Sendinblue is a digital marketing tool that allows businesses to send automated emails, texts, and chats, among other services. Many businesses use these types of tools to attract new clients or communicate with existing ones. But as an organization working in healthcare, you must consider whether or not an automation platform like Sendinblue offers a HIPAA compliant service. So is Sendinblue HIPAA compliant? Details are discussed below.
Why is HIPAA Compliance Important?
For a marketing tool to be effective, it often requires the input of consumer data, but as a healthcare organization your consumers are patients. So for you to use an automation tool like Sendinblue, you would most likely need to filter patient data through the platform. As such, Sendinblue would be considered a business associate under HIPAA. As a business associate, Sendinblue is required to be HIPAA compliant to work with healthcare clients. This ensures the confidentiality, integrity, and availability of protected health information (PHI).
Sendinblue Security Features
As HIPAA requires the confidentiality, integrity, and availability of PHI, it is important to assess a business associate’s security features. This way you can be confident that the business associate is safeguarding the PHI that you share with them.
According to the Sendinblue terms of use, although they take measures to secure data, they don’t want their users filtering sensitive information through their platform: “Users shall undertake not to include in the distribution lists uploaded onto the Sendinblue platform any personal data known as “sensitive” within the meaning of Article 9 of the GDPR, and in particular no health data, but also no data relating to criminal convictions and offences, any social security number, or any bank card number.”
Furthermore, they state that should user information be compromised by a breach, the user is responsible for dealing with the consequences. This alone is enough to declare that Sendinblue is not HIPAA compliant.
Sendinblue Business Associate Agreement
To provide a definitive answer as to whether or not Sendinblue is HIPAA compliant, it is also important to consider their willingness to sign a business associate agreement (BAA). This is because HIPAA requires healthcare organizations to have signed business associate agreements with all of their vendors before they are permitted to share PHI with them. As there is no mention of HIPAA or BAAs on Sendinblue’s website, and they explicitly state that they don’t want users uploading sensitive information to their platform, it is fair to say that they would not sign a BAA.
Is Sendinblue HIPAA Compliant?
Is Sendinblue HIPAA compliant? No, Sendinblue is not HIPAA compliant and therefore cannot be used in conjunction with PHI. It is recommended that healthcare organizations choose a different, HIPAA compliant platform, rather than working with Sendinblue.