Blog

Is Mailchimp HIPAA Compliant? (2026)

No, Mailchimp is not HIPAA compliant, and it will not sign a business associate agreement (BAA) to make it so. Mailchimp is owned by Intuit, and Intuit does not offer a BAA for Mailchimp on any plan, whether Free, Essentials, Standard, or Premium. Mailchimp's terms go a step further and prohibit using the platform to collect, store, or transmit protected health information (PHI). So if you are a covered entity or a business associate under HIPAA, you cannot use Mailchimp for anything that touches PHI, and no setting, add-on, or higher tier changes that.

Key Takeaways

  • 01No. Mailchimp, owned by Intuit, does not sign a HIPAA business associate agreement (BAA) on any plan, and its terms prohibit using it to handle protected health information (PHI).
  • 02This applies to every tier (Free, Essentials, Standard, and Premium). No add-on or setting makes Mailchimp HIPAA compliant, and Mailchimp Transactional (Mandrill) is no different.
  • 03For email that involves PHI, use a platform that signs a BAA, such as Paubox (purpose-built for HIPAA) or Constant Contact (BAA on request, with limits on sensitive PHI).
  • 04Your website is a separate HIPAA gap: analytics and ad trackers firing before consent on health pages. ConsentStack blocks those and signs a BAA on its published $79/mo Business plan.

That is a firm answer, but it is not the whole question. If you run a clinic, a therapy practice, a telehealth service, or a wellness brand, you still need somewhere to send email, and you probably have a second HIPAA gap you have not checked yet: what your website's trackers do before a visitor ever consents. Here is the full picture, and what to do about both halves of it.

Does Mailchimp sign a BAA?

No. A BAA is the contract that lets a vendor handle PHI on your behalf under HIPAA, and Mailchimp does not sign one. Intuit's position is the same across every Mailchimp plan: there is no tier, and no paid add-on, that unlocks a BAA. That is different from vendors like Google Workspace or Microsoft 365, which will sign a BAA for certain products on paid plans. With Mailchimp the answer is simply no, so a covered entity has to treat it as off-limits for PHI rather than something it can configure into compliance.

What counts as PHI in email marketing?

This is where teams get caught out, because PHI is easier to create than it looks. PHI is health information tied to an identifiable person, and in an email tool the person is already identified by their email address. The health part sneaks in through how you use the list. A newsletter segmented by diagnosis or medication, appointment or refill reminders, or an audience built from the patients of a specialty practice all reveal something about a person's health. Even the list itself can qualify: the subscriber list of a cardiology clinic implies a cardiac condition before you send a single campaign.

The list itself can be PHI

You do not have to write anything clinical for an email to involve PHI. If the list, the segment, or the sender implies a person's condition or care, that is protected health information, and it does not belong in a platform whose terms forbid it.

What to use instead for HIPAA email

If you need to send email that involves PHI, use a provider that will sign a BAA and is built to hold that data. Two mainstream options come up most often:

How common email platforms handle a HIPAA BAA, based on public terms and positioning as of July 2026. Confirm current terms with each vendor.
PlatformSigns a BAA?Notes
PauboxYesPurpose-built for HIPAA email. Signs a BAA, encrypts every message, and can segment by condition.
Constant ContactYes, on requestSigns a BAA through its legal team, but restricts sensitive PHI (mental health, substance use) and is not for medical records.
MailchimpNoNo BAA on any plan. Its terms prohibit PHI.
Mailchimp Transactional (Mandrill)NoSame Intuit terms. Not HIPAA compliant either.

Whichever you pick, confirm the current terms directly with the vendor and get the BAA signed before you send anything with PHI. A platform being HIPAA capable only helps once the BAA is actually in place and you have set the tool up correctly.

The HIPAA gap on your website most teams miss

Choosing a compliant email tool solves one channel. Your website is a separate exposure, and it is the one driving a wave of litigation. When someone visits a page about a condition, a treatment, or booking an appointment, the analytics and advertising trackers on that page can fire before the visitor agrees to anything, sending the page they viewed and their IP address to third parties like Meta and Google. On a health-related site, that browsing data can amount to PHI, and it is the exact fact pattern behind the pixel-tracking settlements against hospitals and health systems.

A cookie banner does not fix this on its own. Plenty of banners sit on the page while the trackers behind them fire immediately, before anyone clicks a thing. The question is not whether you have a banner. It is whether tracking is actually held until consent, which is a rarer thing than it sounds.

How ConsentStack fits (and where it doesn't)

ConsentStack is a consent platform, not an email tool, so it does not replace Mailchimp. What it does is close the website gap: it blocks analytics and advertising trackers until a visitor consents, keeps them off when someone clicks Reject, and it will sign a BAA covering that consent layer. That BAA comes on the published Business plan at $79 a month, not an enterprise contract and not a sales call. As far as we have found, it is the only consent tool that advertises a BAA on a self-serve plan.

If you want the healthcare-specific picture, pixels stopping on Reject, audit logs, and the exact BAA scope, the healthcare consent page covers it in depth. For how the rule itself treats website tracking, see our HIPAA overview.

A BAA covers one relationship, not your whole stack

ConsentStack's BAA names it as your business associate for the consent layer it operates for you. Your email platform, analytics, CRM, and other vendors each still need their own BAA. A consent tool with a BAA closes the tracking-before-consent gap. It does not, by itself, make your site HIPAA compliant.

Before you change anything, it is worth seeing what your current site actually does. Run it through our free compliance scanner and see exactly which trackers fire before and after someone clicks Reject. It takes about a minute and does not ask for an email. On a health-related site, that report is the quickest way to learn whether your banner is holding tracking back or just decorating the page.

Mailchimp and HIPAA FAQ

See what your site leaks before consent

Run a free compliance scan for HIPAA-relevant tracking and EU/US rules. See what fires before anyone clicks Accept. No signup.

Related Posts