Is Twilio SendGrid HIPAA Compliant?
Twilio SendGrid is not HIPAA compliant and cannot be used to send email communications containing Protected Health Information (PHI) as to do so would not only be a violation of HIPAA but also a violation of SendGrid’s Terms of Service. However, SendGrid can be used by healthcare organizations to send general healthcare-related communications and marketing campaigns.
SendGrid is a versatile email communication platform with multiple features to help organizations automate transactional communications and run effective email marketing campaigns. Since 2019, SendGrid has been part of the Twilio product family and available as a standalone email platform or as part of an integrated customer engagement solution.
Making the Use of Twilio SendGrid HIPAA Compliant
Although Twilio does offer some HIPAA Eligible Products and Services, SendGrid is not among them. SendGrid states on its website that the platform does not natively support HIPAA compliant data transmission and refers visitors to a clause in its Terms of Service that prohibits customers from “using the service for any purpose or in any manner involving Protected Health Information”.
As options for making the use of Twilio SendGrid HIPAA compliant, the company suggests that covered entities and business associates either encrypt the message body of email sent through the platform (note: this does not work unless the subject line and metadata are also encrypted, because those fields are transmitted and stored in the clear) or send a download link to securely stored documents rather than transmitting the document itself by email.
How Healthcare Organizations Can Still Use SendGrid
The suggested options to make the use of Twilio SendGrid HIPAA compliant are both messy and subject to errors that could result in impermissible disclosures of – or unauthorized access to – PHI. Due to the administrative overhead and increased risks when making Twilio SendGrid HIPAA compliant, it is more practical to use a SendGrid alternative to collect, store, or transmit PHI by email.
However, this does not mean healthcare organizations cannot still use SendGrid to communicate with patients via email. Indeed, the site offers a wide range of healthcare-related templates for reminding patients to get their flu jabs, distributing newsletters, and requesting volunteer support. All of the templates are easy to customize with HTML and WYSIWYG editing.
Overcoming Potential Compliance Issues
Potentially the only issue with using Twilio SendGrid for mass email communications and a SendGrid alternative for sending PHI via email is that workforce members could be confused about which to use in which circumstances. There are a number of ways to overcome this potential issue – for example, by applying MFA to accounts with access to PHI, by separating marketing teams from administrative teams, or by providing additional HIPAA training.
Organizations that require assistance in reducing the risks of a HIPAA violation or improving HIPAA compliance should seek professional compliance advice.