some of the most comprehensive HIPAA compliance measures available, both for data at rest and data in motion. There are some caveats to this, though. Namely, Paubox isn’t going to provide all of the marketing, automation and other features you need to maximise the results of your email marketing strategy, which means you’re going to need other platforms, which might not offer the same compliance.
The other big issue here is that Paubox doesn’t offer any dedicated GDPR compliance measures – so you’ll need to choose carefully which tools you use alongside Paubox to ensure you have the coverage you need.
Which is the best email marketing & CRM tool for HIPAA compliance?
If anything, the key takeaway from this article should be that no single platform is going to take care of GDPR or HIPAA compliance for you. All of the tools in this list provide partial compliance, at the very least by meeting their own obligations as data processors.
Some go even further to provide dedicated tools to simplify compliance for you but it’s impossible for any of them to do all of the work.
These are the five email marketing and CRM tools that come closest to providing compliance measures for you, but there's no getting past the fact that, as the data controller, you have to ensure your organisation complies with every data regulation that applies to it.