HIPAA & BAA · Communications API
Is Twilio HIPAA compliant?
Conditionally. Twilio signs a BAA only for customers on its Security Edition or Enterprise Edition, and PHI may be used only with Twilio's designated HIPAA-eligible products, following Twilio's shared-responsibility guidance ('Architecting for HIPAA on Twilio').
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Requires Twilio Security Edition or Enterprise Edition to execute the Business Associate Addendum; PHI may only flow through HIPAA-Eligible Products and Services.
- Official source: Twilio — Twilio and HIPAA — https://www.twilio.com/en-us/hipaa (verified 2026-06)
How to use Twilio in a HIPAA-compliant way
- Upgrade your account to Twilio Security Edition or Enterprise Edition.
- Execute Twilio's Business Associate Addendum to the Terms of Service.
- Build workflows using only HIPAA-Eligible Products and Services (e.g., Programmable SMS/MMS, Voice, Video, SIP).
- Follow the 'Architecting for HIPAA on Twilio' guidance for customer-side responsibilities (logging, redaction, access controls).
- Avoid storing PHI in non-eligible products and document your safeguards.
Important caveats
- Only HIPAA-Eligible Products are covered; using non-eligible products/features with PHI is outside the BAA.
- A BAA requires the paid Security or Enterprise Edition — standard accounts cannot sign one.
- HIPAA compliance is explicitly a shared responsibility; Twilio's controls do not by themselves make your workflow compliant.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Twilio correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Twilio.
Frequently asked questions
Does Twilio sign a BAA?
On specific plans. Requires Twilio Security Edition or Enterprise Edition to execute the Business Associate Addendum; PHI may only flow through HIPAA-Eligible Products and Services. A signed BAA is required before any PHI is involved.
Is Twilio HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Twilio offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Twilio with PHI?
Only HIPAA-Eligible Products are covered; using non-eligible products/features with PHI is outside the BAA.