Is ActiveCampaign HIPAA compliant?
Conditionally. ActiveCampaign offers a BAA on eligible plans to cover the use and disclosure of PHI, but it must be requested and executed; the qualifying plan tier is not published, so confirm with their sales team.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: BAA available on eligible plans to cover PHI; the exact qualifying tier is not stated in official docs — contact ActiveCampaign sales
- Official source: ActiveCampaign — HIPAA-Compliant Marketing Guide — https://www.activecampaign.com/blog/hipaa-compliant-marketing (verified 2026-06)
How to use ActiveCampaign in a HIPAA-compliant way
- Contact ActiveCampaign sales to confirm BAA eligibility and the required plan.
- Request and execute the Business Associate Agreement before sending any PHI.
- Enable the HIPAA configuration ActiveCampaign provides for your account.
- Restrict PHI to supported, BAA-covered functionality.
- Maintain your own access controls, audit, and minimum-necessary practices.
Important caveats
- Being on a paid plan does not automatically grant a BAA — it must be requested and executed.
- Official docs do not name the required tier or enumerate disabled features; confirm specifics with ActiveCampaign.
- A signed BAA does not by itself make a marketing workflow HIPAA-compliant.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring ActiveCampaign correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with ActiveCampaign.
Frequently asked questions
Does ActiveCampaign sign a BAA?
On specific plans. A BAA is available on eligible plans to cover PHI; the exact qualifying tier is not stated in official docs, so contact ActiveCampaign sales. A signed BAA is required before any PHI is involved.
Is ActiveCampaign HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when ActiveCampaign offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using ActiveCampaign with PHI?
Being on a paid plan does not automatically grant a BAA — it must be requested and executed.