Is Marketo HIPAA Compliant?

Marketo is marketing automation software focused on account-based marketing. In April 2018, Adobe purchased Marketo for $4.75 billion. The software has received widespread praise, such as featuring on the Wall Street Journal’s “Next Big Thing” list in 2012. It is unsurprising that many organisations have taken an interest in using Marketo. However, those covered by the Health Insurance Portability and Accountability Act (HIPAA) should be cautious before using the software. Marketo must adhere to HIPAA regulations if the platform is to be used in connection with electronic protected health information (ePHI).

According to HIPAA’s Privacy Rule, healthcare organisations must enter into a business associate agreement (BAA) with the solution provider if the software is to be used in conjunction with ePHI.

HIPAA has strict rules regarding how and with whom healthcare organisations may share ePHI. For example, a healthcare organisation may disclose ePHI to third parties without first obtaining the patient’s consent for the purposes of treatment, payment for healthcare, or healthcare operations. If the covered entity wishes to disclose ePHI for other reasons, including marketing, it must first obtain explicit consent from the patient.

HIPAA’s Privacy Rule (45 CFR 164.501(1)) defines marketing as “communication to an individual about a product or service that encourages the individual to purchase or use that product or service.”

Marketo and HIPAA Compliance

On its website, Marketo states that its platform has Privacy Shield certification and has been SOC2 certified. It further claims that the necessary safeguards are in place to ensure customer data are kept private and confidential.

All connections to Marketo are encrypted using high-grade 2048-bit certificates, and user sessions are secured by unique session tokens and require re-verification for each transaction. Marketo completes regular scans of its network and systems for flaws, and patches are applied promptly. Marketo also carries out penetration tests and has its products assessed by external companies. As required by HIPAA’s Security Rule, physical, technical and administrative safeguards are in place to keep the software, hardware and data secure, and each client’s data is stored in a separate database.

Marketo’s usage policy says that customers must not give Marketo access to or upload “any of the following categories of data: social security numbers; passport or visa numbers; driver’s license numbers; taxpayer or employee ID; financial account or payment card information; passwords; medical or health records or information reflecting the payment of such treatment.”

However, as neither the Marketo website nor its associated forums mention a BAA, the software cannot be considered HIPAA compliant and should not be used with ePHI.

That does not mean that healthcare bodies may not implement Marketo. Many healthcare groups, including GE Healthcare, Kindred Healthcare, Boston Children’s Hospital and EHR provider Allscripts, use the platform. Users of the platform must ensure that they are following HIPAA Rules while using Marketo.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA