Twilio and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 as part of a larger healthcare reform in the US. Part of the legislation is aimed at providing security and data privacy protections around access, use, and disclosure of protected health information (PHI). HIPAA covers any organizations that meet the definition of “covered entities” or “business associates.”

Twilio’s Commitment to Data Privacy and Security

Supporting HIPAA is another milestone in elevating Twilio’s data privacy and security to meet the needs of customers who must comply with HIPAA. Twilio is committed to providing a platform trusted by customers and patients.

Twilio as a Business Associate

Under HIPAA, companies that use a service provider to process PHI on their behalf must put in place a business associate agreement with that service provider. Accordingly, customers that are subject to HIPAA and intend to use Twilio’s products and services to develop communication workflows containing PHI must execute a Business Associate Addendum (BAA) to Twilio’s Terms of Service. Twilio’s BAA has been developed taking into account the specific products and services that Twilio offers, and it treats HIPAA compliance as a shared responsibility between the customer and Twilio: signing the BAA does not by itself make a workflow compliant, and the customer remains responsible for how PHI is handled on their side. To learn more about how to build a HIPAA compliant workflow using Twilio’s offerings, please refer to Architecting for HIPAA on Twilio.

What do I need to do to build a HIPAA compliant workflow using Twilio?

First, ensure that the Twilio products and services that you are interested in using for your HIPAA workflows are covered under our current list of HIPAA Eligible Products and Services. Then, sign Twilio’s Business Associate Addendum (BAA).

With a BAA signed, you can start building, but we recommend following the guidelines in Architecting for HIPAA on Twilio, which outline the customer-side shared responsibilities and requirements for building and maintaining a HIPAA compliant workflow using Twilio’s tools.

What products can I use if I have a BAA in place with Twilio?

Customers wishing to build communication workflows that may contain PHI should only use HIPAA Eligible Products and Services. This list may be updated as additional products and services become HIPAA Eligible. Customers may still use products and services that are not on this list, but only in workflows where there is no potential for PHI to be exchanged through those products in violation of HIPAA.

How can I get a BAA in place with Twilio?

Please contact your Twilio Account Representative or talk to an expert to learn more.

Is the HIPAA eligible version of Twilio’s products different from the non-HIPAA eligible version?

No. Twilio’s HIPAA eligible products and services have the necessary security controls to support HIPAA, but their functionality has not changed. However, there may be customer-side requirements that need to be implemented when building a HIPAA compliant workflow. Please refer to Architecting for HIPAA on Twilio for more details.

Is there a separate charge for signing a BAA with Twilio?

Customers wishing to sign a BAA with Twilio must be on our Enterprise Edition. Please contact your Twilio Account Representative or talk to an expert to learn more.

Resources

HIPAA Eligible Products and Services

Architecting for HIPAA on Twilio

Security at Twilio