HIPAA Compliance & SendGrid

SendGrid is an email marketing service that allows businesses to quickly and easily communicate their marketing alerts to clients, but can the platform be used by healthcare groups? Is SendGrid compliant with HIPAA regulations?

Suppliers of cloud-based email services are not omitted from compliance with HIPAA under the conduit exception rule.

If a HIPAA-covered group wants to use an email service to correspond with patients, no protected health information (PHI) can be sent in the messages unless the requirements of HIPAA are adhered with. If PHI needs to be sent in emails, the email service provider would be classed as a business associate and a business associate agreement (BAA) would need to be completed by both parties.

The business associate agreement (BAA) outlines the duties of the business associate with respect to HIPAA and provides the covered entity with ‘reasonable assurances’ that HIPAA Rules will be adhered to by staff and the platform includes appropriate security controls to guarantee the confidentiality, integrity, and availability of ePHI.

Along with security controls to stop messages from being intercepted by unauthorized individuals, access controls are required, and an audit trail must be kept.

Will SendGrid Complete a Business Associate Agreement?

At the time of publication, SendGrid does not complete business associate agreements with HIPAA-covered entities, as the company’s platform does not natively support HIPAA-compliant data transmission. While the email service does incorporate security measures through SMTP, messages are not encrypted on the move and the platform is not intended for use with PHI.

So can SendGrid be Classified as HIPAA Compliant?

SendGrid can be implemented for marketing purposes, although PHI must not be sent in any emails. The company clearly outlines on its website, “SendGrid does not intend uses of the service to create obligations under The Health Insurance Portability and Accountability Act of 1996” and that its service should not be used “for any purpose or in any manner involving Protected Health Information (as defined in HIPAA).”

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.