Does Twilio Sign a HIPAA Business Associate Agreement?
By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 28, 2026 · 3 min read
Key Takeaways
- ✓ Yes — Twilio signs a HIPAA BAA for qualifying healthcare customers
- ✓ Covered products: Programmable SMS, Voice, Video, and certain Flex configurations
- ✓ Twilio SendGrid email is also available under the Twilio BAA for qualifying customers
- ✓ BAA is not self-service — contact Twilio sales to execute the addendum
Twilio HIPAA-Eligible Products
| Twilio Product | HIPAA BAA Available? | Notes |
|---|---|---|
| Programmable SMS | Yes | Appointment reminders, secure patient messaging |
| Programmable Voice | Yes | Automated phone calls, IVR systems |
| Programmable Video | Yes | Telehealth video sessions |
| Twilio Flex (select configs) | Yes (case-by-case) | Healthcare contact center deployments |
| Twilio SendGrid (email) | Yes (qualifying customers) | Transactional email; covered under Twilio BAA |
| Twilio Segment | Separate review required | Customer data platform; verify with Twilio |
Twilio Video HIPAA Eligibility
Twilio Programmable Video is HIPAA-eligible under the Twilio BAA. Healthcare organizations use it to power telehealth platforms: virtual visits between providers and patients, multi-party consults, and clinician-to-clinician case discussions involving PHI. Twilio Video is built on WebRTC, so media is encrypted in transit with DTLS-SRTP. In Peer-to-Peer Rooms that encryption runs directly between participants; in Group Rooms Twilio's media server terminates it in order to forward streams, so the protection is hop-by-hop rather than end-to-end in the strict sense. Reflect that in your risk analysis rather than describing the service as end-to-end encrypted.
Important constraints when using Twilio Video for PHI:
- Recording storage: by default Twilio keeps room recordings in its own cloud storage, which falls under the Twilio BAA. If you enable external S3 storage, Twilio instead writes recordings to a bucket in your AWS account; that bucket then needs an AWS BAA, server-side encryption, a tight bucket policy and access logging, because the PHI is now in storage you operate rather than Twilio's.
- Composition — Twilio Video Composition (post-production rendering) operates on PHI when the source media contains PHI. It's covered under the BAA when used by qualifying customers.
- Network Traversal Service (NTS): STUN/TURN is HIPAA-eligible. TURN relays SRTP packets without decrypting them, so a call that falls back to a relay stays encrypted through the relay.
Common healthcare deployments: telepsychiatry platforms, virtual urgent care, post-discharge follow-up calls, specialist consultations.
Twilio Flex HIPAA Eligibility
Twilio Flex (Twilio's contact center platform) is HIPAA-eligible on a case-by-case basis. Most healthcare contact center deployments — patient access call centers, scheduling lines, prior-authorization workflows, and triage lines — can be built on Flex with a properly scoped BAA. The case-by-case nature comes from Flex's heavy customization: each deployment uses different add-on Twilio products (TaskRouter, Conversations, Studio, Voice Insights, etc.) and different storage configurations, each of which has to be verified as HIPAA-eligible for your specific architecture.
Before deploying Flex for healthcare, confirm with Twilio's enterprise team that:
- Your specific add-ons (Studio, TaskRouter, Conversations) are covered
- Where voice recordings land: Twilio's own storage by default, or an external S3 bucket you control if you configure it; whichever you use must be covered by a BAA (Twilio's, or AWS's for your bucket)
- If agent screen recording is used, it does not push PHI through a product or third-party recorder that sits outside the BAA
- Any Flex Plugins or third-party integrations have their own BAAs in place
Twilio Programmable SMS HIPAA Eligibility
Twilio Programmable SMS is HIPAA-eligible under the Twilio BAA. The most common healthcare use cases: appointment reminders, two-way patient messaging, prescription pickup notifications, and post-visit follow-ups. Healthcare orgs should be aware of the SMS-specific compliance considerations:
- SMS is not encrypted end to end: carriers and the handset see the message body in clear. HHS guidance permits SMS for routine patient communication, provided the patient has been told of the risk and agrees, but cautions against sending detailed PHI. Best practice: minimize PHI in the message body. "Reminder: appointment with Dr. Smith on 5/3 at 2pm" is acceptable; a diagnosis, medication name or test result in an SMS is not.
- Patient consent for SMS communications is required and should be documented at intake.
- Delivery receipts and message logs Twilio stores are covered under the BAA. You can configure log retention to meet your records-retention policies.
For richer two-way conversations, consider Twilio Conversations (multi-channel messaging) which is also HIPAA-eligible and supports threaded messaging across SMS, WhatsApp, and chat.
SendGrid HIPAA Eligibility (now Twilio SendGrid)
SendGrid (acquired by Twilio in 2019, now branded Twilio SendGrid) is HIPAA-eligible under the Twilio BAA for qualifying customers. The BAA covers transactional and marketing email sent via the SendGrid API or Marketing Campaigns. Common healthcare email use cases: appointment confirmations, lab result notifications (with patient portal links rather than results in body), patient newsletters, intake-form follow-ups.
Key SendGrid HIPAA-specific considerations:
- Subuser BAA coverage — if your account has subusers (common for multi-tenant healthcare SaaS), the BAA must explicitly cover their sending too.
- Click tracking: disable it, or scope it tightly, for patient-facing mail. Click tracking rewrites every link through a SendGrid redirect domain that carries the destination URL, so any identifier in a query string ends up in SendGrid click events and, once the browser lands on your site, in the Referer header sent to any third-party resource that page loads. Keep links free of identifiers and put the state behind an opaque token.
- Email body PHI: the same guidance as for SMS applies. Plain-text email bodies traverse external SMTP relays, so keep PHI out of them and put sensitive content behind an authenticated patient portal link.
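The two hazards above, identifiers in link query strings and click tracking, are easiest to see side by side. The following Python is an added example written for this page, not Twilio SendGrid code: it builds a SendGrid v3 mail/send request body the naive way and the hardened way and runs a pre-send gate over each. The request fields (personalizations, content, tracking_settings) follow the v3 Mail Send schema; the portal host, sender address, patient record and token are constructed for the example, and nothing is actually sent.

```python
"""Naive vs hardened SendGrid v3 mail/send bodies for a patient notification.

Added example for this page, not Twilio SendGrid code. Nothing is sent: the
functions only build and inspect the JSON body. Field names follow the v3
Mail Send schema; PORTAL, SENDER, the patient record and the token are
constructed for the example.
"""
import json
import re
import secrets
from urllib.parse import parse_qs, urlsplit

PORTAL = "https://portal.example-health.test"          # constructed host
SENDER = {"email": "noreply@example-health.test"}       # constructed sender
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_payload(to_addr: str, patient_id: str, test_name: str) -> dict:
    """'Before' form: identifiers in the link and subject, tracking left to
    account defaults.

    With click tracking on, SendGrid rewrites the link through its redirect
    domain and records the full destination URL in click events; once the
    browser lands on the portal, the same URL leaves again in Referer headers.
    """
    link = f"{PORTAL}/results?patient={patient_id}&test={test_name}"
    return {
        "personalizations": [{"to": [{"email": to_addr}]}],
        "from": SENDER,
        "subject": f"Your {test_name} results are ready",
        "content": [{"type": "text/plain",
                     "value": f"Your {test_name} results are available: {link}"}],
        # no tracking_settings: click/open tracking follow the account default
    }


def hardened_payload(to_addr: str, token: str) -> dict:
    """'After' form: opaque token in the path, generic subject and body,
    click and open tracking switched off for this send.

    The server side maps token -> patient record and still requires portal
    login before showing anything (that lookup is outside this example).
    """
    link = f"{PORTAL}/r/{token}"
    return {
        "personalizations": [{"to": [{"email": to_addr}]}],
        "from": SENDER,
        "subject": "A new message is waiting in your patient portal",
        "content": [{"type": "text/plain",
                     "value": f"Sign in to view it: {link}"}],
        "tracking_settings": {
            "click_tracking": {"enable": False, "enable_text": False},
            "open_tracking": {"enable": False},
        },
    }


def leaky_links(payload: dict) -> list:
    """URLs in the message content that carry query parameters.

    Any hit means state rides in the URL, where tracking redirects, logs and
    Referer headers will expose it.
    """
    hits = []
    for part in payload.get("content", []):
        for url in URL_RE.findall(part["value"]):
            if parse_qs(urlsplit(url).query):
                hits.append(url)
    return hits


def tracking_disabled(payload: dict) -> bool:
    """True only when click and open tracking are explicitly off."""
    ts = payload.get("tracking_settings", {})
    return (ts.get("click_tracking", {}).get("enable") is False
            and ts.get("open_tracking", {}).get("enable") is False)


def safe_to_send(payload: dict) -> bool:
    """Pre-send gate: tracking off and no identifiers in any link."""
    return tracking_disabled(payload) and not leaky_links(payload)


if __name__ == "__main__":
    naive = naive_payload("patient@example.test", "MRN-00123", "HbA1c")
    hardened = hardened_payload("patient@example.test", secrets.token_urlsafe(24))
    for name, body in (("naive", naive), ("hardened", hardened)):
        print(f"{name}: safe_to_send={safe_to_send(body)} leaks={leaky_links(body)}")
        print(json.dumps(body, indent=2))
```

Run it as a script to print both bodies. In a real sender, put `safe_to_send` in front of the API call so a message with tracking enabled or a link carrying query parameters fails the build instead of reaching SendGrid; the subject and body still need a human review rule, since the gate only inspects links and tracking flags.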
How to Get a BAA from Twilio
Twilio's HIPAA BAA is not self-service. To execute it:
- Identify which Twilio products you intend to use with PHI (SMS, Voice, Video, Flex, SendGrid, Conversations).
- Contact Twilio's sales team via the standard sales contact form, noting "HIPAA BAA needed for healthcare use case."
- Twilio's enterprise/legal team will send a BAA addendum to your existing Twilio Master Services Agreement. Review and sign.
- Once the BAA is countersigned, your account is BAA-covered for the specified products. New products added later require a BAA amendment.
Typical timeline: 1–3 weeks depending on legal review on both sides. Twilio's BAA does not require you to be on a specific pricing tier, but the BAA process is geared toward customers spending enough volume to warrant enterprise contracts.
Common Healthcare Use Cases for Twilio
Twilio is widely used across healthcare and telehealth for:
- Appointment reminder SMS: Automated text messages reminding patients of upcoming appointments. Even if the message only includes "your appointment is tomorrow at 2pm," if it is linked to a patient identity in a covered entity's system, it may constitute PHI.
- Telehealth video: Twilio Programmable Video powers the video infrastructure for many telehealth platforms, allowing developers to embed video sessions in patient portals.
- Secure patient messaging: Two-way SMS between care teams and patients for care coordination, prescription reminders, and follow-up.
- IVR and phone trees: Healthcare organizations use Twilio Voice to build automated phone systems for appointment scheduling, refill requests, and nurse line routing.
Before You Send PHI Through Twilio
Two things the BAA process above does not do for you:
- Verify each product against Twilio's current HIPAA-eligible services list before you rely on it, and keep the executed BAA, with the product list it names, in your HIPAA compliance records.
- Standard developer accounts carry no BAA coverage. Sending PHI through Twilio before the BAA is countersigned is an impermissible disclosure under the HIPAA Privacy Rule, whatever your internal policies say, and the same applies to any account or product the BAA does not name.
Twilio Segment and HIPAA
Twilio acquired Segment in 2020, making it a customer data platform under the Twilio umbrella. Segment is subject to a separate HIPAA evaluation from Twilio's communications products. If you use Segment in a healthcare context where PHI flows through it, contact Twilio specifically about Segment's HIPAA BAA status — do not assume it is covered under a general Twilio BAA.
Frequently Asked Questions
Does Twilio sign a HIPAA BAA?
Yes — for qualifying healthcare customers using HIPAA-eligible products. Contact Twilio sales to execute the BAA addendum. Not self-service.
Which Twilio products are HIPAA eligible?
Programmable SMS, Voice, Video, and certain Flex configurations are HIPAA eligible. SendGrid email is also available. Segment requires separate evaluation.
Does Twilio SendGrid sign a HIPAA BAA?
SendGrid email coverage runs through Twilio's enterprise BAA process. Contact Twilio sales to execute a BAA that covers both communications and email services.
How do I get a BAA from Twilio?
Contact Twilio sales directly. Identify the products you need covered, confirm HIPAA eligibility, and execute the BAA addendum as part of your enterprise agreement.
For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.