If your health organization has been investigating its options for promotional email services, you may be wondering, “Is SendGrid HIPAA compliant?” The popular service is used to send 50 billion emails each month, with major clients including Uber, Spotify and Yelp.
SendGrid offers convenient marketing campaign tools alongside its own email API, and its solutions help to both save time and offer scalability. But is SendGrid an appropriate tool for those that need to send HIPAA-compliant bulk email?
Is SendGrid HIPAA-Compliant?
“No, we are not.”
SendGrid makes this extremely clear on its Is SendGrid HIPAA-compliance page. The company should be commended for being so upfront about this. Some of its rivals take a bit of poking around to figure out whether their services can be used to protect ePHI within the confines of HIPAA regulations.
The company does not provide HIPAA-compliant marketing email software with appropriate safeguards for sensitive patient data. SendGrid goes on to say that, “We do not offer any encryption or security measures…beyond those included in the SMTP RFC, which was not designed with HIPAA compliance in mind.”
If that wasn’t enough to convince you, SendGrid’s Terms of Service certainly should:
If You are (or become) a Covered Entity or Business Associate (as defined in HIPAA) or a Financial Institution (as defined in GLBA), you agree not to use the Service for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) or Nonpublic Personal Information (as defined in GLBA).
If you got lost in the legalese and you’re still wondering “Is SendGrid HIPAA compliant?” the paragraph is essentially just a fancy reiteration of the company’s earlier response of, “No, we are not.”
As one final nail in the coffin, SendGrid’s website has no current mentions of its willingness to sign a business associate agreement (BAA). BAAs are essential for HIPAA compliance whenever one company uses the service of another to transmit, store or process their ePHI in any way.
These agreements lay down the ground rules for how data will be shared, the protection measures that will be put in place, and which party is legally responsible in different circumstances. If a company is unwilling to sign one of these agreements, then it’s impossible to use its service to process ePHI and still remain HIPAA-compliant.
SendGrid HIPAA-Compliant Alternatives
Because SendGrid is not a HIPAA-compliant marketing email service, your organization will need to look for other options that provide secure bulk email solutions. At LuxSci, we specialize in HIPAA-compliant technologies that protect data and can meet the stringent regulatory requirements.
From our High Volume secure email sending service to our HIPAA-compliant web hosting, we design all of our offerings to make it as easy as possible for our clients to comply with the laws, without compromising on usability or effectiveness.