We've been seeing more vendors, customers, and prospects asking about HIPAA compliant services. This is especially true now as we see an accelerated, long overdue adoption of digital transformation in healthcare. Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if they are able to use Grammarly in a HIPAA compliant manner.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector. Today we will determine whether Grammarly offers a HIPAA compliant service or not.
Grammarly
Grammarly is a cloud service that automatically detects potential grammar, spelling, punctuation, word choice, and style mistakes. According to a blog post in 2018:
"Grammarly’s products are powered by an advanced system that combines rules, patterns, and artificial intelligence techniques like machine learning, deep learning, and natural language processing to improve your writing."
The above snippet is important and will be revisited in this post. Grammarly was founded by Alex Shevchenko and Max Lytvyn in 2009.
What is a Business Associate?
A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Read full article: What does it mean to be a Business Associate?
Business Associate Agreement provisions
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement (BAA) must be in place. A BAA is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance. At a minimum, a Business Associate Agreement contains 10 provisions.
Read full article: Business Associate Agreement Provisions
Grammarly and the Business Associate Agreement
As we previously mentioned, Grammarly uses machine learning, deep learning, and natural language processing to improve writing for its users. But in order to do that, vast amounts of user data must be stored in Grammarly's platform. We checked Grammarly's site for mention of their ability to sign a Business Associate Agreement (BAA). We weren't able to find any mention of a Business Associate Agreement, PHI, or HIPAA on the following pages:
Grammarly and HIPAA compliance
In July 2021 Grammarly published a statement: Grammarly's New Security Milestones Affirm Our Focus on Protecting User Data. The document states:
"We are compliant with the Health Insurance Portability and Accountability Act, demonstrating our commitment to protecting and securing sensitive user information."
Although it does not specifically mention signing a BAA, the company says it has a security and privacy-first culture and is committed "to securing and protecting the information of everyone using our product—whether you’re an individual, small business, or large enterprise." However, Grammarly's Privacy Page specifically states:
... we cannot ensure the security of Information you transmit to us, including Personal Data and User Content; accordingly, you acknowledge that you do so at your own risk.