Is Twilio HIPAA Compliant?
by Ryan Ozawa
When software developers want their apps and tools to connect with users via text messages, they often turn to Twilio.
Based in San Francisco and founded in 2008, Twilio has become part of the communications infrastructure for many companies and brands you’d recognize, like Lyft and Airbnb.
The company’s services—which span video, voice, messaging and security—make it easy for businesses to do much more than send emails.
And in the time of COVID-19, Twilio has become a valued partner for the healthcare industry, allowing medical providers to extend their telehealth services.
From sending simple text messages to patients about medication refills, to incorporating video into remote appointments, the company’s communications services can help save lives.
Is Twilio HIPAA compliant?
Twilio recently announced that some of its offerings can now be part of a HIPAA compliant product or service. But even with this milestone, whether Twilio itself is HIPAA compliant is more complicated than a simple yes or no.
Twilio is only part of a larger solution, such as a pharmacy app for an HMO or a contact tracing app for a government health agency. For that larger solution to be HIPAA compliant, Twilio must be established as a business associate of the covered entity that built it.
Twilio does offer a BAA for covered entities for some of its products. Customers that are subject to HIPAA and intend to utilize Twilio to develop communication workflows containing PHI must execute what it calls a “business associate addendum” (i.e. a BAA) to Twilio’s Terms of Service.
The company explains its BAA in more detail in its own documentation.
Also, customers requiring a BAA with Twilio must be signed up for its Enterprise Edition.
Conclusion: Some Twilio products can be used in a HIPAA compliant manner when a BAA is signed.
Which Twilio products can be HIPAA compliant?
Only certain Twilio products and services are eligible for HIPAA compliance: Programmable SMS, Programmable Video, Programmable Voice and SIP, and Runtime Tools.
If you use one or more of these eligible services, Twilio provides a guide to architecting for HIPAA on its platform, which requires controls such as encrypted communications and signed webhook requests.
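As an added example (not code from the article or from Twilio), here is how a webhook receiver can verify the X-Twilio-Signature header that signed webhook requests carry, following Twilio's documented scheme: HMAC-SHA1 over the full request URL plus the key-sorted POST parameters, keyed with the account auth token and base64-encoded. The auth token, URL and parameters below are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional


def compute_twilio_signature(auth_token: str, url: str, post_params: Mapping[str, str]) -> str:
    """Recompute the X-Twilio-Signature value for a form-encoded webhook POST.

    The signed string is the full URL exactly as Twilio requested it (scheme,
    host, path and query string) followed by every POST parameter as key+value
    with no separators, in key-sorted order. Twilio HMAC-SHA1s that string with
    the account auth token and base64-encodes the digest.
    """
    payload = url + "".join(key + value for key, value in sorted(post_params.items()))
    digest = hmac.new(auth_token.encode("utf-8"), payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, post_params: Mapping[str, str],
                            signature_header: Optional[str]) -> bool:
    """Return True only if the header matches; run this before touching any PHI in the body."""
    if not signature_header:
        return False
    expected = compute_twilio_signature(auth_token, url, post_params)
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(expected, signature_header)


# Constructed sample request: not real credentials, numbers or patient data.
SAMPLE_AUTH_TOKEN = "constructed-auth-token-not-real"
SAMPLE_URL = "https://hooks.example.invalid/sms/inbound?clinic=42"
SAMPLE_PARAMS = {"From": "+15550100001", "To": "+15550100002", "Body": "Refill reminder received"}


if __name__ == "__main__":
    good_sig = compute_twilio_signature(SAMPLE_AUTH_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
    print("genuine request accepted:",
          is_valid_twilio_request(SAMPLE_AUTH_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, good_sig))
    tampered = dict(SAMPLE_PARAMS, Body="Refill reminder CHANGED")
    print("tampered body rejected:",
          not is_valid_twilio_request(SAMPLE_AUTH_TOKEN, SAMPLE_URL, tampered, good_sig))
```

Behind a reverse proxy or TLS terminator, rebuild the public URL (scheme and host) that Twilio actually called rather than trusting what the application server sees, or genuine signatures will never match.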
Note that Twilio’s HIPAA-eligible products and services have no unique features or functionality; the security controls are the same across all of its products. The difference lies in how customers configure and use them. Twilio explains:
Twilio’s BAA has been developed taking into account the specific products and services that Twilio offers and considers HIPAA compliance as a shared responsibility between the customer and Twilio.
Some Twilio products can be used in a HIPAA compliant manner, but the company sees HIPAA compliance as a shared responsibility.
To achieve compliance, you will need to be an Enterprise Edition customer, sign a BAA, and be sure to follow Twilio’s HIPAA requirements and recommendations.