No, Mailchimp is not HIPAA compliant, and it will not sign a business associate agreement (BAA) to make it so. Mailchimp is owned by Intuit, and Intuit does not offer a BAA for Mailchimp on any plan, whether Free, Essentials, Standard, or Premium. Mailchimp's terms go a step further and prohibit using the platform to collect, store, or transmit protected health information (PHI). So if you are a covered entity or a business associate under HIPAA, you cannot use Mailchimp for anything that touches PHI, and no setting, add-on, or higher tier changes that.
Key Takeaways
- 01No. Mailchimp, owned by Intuit, does not sign a HIPAA business associate agreement (BAA) on any plan, and its terms prohibit using it to handle protected health information (PHI).
- 02This applies to every tier (Free, Essentials, Standard, and Premium). No add-on or setting makes Mailchimp HIPAA compliant, and Mailchimp Transactional (Mandrill) is no different.
- 03For email that involves PHI, use a platform that signs a BAA, such as Paubox (purpose-built for HIPAA) or Constant Contact (BAA on request, with limits on sensitive PHI).
- 04Your website is a separate HIPAA gap: analytics and ad trackers firing before consent on health pages. ConsentStack blocks those and signs a BAA on its published $79/mo Business plan.
That is a firm answer, but it is not the whole question. If you run a clinic, a therapy practice, a telehealth service, or a wellness brand, you still need somewhere to send email, and you probably have a second HIPAA gap you have not checked yet: what your website's trackers do before a visitor ever consents. Here is the full picture, and what to do about both halves of it.
Does Mailchimp sign a BAA?
No. A BAA is the contract that lets a vendor handle PHI on your behalf under HIPAA, and Mailchimp does not sign one. Intuit's position is the same across every Mailchimp plan: there is no tier, and no paid add-on, that unlocks a BAA. That is different from vendors like Google Workspace or Microsoft 365, which will sign a BAA for certain products on paid plans. With Mailchimp the answer is simply no, so a covered entity has to treat it as off-limits for PHI rather than something it can configure into compliance.
What counts as PHI in email marketing?
This is where teams get caught out, because PHI is easier to create than it looks. PHI is health information tied to an identifiable person, and in an email tool the person is already identified by their email address. The health part sneaks in through how you use the list. A newsletter segmented by diagnosis or medication, appointment or refill reminders, or an audience built from the patients of a specialty practice all reveal something about a person's health. Even the list itself can qualify: the subscriber list of a cardiology clinic implies a cardiac condition before you send a single campaign.
You do not have to write anything clinical for an email to involve PHI. If the list, the segment, or the sender implies a person's condition or care, that is protected health information, and it does not belong in a platform whose terms forbid it.
What to use instead for HIPAA email
If you need to send email that involves PHI, use a provider that will sign a BAA and is built to hold that data. Two mainstream options come up most often:
| Platform | Signs a BAA? | Notes |
|---|---|---|
| Paubox | Yes | Purpose-built for HIPAA email. Signs a BAA, encrypts every message, and can segment by condition. |
| Constant Contact | Yes, on request | Signs a BAA through its legal team, but restricts sensitive PHI (mental health, substance use) and is not for medical records. |
| Mailchimp | No | No BAA on any plan. Its terms prohibit PHI. |
| Mailchimp Transactional (Mandrill) | No | Same Intuit terms. Not HIPAA compliant either. |
Whichever you pick, confirm the current terms directly with the vendor and get the BAA signed before you send anything with PHI. A platform being HIPAA capable only helps once the BAA is actually in place and you have set the tool up correctly.
The HIPAA gap on your website most teams miss
Choosing a compliant email tool solves one channel. Your website is a separate exposure, and it is the one driving a wave of litigation. When someone visits a page about a condition, a treatment, or booking an appointment, the analytics and advertising trackers on that page can fire before the visitor agrees to anything, sending the page they viewed and their IP address to third parties like Meta and Google. On a health-related site, that browsing data can amount to PHI, and it is the exact fact pattern behind the pixel-tracking settlements against hospitals and health systems.
A cookie banner does not fix this on its own. Plenty of banners sit on the page while the trackers behind them fire immediately, before anyone clicks a thing. The question is not whether you have a banner. It is whether tracking is actually held until consent, which is a rarer thing than it sounds.
How ConsentStack fits (and where it doesn't)
ConsentStack is a consent platform, not an email tool, so it does not replace Mailchimp. What it does is close the website gap: it blocks analytics and advertising trackers until a visitor consents, keeps them off when someone clicks Reject, and it will sign a BAA covering that consent layer. That BAA comes on the published Business plan at $79 a month, not an enterprise contract and not a sales call. As far as we have found, it is the only consent tool that advertises a BAA on a self-serve plan.
If you want the healthcare-specific picture, pixels stopping on Reject, audit logs, and the exact BAA scope, the healthcare consent page covers it in depth. For how the rule itself treats website tracking, see our HIPAA overview.
ConsentStack's BAA names it as your business associate for the consent layer it operates for you. Your email platform, analytics, CRM, and other vendors each still need their own BAA. A consent tool with a BAA closes the tracking-before-consent gap. It does not, by itself, make your site HIPAA compliant.
Check what your site leaks before consent
Before you change anything, it is worth seeing what your current site actually does. Run it through our free compliance scanner and see exactly which trackers fire before and after someone clicks Reject. It takes about a minute and does not ask for an email. On a health-related site, that report is the quickest way to learn whether your banner is holding tracking back or just decorating the page.
Mailchimp and HIPAA FAQ
No. Mailchimp does not sign a business associate agreement, and its terms prohibit protected health information. That holds on every plan, so covered entities and business associates cannot use it for PHI.
No. Intuit, which owns Mailchimp, does not offer a BAA for Mailchimp on any tier or as an add-on. If your use requires a BAA, Mailchimp is not an option.
Only if it contains no PHI. A general newsletter with no health specifics can be fine, but once your list or content reveals a recipient's condition, treatment, or provider type, it becomes PHI, and Mailchimp's terms prohibit that.
Providers that sign a BAA and are built to hold PHI. Paubox is purpose-built for HIPAA email, and Constant Contact will sign a BAA on request with limits on sensitive PHI. Sign the BAA and configure the tool before sending anything with PHI.
No. Mailchimp Transactional, formerly Mandrill, falls under the same Intuit terms and does not offer a BAA, so it is not suitable for PHI either.
If analytics or ad tags on health-related pages can transmit a visitor's browsing data before consent, the vendor handling them is acting as your business associate, and a BAA plus real consent blocking is what closes that gap. ConsentStack signs a BAA for the consent layer on its $79/mo Business plan.
See what your site leaks before consent
Run a free compliance scan for HIPAA-relevant tracking and EU/US rules. See what fires before anyone clicks Accept. No signup.
Related Posts
Which Cookie Consent Tools Sign a BAA? (2026)
Most cookie banners won't sign a BAA, and the ones that do usually gate it behind an enterprise contract. Here's who signs one, what it takes, and how ConsentStack does it on a published $79/mo plan.
How Cookie Consent Script Blocking Actually Works (And Why Most CMPs Fake It)
Most CMPs display a banner while tracking scripts fire freely. A technical breakdown of the three script blocking approaches and why only parse-time blocking actually works.
Meet the Free Compliance Scanner: See Where Your Site Leaks Consent
Enter your domain and in about a minute see whether your site respects visitor consent, checked from both the EU and the US. Free, no signup.