Since Paubox is a Business Associate to thousands of customers, we’ve been wondering whether those customers are able to use Twilio SendGrid in a HIPAA compliant manner.
As context, in 2018 we wrote the post, Can I Use SendGrid and be HIPAA Compliant?
Now that SendGrid has been acquired, we’re doing an updated post in 2023 to see if circumstances have changed (SendGrid was not HIPAA compliant in 2018).
In fact, we’ve noticed more vendors, customers, and prospects asking about HIPAA compliant services.
This is especially true now as we see an accelerated, long overdue adoption of digital transformation in healthcare.
We know the healthcare industry is vast, so we can empathize with just how many people need to use cloud services in this sector while staying HIPAA compliant.
Today we will determine if Twilio SendGrid offers HIPAA compliant email service or not.
Twilio SendGrid is a cloud-based email delivery service that helps businesses send emails that land in the recipient’s inbox. It provides a scalable, reliable, and cost-effective way for businesses to send transactional emails without having to build and maintain an in-house mail infrastructure. The company provides various features to help businesses send emails, such as APIs for integration with other systems, marketing campaigns, and real-time analytics.
It was acquired by Twilio in 2018 for $2 billion and shortly after changed its name to Twilio SendGrid.
Twilio SendGrid and the business associate agreement
There is one primary item to consider when it comes to Twilio SendGrid and its ability to provide a HIPAA compliant email API: the business associate agreement.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We once again checked the Twilio SendGrid site, as well as SendGrid’s standalone site, for mention of their ability to sign a BAA.
We found the following pages:
On those pages, we can see that:
- Twilio does offer HIPAA compliant products and services and is willing to sign a BAA for them.
- SendGrid is still not HIPAA compliant.
- SendGrid is not a product listed by Twilio as a HIPAA eligible product.
Does Twilio SendGrid offer HIPAA Compliant Service?
The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.
Here is what we learned about whether Twilio SendGrid can be considered a HIPAA compliant solution:
- Twilio SendGrid is still not HIPAA compliant.
- While Twilio does offer HIPAA eligible products and services and will sign a BAA for them, Twilio SendGrid is not one of them.
Conclusion: because SendGrid is not among the products covered by Twilio’s BAA, Twilio SendGrid remains not in compliance with HIPAA regulations.