Does SendGrid Comply With the HIPAA Law?

SendGrid is a service that businesses use to send email messages. It is a quick and easy way to deliver marketing messages to clients. Even so, can healthcare organizations use SendGrid without breaking HIPAA rules? Does SendGrid comply with HIPAA requirements?

The conduit exception does not cover businesses that offer cloud-based email marketing services, so these businesses must follow HIPAA rules. HIPAA-covered entities using email platforms for patient communication should be certain not to include protected health information (PHI) in emails if the email provider does not meet HIPAA requirements. If it is necessary to include PHI in email messages, both parties should sign a business associate agreement (BAA) first, because the email provider is classified as a business associate.

By entering into this BAA, the business associate confirms that it is aware of its obligations under HIPAA. The BAA gives the covered entity reasonable assurance that the service provider complies with the HIPAA Rules and that its employees and systems have the required security controls to maintain the integrity, confidentiality and availability of ePHI. Beyond those security measures, the service provider needs to make certain that unauthorized people cannot intercept the emails. That is why access controls and audit logs are required and should be monitored.

The question is whether SendGrid will sign a business associate agreement. As of this writing, SendGrid is not prepared to sign a BAA with HIPAA-covered entities. Data transmission using SendGrid does not support HIPAA compliance: there are security options available via SMTP, but messages are not encrypted when transmitted. So it must not be used to send PHI to patients.

To sum up, SendGrid is a program designed for delivering marketing emails. Its site plainly states that the business does not permit the use of its service for purposes that create obligations under HIPAA. It additionally states that its services must not be used in any way that involves Protected Health Information. Hence, SendGrid is simply not HIPAA compliant.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]