Is SparkPost HIPAA Compliant?
SparkPost is not HIPAA compliant because the terms and conditions of the now rebranded service prohibit violations of “any legal, regulatory, self-regulatory, governmental, statutory requirements of codes of practice”. As SparkPost lacks the safeguards to comply with HIPAA, any use of the service that discloses Protected Health Information (PHI) would be a violation of HIPAA.
SparkPost is an email service that enables customers to automate email processes (e.g., welcome emails), develop multi-step email campaigns, and send targeted bulk emails based on customer behaviors. Since the brand’s acquisition by MessageBird in April 2021, customers have also been able to take advantage of SMS marketing, WhatsApp marketing, and social media marketing capabilities.
The service’s appeal is likely to increase in the coming months following the announcement that MessageBird is being rebranded as Bird.com and reducing its pricing to below that of its main U.S. rivals. The motive behind the rebranding exercise is rumored to be an attempt to get a bigger foothold in the U.S. market for the Dutch-based company ahead of an IPO in 2024 or 2025.
Using SparkPost in the Healthcare Industry
For organizations in the healthcare industry that send bulk communications (e.g., newsletters), SparkPost can manage more outbound mail than most SMTP email services, has excellent delivery rates, and produces open and click tracking analyses. However, none of SparkPost’s services can be used to send PHI to contacts without the authorization(s) of the subject(s) of the PHI.
This is because – at present – SparkPost does not have the necessary safeguards to comply with the requirements of the HIPAA Security Rule. In addition, SparkPost’s parent company – Bird.com – will not currently enter into a Business Associate Agreement with customers. This may change if the rebranding and price drop attract the interest of the U.S. healthcare market.
However, until this happens, the answer to the question “Is SparkPost HIPAA compliant?” is a solid “no”. Covered entities and business associates can use the service for bulk emails and allowable marketing activities, but not to collect, maintain, or transmit PHI. Organizations wishing to use a HIPAA compliant bulk communication service should review the many other available options.