The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is SparkPost HIPAA Compliant?

SparkPost is not HIPAA compliant because the terms and conditions of the now rebranded service prohibit violations of “any legal, regulatory, self-regulatory, governmental, statutory requirements of codes of practice”. As SparkPost lacks the safeguards to comply with HIPAA, any use of the service that discloses Protected Health Information (PHI) would be a violation of HIPAA.

SparkPost is an email service that enables customers to automate email processes (e.g., welcome emails), develop multi-step email campaigns, and send targeted bulk emails based on customer behaviors. Since the brand’s acquisition by MessageBird in April 2021, customers have also been able to take advantage of SMS marketing, WhatsApp marketing, and social media marketing capabilities.

The service’s appeal is likely to increase in the coming months following the announcement that MessageBird is being rebranded as Bird.com and reducing its pricing to below that of its main U.S. rivals. The motive behind the rebranding exercise is rumored to be an attempt to get a bigger foothold in the U.S. market for the Dutch-based company ahead of an IPO in 2024 or 2025.

Using SparkPost in the Healthcare Industry

For organizations in the healthcare industry that send bulk communications (e.g., newsletters), SparkPost can manage more outbound mail than most SMTP email services, has excellent delivery rates, and produces open and click tracking analyses. However, none of SparkPost’s services can be used to send PHI to contacts without the authorization(s) of the subject(s) of the PHI.


This is because, at present, SparkPost does not have the necessary safeguards to comply with the requirements of the HIPAA Security Rule. In addition, SparkPost’s parent company, Bird.com, will not currently enter into a Business Associate Agreement with customers. This may change if the rebranding and price drop attract the interest of the U.S. healthcare market.

However, until this happens, the answer to the question “Is SparkPost HIPAA compliant?” is a solid “no”. Covered entities and business associates can use the service for bulk emails and allowable marketing activities, but not to collect, maintain, or transmit PHI. Organizations wishing to use a HIPAA compliant bulk communication service should review the many other available options.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
