Is SparkPost HIPAA Compliant?

SparkPost is a popular email delivery and analytics platform that is used by many enterprises to communicate with customers, but can SparkPost be used by healthcare organizations in connection with electronic protected health information (ePHI)? Is SparkPost HIPAA compliant?

HIPAA Compliant Email Solutions for Healthcare Organizations

As part of our series of posts assessing software solutions and cloud services for their suitability for use by healthcare organizations required to comply with HIPAA Rules, we have assessed SparkPost to determine whether the company supports HIPAA compliance and whether its platform can be used in a HIPAA compliant manner.

SparkPost is the leading worldwide email delivery and analytics platform and is used to send 37% of all business-to-consumer emails. The email solution caters to organizations of all sizes and delivers powerful analytics. The platform incorporates a range of security measures, including anti-phishing controls to reduce the risk of email impersonation attacks, and the company has achieved SOC 2 Type 2 certification.

For healthcare organizations looking for an email solution to communicate with patients and health plan members, email security is only part of the story. Other controls are required for HIPAA compliance, so does SparkPost satisfy those requirements?

Is SparkPost HIPAA Compliant?

The terms and conditions for users of SparkPost prohibit the uploading of highly sensitive information to the platform, including Social Security numbers, government-issued ID numbers, financial information, insurance information, and medical and health data. SparkPost even specifically states in its T&Cs that the platform cannot be used in connection with any information classed as protected health information under HIPAA Rules. It is therefore no surprise that SparkPost does not offer healthcare organizations a business associate agreement (BAA), which is a requirement for HIPAA compliance.

The absence of a BAA and the prohibition on uploading ePHI mean SparkPost is not a HIPAA-compliant email service.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.