Is SendGrid HIPAA Compliant?

June 16, 2018

SendGrid is an email marketing platform that lets businesses quickly and easily send marketing messages to their customers, but can the platform be used by healthcare organizations? Is SendGrid HIPAA compliant?
HIPAA Compliant Email Services
Providers of cloud-based email services are not exempt from HIPAA compliance under the conduit exception rule. That exception covers only entities that merely transmit PHI, or store it temporarily while it is in transit; an email platform that stores messages on its own servers does not qualify.
If a HIPAA-covered entity wants to use an email service to communicate with patients, no protected health information (PHI) can be included in the messages unless the requirements of HIPAA are satisfied. If PHI must be included in emails, the email service provider is classed as a business associate, and a business associate agreement (BAA) must be entered into by both parties before any PHI is sent.
The business associate agreement (BAA) sets out the business associate's obligations under HIPAA and gives the covered entity "reasonable assurances" that the HIPAA Rules will be followed by its staff and that the platform includes appropriate security controls to ensure the confidentiality, integrity, and availability of ePHI.
In addition to security controls that prevent messages from being intercepted by unauthorized parties, such as encryption in transit, access controls are essential, and an audit trail of who accessed ePHI and when must be maintained.
Will SendGrid Sign a Business Associate Agreement?
At the time of writing, SendGrid does not sign business associate agreements with HIPAA-covered entities, as the company's platform does not natively support HIPAA-compliant data transmission. Although the email service does include security measures for SMTP delivery, encryption of messages in transit is not guaranteed (TLS on SMTP is negotiated hop by hop and only when the receiving server supports it), and the platform is not intended for use with PHI.
Is SendGrid HIPAA Compliant?
SendGrid can be used for marketing purposes, provided that no PHI is included in any emails. The company states clearly on its website that "SendGrid does not anticipate uses of the service to create obligations under the Health Insurance Portability and Accountability Act of 1996" and that its service must not be used "for any purpose or in any manner involving Protected Health Information (as defined in HIPAA)."

Daniel Lopez

Daniel Lopez stands out as an exceptional HIPAA trainer, dedicated to elevating standards in healthcare data protection and privacy. Daniel, recognized as a leading authority on HIPAA compliance, serves as the HIPAA specialist for Healthcare IT Journal. He consistently offers insightful and in-depth perspectives on a wide range of HIPAA-related topics, addressing both typical and complex compliance issues. With his extensive experience, Daniel has made significant contributions to multiple publications such as hipaacoach.com, ComplianceJunction, and The HIPAA Guide, enriching the field with his deep knowledge and practical advice in HIPAA regulations. Daniel offers a comprehensive training program that covers all facets of HIPAA compliance, including privacy, security, and breach notification rules. Daniel's educational background includes a degree in Health Information Management and certifications in data privacy and security. You can contact Daniel via HIPAAcoach.com.
