
Is Spark HIPAA compliant?

Spark is a personal email client that functions much like Outlook. It features a smart inbox, smart search, email snoozing, and intelligent prioritization of emails. These features all promise to help you reach inbox zero. But can healthcare providers use Spark to send HIPAA compliant email?

How Spark works with data

Email clients must be able to access your mailbox (to read and send emails) in order to function properly. Spark promises to work with data using the following guidelines:
  1. Purpose limitation: usage of your data is limited in scope to only what is absolutely necessary
  2. Data minimization: data that is collected is the absolute minimum
  3. Honesty and transparency: Spark tells users why, when, and which data will be collected and for what purpose
  4. Security: the company uses “recommended practices” to keep your data safe
  5. Respect for your rights: the company is General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliant

In addition to following these guidelines, Spark employs other security methods for working with data, such as encrypting a portion of the email subject and body for notifications and encrypting messages on a server for its Send Later feature. Spark deletes all encrypted data after it has served its purpose. 

Spark and the Business Associate Agreement

A business associate agreement (BAA) is a written contract between a business associate and a covered entity. It outlines the duties and responsibilities that a business associate has to keep protected health information (PHI) secure. A BAA must be signed for HIPAA compliance. We could find no evidence that Spark will sign a BAA. Also, there is no mention of HIPAA compliance in Spark’s Terms of Use. The only mention of data protection corresponds to the GDPR.

Is Spark HIPAA compliant?

We found no evidence that Spark will sign a BAA, and without a BAA a company cannot be HIPAA compliant.

Get HIPAA compliant email with Paubox

Paubox Email Suite provides HIPAA compliant email that’s HITRUST CSF certified with robust security, featuring blanket TLS encryption and two-factor authentication. Paubox’s email solution integrates with the email platform you already use (Google Workspace, Microsoft 365, or Microsoft Exchange). There are no passwords or portals to go through, as your emails land directly in your patients’ inboxes.
