SendGrid is a platform that companies use for email marketing. It makes communicating marketing messages to customers quick and easy. However, can SendGrid be used by healthcare organizations without violating HIPAA Rules? Is SendGrid HIPAA compliant?
Companies that provide cloud-based email services are not covered by the conduit exception, so they must comply with HIPAA Rules. HIPAA-covered entities that use an email service for patient communication must make sure that protected health information (PHI) is not included in messages if the service provider does not satisfy HIPAA requirements. If PHI does need to be included in emails, the two parties must first enter into a business associate agreement (BAA), because the email service provider will then be classed as a business associate.
By signing a business associate agreement (BAA), the business associate confirms that it understands its responsibilities under HIPAA. The BAA gives the covered entity reasonable assurance that the email service provider follows the HIPAA Rules, that its platform has the security controls needed to ensure the confidentiality, integrity, and availability of ePHI, and that its staff have been trained and understand their responsibilities under HIPAA. The service provider must also implement access controls, secure data in transit and at rest, and maintain an audit trail.
So, will SendGrid sign a BAA? At this time, SendGrid is not open to signing a BAA with HIPAA-covered entities, because the platform does not support HIPAA-compliant data transmission. SendGrid has security measures in place, but messages are not encrypted in transit, so the platform cannot be used in connection with any ePHI.
In summary, SendGrid is a platform intended for sending marketing messages but it should not be used by HIPAA-covered entities to send ePHI. SendGrid clearly states on its website that the company does not authorize use of its platform in any manner that creates obligations under HIPAA. It further states that its service should not be used in any manner that involves Protected Health Information.