Is SendGrid HIPAA Compliant: Security Features
Software can never be considered fully HIPAA compliant in itself, because compliance comes down to how the end user uses it. Even so, certain security features are required to secure PHI. One such security measure is encryption.
SendGrid clearly states on its website that it does not offer HIPAA compliant data transmission: “SendGrid does not natively support HIPAA compliant data transmission. We do not offer any encryption or security measures surrounding message transmission beyond those included in the SMTP RFC, which was not designed with HIPAA compliancy in mind.”
So SendGrid lacks the security measures required to be HIPAA compliant.
Is SendGrid HIPAA Compliant: Business Associate Agreements
In addition to security features, software providers that create, receive, transmit, store, or maintain PHI must be willing to sign a business associate agreement. SendGrid does not sign business associate agreements, stating, “SendGrid does not intend uses of the Service to create obligations under The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”) or similar laws and makes no representations that the Service satisfies the requirements of such laws. If You are (or become) a Covered Entity or Business Associate (as defined in HIPAA) or a Financial Institution (as defined in GLBA), You agree not to use the Service for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) or Nonpublic Personal Information (as defined in GLBA).”
Is SendGrid HIPAA Compliant?
No, SendGrid is not HIPAA compliant. It lacks the proper security measures, and the company will not sign a business associate agreement, so it cannot be used in conjunction with PHI.