We’ve been getting asked by customers and prospects about SendGrid and their ability to use it in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Citrix ShareFile
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Slides
- Google Voice
- Office 365
- Return Path
Today, we will determine whether SendGrid offers a HIPAA compliant email service.
SendGrid is a cloud-based customer communication platform for transactional and marketing email. The company was founded by Isaac Saldana, Jose Lopez, and Tim Jenkins in 2009. It was incubated through the TechStars accelerator program and went public in November 2017.
SendGrid has offices in Denver, CO; Boulder, CO; Orange, CA; Redwood City, CA; and London.
SendGrid and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked SendGrid's site and found a documentation page titled "Is SendGrid HIPAA Compliant?"
On that page, they state clearly:
No, we are not.
SendGrid does not natively support HIPAA compliant data transmission. We do not offer any encryption or security measures surrounding message transmission beyond those included in the SMTP RFC, which was not designed with HIPAA compliancy in mind.
Furthermore, on their Terms of Service page, they say:
SendGrid does not intend uses of the Service to create obligations under The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”) or similar Laws (as defined below) and makes no representations that the Service satisfies the requirements of such laws. If You are (or become) a Covered Entity or Business Associate (as defined in HIPAA) or a Financial Institution (as defined in GLBA), You agree not to use the Service for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) or Nonpublic Personal Information (as defined in GLBA). You will not allow any access to or use of the Services by anyone other than Your authorized Users or OEM Users (as applicable), and any such use will be consistent with the terms, conditions and restrictions set forth in this Agreement.
Does SendGrid Offer HIPAA Compliant Email Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
SendGrid clearly states that it is not in the business of providing HIPAA compliant email service, and its Terms of Service prohibit Covered Entities and Business Associates from sending Protected Health Information through the service.
SendGrid is not a HIPAA Compliant email solution.