June 16, 2018
SendGrid is an email marketing platform that lets businesses quickly and easily send marketing messages to their customers. But can the platform be used by healthcare organizations? Is SendGrid HIPAA compliant?
HIPAA Compliant Email Services
Providers of cloud-based email services are not exempt from HIPAA compliance under the conduit exception rule.
If a HIPAA-covered entity wants to use an email service to communicate with patients, no protected health information (PHI) can be included in the messages unless the requirements of HIPAA are satisfied. If PHI must be included in emails, the email service provider would be classed as a business associate, and both parties would need to enter into a business associate agreement (BAA).
The BAA outlines the responsibilities of the business associate with respect to HIPAA and provides the covered entity with ‘reasonable assurances’ that HIPAA Rules will be followed by staff and that the platform includes appropriate security controls to ensure the confidentiality, integrity, and availability of ePHI.
In addition to security controls that prevent messages from being intercepted by unauthorized individuals, access controls are essential, and an audit trail should be maintained.
Will SendGrid Sign a Business Associate Agreement?
At the time of writing, SendGrid doesn’t sign business associate agreements with HIPAA-covered entities, as the company’s platform doesn’t natively support HIPAA-compliant data transmission. Although the email service does include security measures through SMTP, messages aren’t encrypted in transit and the platform isn’t meant for use with PHI.
Is SendGrid HIPAA Compliant?
SendGrid can be used for marketing purposes, although PHI must not be included in any emails. The company clearly states on its website, “SendGrid doesn’t expect uses of the facility to create responsibilities under The Health Insurance Portability and Accountability Law of 1996” and that its facility must not be used “for any objective or in any way involving Protected Health Information (as defined in HIPAA).”