HIPAA Compliance & Sinch

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law developed to improve the efficiency and effectiveness of the healthcare system, while also establishing national standards for privacy and security protections for health information.

The following information regarding HIPAA is not legal advice and is provided for information purposes only. Sinch encourages you to seek legal advice from an attorney for specific guidance-related compliance with HIPAA and the requirements relevant to your business.

HIPAA rules

The most important things to remember under HIPAA rules are ensuring privacy and security plus taking responsibility to notify patients if a data breach happens.

The Privacy Rule

Establishes standards for the protection of certain protected health information (PHI).

The Security Rule

Establishes security standards for protecting the confidentiality, integrity, and availability of PHI held or transmitted in electronic form, otherwise known as electronic protected health information (ePHI).

PHI and ePHI include the following types of data: 

An individual’s past, present, or future physical or mental health or condition 
Information regarding an individual’s treatment 
Payment arrangements for an individual’s healthcare

The Breach Notification Rule

Establishes standards for notification following a breach of unsecured PHI.

Which organizations does HIPAA cover?

HIPAA applies to any healthcare provider (covered entity) and their suppliers and vendors (business associates) based in the USA who “transmit, maintain, access, or store” PHI for people who live in the United States.

In short, if you’re working in an industry handling medical information, you need to be HIPAA-compliant.

You can learn more about HIPAA requirements from the Department of Health and Human Services (HHS).

Sinch commitment to compliance

Sinch is committed to protecting your data, including the PHI of your patients. Sinch has various products and solutions where the HIPAA compliance framework has been implemented and validated by a third party to support you in complying with HIPAA, while also enabling you to make the most of your communications with patients.

However, primary responsibility for compliance with HIPAA rests with you. You are responsible for your use of the Sinch service and for ensuring those services comply with HIPAA and other applicable laws, including: 

Taking your own steps to maintain appropriate security and privacy protections, including properly limiting access to the Sinch service.
Coordinating Sinch products are aligned with your expectations, to ensure compliance with the HIPAA Privacy and Security Rules, including calls, texts, faxes, and email marketing messages.
Notifying Sinch of any of your policies, agreements, or restrictions that may affect Sinch performance of services, and any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent those changes may affect Sinch use or disclosure of PHI.

Our legal, compliance, and security teams work across the company and alongside our customers to understand and meet customer needs.

Sinch has implemented administrative, technical, and physical safeguards to protect PHI and regularly reviews and enhances these based on risk assessments. Safeguards in place include:

Sinch has established and implemented policies governing the protection and use of PHI.
Logical and physical access controls are used to ensure only authorized personnel access PHI.
Encryption of data in-transit and at rest — Sinch employs industry standards when transferring data between subscribers and Sinch infrastructure.
Incident detection and response capability to detect and respond to security incidents and appropriately report any unauthorized access or use of PHI.
Data is regularly backed up and replicated to geographically dispersed locations, which allows us to quickly recover and restore data and systems in the case of data corruption or loss.
Sinch safeguards are reviewed and assessed by independent advisors.
Sinch has product level business associate agreements (BAA), which is an addendum to our standard Terms of Service. Our Terms of Service and BAA are designed to address Sinch commitments for protection and use of personal information and PHI, per HIPAA, and other applicable privacy laws and regulations. Sinch only uses your data to provide the Sinch service to you, except with your prior written consent or as otherwise expressly permitted under the Terms of Service or BAA.
Sinch ensures its subcontractors and personnel authorized to access PHI are bound by appropriate obligations of confidentiality or a BAA.

Additional information

More information on HIPAA privacy rules is available on the Department of Health and Human Services websites at:

Telco transformed

The actionable guide to increasing customer loyalty with mobile messaging

Two-factor authentication: Why SMS is here to stay

Building a smooth, secure experience with SMS-based 2FA

Signaling threats: SS7 and beyond

Gartner® names Sinch a Magic Quadrant™ Leader for CPaaS

Sinch named a Leader in IDC MarketScape 2023