Saturday 10 February 2018

Can I Use SendGrid and be HIPAA Compliant?


We’ve been getting asked by customers and prospects whether SendGrid can be used in a HIPAA compliant manner.

We know the HIPAA-regulated industry is vast, so we understand just how many people in this sector need to use cloud-based services.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine whether SendGrid offers a HIPAA compliant email service.

SEE ALSO: HIPAA Breaches and Cloud Providers

About SendGrid

SendGrid is a cloud-based customer communication platform for transactional and marketing email. The company was founded by Isaac Saldana, Jose Lopez, and Tim Jenkins in 2009. It was incubated through the TechStars accelerator program and went public in November 2017.

SendGrid has offices in Denver, CO; Boulder, CO; Orange, CA; Redwood City, CA; and London.

SEE ALSO: SaaStr Speaker Series with Sameer Dholakia and Ajay Agarwal: The Rule of 40 and More

SendGrid and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked SendGrid’s site and found a Documentation page called Is Sendgrid HIPAA Compliant?

On that page, they clearly state:

No, we are not.

SendGrid does not natively support HIPAA compliant data transmission. We do not offer any encryption or security measures surrounding message transmission beyond those included in the SMTP RFC, which was not designed with HIPAA compliancy in mind.
Furthermore, on their Terms of Service page, they say:

SendGrid does not intend uses of the Service to create obligations under The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”) or similar Laws (as defined below) and makes no representations that the Service satisfies the requirements of such laws. If You are (or become) a Covered Entity or Business Associate (as defined in HIPAA) or a Financial Institution (as defined in GLBA), You agree not to use the Service for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) or Nonpublic Personal Information (as defined in GLBA). You will not allow any access to or use of the Services by anyone other than Your authorized Users or OEM Users (as applicable), and any such use will be consistent with the terms, conditions and restrictions set forth in this Agreement.

Does SendGrid Offer HIPAA Compliant Email Service?

The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate.

SendGrid clearly states that it is not in the business of providing a HIPAA compliant email service.

Conclusion

SendGrid is not a HIPAA Compliant email solution.
