Is SparkPost HIPAA Compliant?

SparkPost is a well-known email delivery and analytics program used by a lot of businesses for communicating with their customers. Can healthcare organizations use SparkPost in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Does SparkPost support HIPAA compliance?

This post is one of a series that reviews software solutions to determine whether they are suitable for use by healthcare organizations that need to adhere to HIPAA Rules.

HIPAA Compliant Email Marketing for Healthcare Organizations

SparkPost is an email delivery and analytics platform that is used to send around 37% of all business-to-consumer emails. The email solution suits companies of all sizes and provides in-depth analytics on email marketing campaigns. The platform offers message security, and SparkPost has attained SOC 2 Type 2 certification. The platform also includes anti-phishing controls to minimize the danger of email impersonation attacks.

Marketing messages are only permitted by the HIPAA Privacy Rule if authorization is obtained from patients/plan members in advance. Healthcare organizations must also maintain documentation confirming that the authorizations to receive marketing communications have been received. Provided authorizations have been obtained, marketing emails can be sent, but if a marketing platform such as SparkPost is used to communicate messages containing PHI, the platform provider will be classed as a HIPAA business associate and a business associate agreement will be required.

Is SparkPost HIPAA Compliant?

SparkPost states in its terms and conditions that uploading highly sensitive data to the platform is prohibited. The following information cannot be uploaded: Social Security numbers, financial data, insurance details, government-issued ID numbers, and medical and health care data. SparkPost also states in its T&Cs that any information classified as protected health information under HIPAA Rules must not be stored or transmitted using the platform. In addition, SparkPost will not enter into a business associate agreement (BAA) with healthcare organizations.

Because SparkPost does not sign BAAs and prohibits the upload of ePHI, SparkPost does not support HIPAA compliance. The platform can still be used by healthcare organizations, just not in connection with any ePHI.