Is Emma HIPAA Compliant? What You Need to Know

Kevin Henry

HIPAA

April 21, 2026

5 minutes read

Emma's HIPAA Compliance Status

Short answer: no—Emma should not be used to handle Protected Health Information (PHI). Under its current services agreement, the platform is not configured to receive, process, or store PHI, and its standard terms do not provide for a Business Associate Agreement (BAA). Without a signed BAA and PHI‑specific safeguards, a vendor cannot be considered HIPAA compliant for PHI.

What this means in practice

  • Do not upload PHI (e.g., diagnoses, treatment details, medical record numbers) into lists, custom fields, or content.
  • Avoid segmenting audiences on health conditions, visits, prescriptions, or insurance/member identifiers.
  • Keep messages general; do not personalize on clinical facts that could reveal an individual’s health status.

The role of a Business Associate Agreement

HIPAA requires a Business Associate Agreement (BAA) when a vendor handles PHI on your behalf. Because Emma’s standard terms exclude PHI and do not offer a BAA, the platform falls outside HIPAA scope for PHI‑containing email.

Emma's Security Measures

Platform and infrastructure

Emma hosts data in a U.S.-based cloud environment whose providers maintain widely recognized certifications, including SOC 2 Type II and ISO 27001. Internally, Emma aligns security policies to ISO 27001 and measures its program against the NIST Cybersecurity Framework to strengthen confidentiality, integrity, and availability.

Application security controls

  • OWASP security assurance: secure development practices aligned to OWASP principles and regular code reviews.
  • Defense in depth: Web Application Firewall (WAF), continuous vulnerability scanning, and annual third‑party penetration testing.
  • Coordinated disclosure: active bug bounty/vulnerability disclosure program.
  • Encryption: AES‑256 encryption at rest; TLS 1.2+ in transit, with opportunistic TLS for email delivery.
  • Account protections: multi‑factor authentication, least‑privilege access, and detailed audit logging of key actions.

These measures reduce risk for general marketing data, but they do not substitute for HIPAA’s BAA requirement or change the prohibition on PHI.

Emma's Data Protection Practices

Data handling and access

Access to customer content is restricted to authorized personnel for support and operational needs. Production environments are segmented from staging, sessions are protected with secure cookies, and sensitive elements (such as passwords) are stored using strong salted hashes to limit exposure in the event of credential compromise.

Security operations and monitoring

Emma centrally logs and monitors key application actions for auditing and incident response. Routine security awareness training, defined security policies, and ongoing control reviews support a culture of continuous improvement.

Important limitation: no PHI

Even with robust security, Emma’s terms exclude PHI from the service. Do not ingest or transmit PHI through Emma, and do not use the platform for workflows that would create, receive, maintain, or transmit PHI.

Emma's Compliance with Other Regulations

GDPR Compliance

Emma provides guidance and tools to help customers meet GDPR obligations as data controllers, including honoring data subject rights, breach notification processes, and a Data Processing Addendum for EU/UK personal data. You remain responsible for configuring your account and processes to satisfy GDPR compliance requirements.

CAN-SPAM Act

Emma supports compliance with the CAN-SPAM Act by enabling essential controls such as unsubscribe handling, sender identification, and list hygiene. You are responsible for accurate sender details, truthful subject lines, honoring opt-outs, and avoiding purchased lists.

Industry standards

Emma’s environment leverages providers audited for SOC 2 Type II and ISO 27001, and the platform applies OWASP Security Assurance practices throughout its software lifecycle. These frameworks bolster baseline security but do not, by themselves, make a service HIPAA compliant.

Emma's Use in Healthcare Organizations

Appropriate uses (no PHI)

  • General health education newsletters and wellness content that do not identify a person’s condition or care.
  • Community outreach, events, volunteer and donor communications, and brand updates.
  • Recruitment or employer communications that do not include patient information.

Avoid using Emma for

  • Appointment reminders or notices that include identifying clinical details or identifiers.
  • Lab results, treatment plans, or any message personalized on diagnoses or services received.
  • Segments, tags, or custom fields that reveal or infer PHI.

Bottom line: Emma offers strong security and helpful compliance features for general marketing and operational email. However, because it does not sign a Business Associate Agreement and prohibits PHI, it is not HIPAA compliant for PHI‑containing workflows. If you must email PHI, choose a vendor that explicitly signs a BAA and supports PHI‑safe features end to end.

FAQs

Why is Emma not HIPAA compliant?

Emma’s standard terms exclude PHI and the platform is not configured to process, receive, or store it. HIPAA compliance for vendors that handle PHI requires a signed Business Associate Agreement and PHI‑specific safeguards, which are not available under Emma’s standard offering.

Can Emma sign a Business Associate Agreement?

No. As of now, Emma does not offer a Business Associate Agreement under its standard terms, and its services agreement expressly prohibits the use of PHI. Organizations needing a BAA should select an email platform that explicitly signs one.

What security standards does Emma meet?

Emma aligns internal policies with ISO 27001 and the NIST Cybersecurity Framework, applies OWASP Security Assurance practices, and uses a U.S.-based cloud environment whose providers maintain certifications such as SOC 2 Type II and ISO 27001. The platform also implements encryption (AES‑256 at rest, TLS 1.2+ in transit), WAF, routine scanning, annual third‑party penetration tests, MFA, and comprehensive logging.

Is Emma suitable for healthcare email marketing?

Yes—when you do not include PHI. Emma is well‑suited for general healthcare marketing like newsletters, community updates, and events. It is not suitable for messages that contain or reveal PHI. For PHI‑related email, use a vendor that signs a BAA and supports HIPAA‑compliant workflows.
