Can SparkPost be Deemed HIPAA Compliant?

SparkPost is a widely used email delivery and analytics platform that many enterprises implement to send information to customers.

Healthcare bodies are required to adhere to the HIPAA Rules, so to determine whether SparkPost supports HIPAA compliance and whether its platform can be used in a HIPAA-compliant manner, we have considered the following.

SparkPost is the largest global email delivery and analytics platform and is used to broadcast 37% of all business-to-consumer email correspondence. The email solution works with groups of all sizes and delivers powerful analytics. The platform includes a range of security measures, including anti-phishing measures to lessen the risk of email impersonation attacks, and the company has been given SOC 2 Type 2 certification.

For healthcare groups seeking an email solution to communicate with patients and health plan members, email security is only part of the story. Other safeguards are necessary for HIPAA compliance, so does SparkPost meet those requirements?

Can SparkPost be Referred to as HIPAA Compliant?

The terms and conditions for SparkPost subscribers prohibit the uploading of highly sensitive data to the platform, including Social Security numbers, government-issued ID numbers, financial details, insurance data, and medical and health data. SparkPost even specifically states in its T&Cs that the platform must not be used in connection with any information classified as protected health information under the HIPAA Rules. It is therefore no surprise that SparkPost does not offer healthcare groups a business associate agreement (BAA), which is necessary for HIPAA compliance.

Therefore, the absence of a BAA and the prohibition on uploading ePHI mean that SparkPost cannot be regarded as a HIPAA-compliant email service.

Author: Security News