Customers and prospects have been asking us about SparkPost and whether they can use it in a HIPAA-compliant manner. We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
Today, we will determine if SparkPost offers HIPAA compliant email service or not.
SparkPost is an email infrastructure provider that sends over 3 trillion messages a year. A direct competitor to SendGrid, SparkPost is located a mile away from us in San Francisco.
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked SparkPost's site and could not find any mention of their ability to sign a BAA. We did, however, find a page called Messaging Policy. On that page, they state:
Sensitive Information. You will not import, or incorporate into, any contact lists or other content you upload to the Services or the Site, any of the following information: social security numbers, national insurance numbers, credit card data, passwords, security credentials, bank account numbers, or sensitive personal, health or financial information of any kind.
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate. By prohibiting health information in any content uploaded to its services, SparkPost's Messaging Policy clearly states they are not in the business of providing HIPAA Compliant email service.
SparkPost is not a HIPAA Compliant email solution.