Twilio SendGrid is not HIPAA compliant and cannot be used to send email containing Protected Health Information: doing so violates HIPAA and SendGrid’s Terms of Service. Healthcare organizations can still use it for general healthcare communications and marketing campaigns that contain no Protected Health Information.
SendGrid is an email communication platform that supports automated transactional messages and email campaigns. Since 2019, SendGrid has been part of the Twilio product family and is available as a standalone platform or within an integrated customer engagement offering. Twilio offers some HIPAA eligible products and services, but SendGrid is not among them.
SendGrid states that it does not natively support HIPAA compliant data transmission and points to a Terms of Service restriction that prohibits using the service for any purpose or in any manner involving Protected Health Information. Twilio has suggested approaches intended to avoid transmitting Protected Health Information through the platform, including encrypting the email message body or sending a download link to secure documents rather than transmitting documents by email. Encrypting only the message body does not address the subject line and message metadata unless those elements are also encrypted.
These workarounds add administrative overhead and introduce opportunities for error that can result in impermissible disclosure of, or unauthorized access to, Protected Health Information. For workflows that require email involving Protected Health Information, a separate email service designed for collecting, storing, or transmitting Protected Health Information provides clearer operational boundaries than attempting to adapt SendGrid.
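The "send a link, not the document" pattern above only holds if every field of the outgoing message stays free of patient-specific text, not just the body. The following send-time guard is an added example written for this page; it is not Twilio's or SendGrid's code. It assumes the message is a dict in the shape of the SendGrid v3 mail-send JSON (`personalizations`, `subject`, `content`, `attachments`, `custom_args`, `categories`, `headers`), that `portal.example.org` is a placeholder for a separate service that is designed to hold Protected Health Information, and that the allowed subjects and body template are policy choices made here for illustration. The guard does not try to detect Protected Health Information in free text; it refuses anything that is not the fixed link-only template, which is the operational boundary the paragraph argues for.

```python
import re

# Generic subjects that carry no patient-specific information. Anything else is
# rejected because encrypting the body leaves the subject line in the clear.
ALLOWED_SUBJECTS = frozenset({
    "A new secure message is waiting for you",
    "Action needed: sign in to your patient portal",
})

# Assumed host of the separate PHI-capable portal; the email carries only a
# link into it, never the document itself.
PORTAL_LINK_RE = re.compile(r"^https://portal\.example\.org/m/[A-Za-z0-9_-]{8,}$")

# Fixed body template: the only variable element is the portal link.
BODY_TEMPLATE = "You have a new secure message. Sign in to view it:\n{link}\n"

# Top-level fields SendGrid stores or forwards alongside the body (assumed
# field names follow the v3 mail-send JSON shape). None may carry free text.
METADATA_FIELDS = ("custom_args", "categories", "headers")

# Per-recipient fields that would let free text back in through personalization.
PERSONALIZATION_FREE_TEXT = ("subject", "substitutions", "dynamic_template_data",
                             "custom_args", "headers")


def build_notification(to_email: str, secure_link: str) -> dict:
    """Build a link-only notification in SendGrid v3 mail-send JSON shape."""
    if not PORTAL_LINK_RE.match(secure_link):
        raise ValueError("link must point at the PHI-capable portal, not a file host")
    return {
        "personalizations": [{"to": [{"email": to_email}]}],
        "from": {"email": "no-reply@example.org"},  # assumed sender
        "subject": "A new secure message is waiting for you",
        "content": [{"type": "text/plain",
                     "value": BODY_TEMPLATE.format(link=secure_link)}],
    }


def body_matches_template(body: str) -> bool:
    """True only if the body is BODY_TEMPLATE with exactly one portal link substituted."""
    prefix, suffix = BODY_TEMPLATE.split("{link}")
    if not (body.startswith(prefix) and body.endswith(suffix)):
        return False
    link = body[len(prefix):len(body) - len(suffix)]
    return PORTAL_LINK_RE.match(link) is not None


def guard(msg: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the message may be sent."""
    problems = []
    if msg.get("subject") not in ALLOWED_SUBJECTS:
        problems.append("subject is not an approved generic subject")
    if msg.get("attachments"):
        problems.append("attachments are not allowed; send a portal link instead")
    for field in METADATA_FIELDS:
        if msg.get(field):
            problems.append(f"{field} present: metadata is not covered by body encryption")
    for p in msg.get("personalizations", []):
        for key in PERSONALIZATION_FREE_TEXT:
            if p.get(key):
                problems.append(f"personalizations.{key} present: per-recipient free text")
    contents = msg.get("content", [])
    if not contents:
        problems.append("message has no content")
    for c in contents:
        if not body_matches_template(c.get("value", "")):
            problems.append(f"{c.get('type')} body deviates from the link-only template")
    return problems


if __name__ == "__main__":
    # Constructed sample: a compliant notification and one with a revealing subject.
    ok = build_notification("patient@example.net", "https://portal.example.org/m/abc12345xyz")
    print("compliant:", guard(ok))
    leaky = dict(ok, subject="Your MRI results from 2024-03-01")
    print("leaky subject:", guard(leaky))
```

Wire `guard()` in front of whatever calls the mail-send API and fail closed: any non-empty list means the message does not leave the system, and the violation strings go to the audit log rather than to the recipient.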
Healthcare organizations can use SendGrid to communicate with patients as long as the messages exclude Protected Health Information. SendGrid provides healthcare-related templates for vaccination reminders, newsletters, and volunteer requests, and templates can be customized with HTML and WYSIWYG editing. If an organization uses SendGrid for mass email and a separate solution for Protected Health Information, workforce members can confuse which tool is permitted for which communication. Risk reduction measures include applying multi-factor authentication to accounts with access to Protected Health Information, separating marketing teams from administrative teams, and providing additional HIPAA training.
