Is Spruce HIPAA Compliant? BAA, Security, and What Providers Need to Know

Kevin Henry

HIPAA

May 23, 2025

7 minutes read

Whether Spruce is HIPAA compliant for your practice depends on having a signed Business Associate Agreement (BAA) and configuring the platform to safeguard Protected Health Information (PHI). This guide explains the BAA, security controls, and provider responsibilities so you can use Spruce within a sound compliance framework.

Below, you’ll find what to look for in Spruce’s BAA, how secure messaging should work, requirements for standard communications like SMS, device encryption and two-factor authentication (2FA), workflow tips for patient engagement, and the provider duties that ultimately determine compliance.

Spruce Business Associate Agreement Overview

What a BAA does

The Business Associate Agreement establishes how Spruce, as a business associate, will create, receive, maintain, or transmit PHI on your behalf. It defines permitted uses and disclosures, required safeguards, and how the vendor will support your HIPAA obligations.

  • Permitted uses/disclosures: clarifies when PHI may be processed to deliver services and support.
  • Safeguards: administrative, physical, and technical protections aligned with the HIPAA Security Rule and relevant encryption standards.
  • Subcontractors: requires downstream vendors to meet the same obligations.
  • Breach notification: timelines, definitions, and cooperation for incident response.
  • Patient rights support: assistance with access, amendment, and accounting of disclosures.
  • Termination: return or destruction of PHI and post-termination safeguards if destruction is infeasible.
  • Minimum necessary and confidentiality: limits use to what’s needed for operations.

How to scope and execute your BAA

  • Verify legal entities, covered services (secure messaging, telephony, e-fax, telehealth), and data flows.
  • Document retention settings, backups, and message export processes for compliance and e-discovery.
  • Define incident contacts, notification channels, and escalation paths.
  • Confirm how termination, data return, or destruction will be handled and scheduled.

Remember, a signed BAA is necessary but not sufficient. It allocates responsibilities; your operational controls complete the compliance framework.

Secure Messaging and Communication Features

Core safeguards for PHI

For secure communication, you should configure features that protect PHI end to end and reduce human error. Focus on technical controls that make secure workflows the default.

  • Encryption standards: transport-level encryption (for example, TLS 1.2+ for data in transit) and strong encryption at rest (such as AES-256).
  • Access controls: unique user IDs, role-based access, least-privilege permissions, and automatic session timeouts.
  • Two-Factor Authentication: enforce 2FA for all workforce users, with secure recovery options.
  • Audit trails: immutable logs for logins, message access, file downloads, and administrative changes.
  • Retention controls: configurable message/file retention, export, and legal-hold capabilities.
  • Notification hygiene: limit PHI in push, SMS, or email notifications; use secure links that require authentication.

Secure communication protocols and options

Use in-app secure messaging or a patient portal for PHI and file exchange. For calls, voicemails, video visits, and e-fax, ensure recordings and attachments remain inside secure workflows and are covered by your BAA and retention policies.

Handling attachments and media

  • Transmit files only through secure channels; avoid unencrypted email or standard MMS for PHI.
  • Standardize file naming, categorize content, and restrict downloads to approved devices.
  • Periodically review storage for stale PHI and retain it no longer than necessary.

Standard Communication Compliance Requirements

SMS and email: when and how

Standard SMS and unencrypted email are not secure channels and should not carry PHI. If you must reach patients on those channels, send non-PHI notifications or a secure link that requires authentication to view the message.

  • Obtain and document patient consent for text or email outreach, including the nature of messages and opt-out instructions.
  • Honor preferences and keep consent logs up to date for audits.

Minimum necessary and content controls

  • Use templates that exclude diagnosis, test results, or other PHI from standard SMS/email.
  • Apply the minimum necessary standard to all outbound communications.
  • Review bounce/failed delivery reports and follow up via secure channels when needed.
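As an added example (not Spruce's code or the article's own), here is a Python composer for standard-channel reminders that enforces the rules in the two sections above: it refuses to send without a logged consent, rejects templates that reference PHI fields or anything outside a minimum-necessary allowlist, renders from a scrubbed view of the patient record, appends opt-out text, and inserts an opaque secure link that the portal is assumed to authenticate before resolving. The field names, consent-log shape, portal URL and patient record are constructed assumptions.

```python
import re
import secrets

# Hypothetical field sets: PHI that must never appear in standard SMS/email, and the
# minimum-necessary allowlist for a reminder ("secure_link" is generated, not patient data).
PHI_FIELDS = {"diagnosis", "test_result", "medication", "dob", "mrn", "ssn"}
SAFE_FIELDS = {"first_name", "appointment_date", "practice_name", "practice_phone", "secure_link"}
OPT_OUT = " Reply STOP to opt out."
PLACEHOLDER = re.compile(r"\{(\w+)\}")

class TemplateRejected(ValueError):
    """Template references PHI or a field outside the allowlist."""

def validate_template(template: str) -> set:
    """Return the placeholders a template uses; raise if any is PHI or not allowlisted."""
    fields = set(PLACEHOLDER.findall(template))
    if fields & PHI_FIELDS:
        raise TemplateRejected(f"PHI in standard-channel template: {sorted(fields & PHI_FIELDS)}")
    if fields - SAFE_FIELDS:
        raise TemplateRejected(f"fields outside allowlist: {sorted(fields - SAFE_FIELDS)}")
    return fields

def make_secure_link(portal_base: str) -> str:
    """Opaque random token; the portal (assumed) must authenticate the patient before resolving it."""
    return f"{portal_base}/m/{secrets.token_urlsafe(24)}"

def compose_sms(template: str, patient: dict, consent_log: dict, portal_base: str) -> str:
    """Build an outbound SMS only when consent is logged, rendering allowlisted fields only."""
    if not consent_log.get(patient["id"], {}).get("sms", False):
        raise PermissionError(f"no documented SMS consent for patient {patient['id']}")
    fields = validate_template(template)
    # Render from a scrubbed view of the record so a stray PHI key can never leak through.
    view = {k: v for k, v in patient.items() if k in SAFE_FIELDS}
    view["secure_link"] = make_secure_link(portal_base)
    if fields - view.keys():
        raise TemplateRejected(f"template needs unavailable fields: {sorted(fields - view.keys())}")
    return template.format(**view) + OPT_OUT

# Constructed sample data, not real patient information.
CONSENT_LOG = {"p-001": {"sms": True, "recorded": "2025-05-01"}, "p-002": {"sms": False}}
PATIENT = {"id": "p-001", "first_name": "Ana", "appointment_date": "Jun 3 at 9:00 AM",
           "practice_name": "Elm Street Clinic", "practice_phone": "555-0100",
           "diagnosis": "hypertension", "test_result": "A1c 7.2"}
GOOD = "Hi {first_name}, reminder: {practice_name} on {appointment_date}. Details: {secure_link}"
BAD = "Hi {first_name}, your {test_result} is ready. Diagnosis: {diagnosis}."
```

Running `compose_sms(GOOD, PATIENT, CONSENT_LOG, "https://portal.example")` yields a reminder with no PHI and a tokenized link, while `BAD` is rejected before anything is sent and patient `p-002` is blocked for lack of consent.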

Device Encryption and Two-Factor Authentication

Mobile devices

  • Enable full-device encryption and a strong passcode; set short auto-lock intervals and remote wipe.
  • Disable notification previews to prevent PHI exposure on lock screens.
  • Restrict copy/paste and file saving of PHI into personal apps; permit only approved, encrypted backups.

Laptops and desktops

  • Turn on full-disk encryption (for example, FileVault or BitLocker) and require startup passwords.
  • Keep operating systems, browsers, and security patches current; use endpoint protection and firewall rules.
  • Apply screen-timeout policies and enforce device inventory with serial numbers and assignment records.

Two-Factor Authentication essentials

  • Prefer app-based authenticators or security keys over SMS codes; store backup codes securely.
  • Require 2FA for all admins and clinical users, and re-prompt 2FA on new devices or high-risk actions.

Workflow Integration for Patient Engagement

  • Collect communication preferences and consent during intake; explain what will and won’t be sent via SMS/email.
  • Surface secure portal enrollment early so patients default to protected channels.

Reminders, broadcasts, and follow-ups

  • Send appointment reminders without PHI, or use secure links for details.
  • Segment broadcasts to the right audiences, include opt-out language, and log campaign details for compliance.
  • Automate follow-ups that direct patients back into secure messaging for care-related questions.

Triage and team collaboration

  • Use shared inboxes, tags, and templates to route messages to the right role quickly and consistently.
  • Escalate from SMS notifications to secure threads for PHI, images, forms, and care plans.

Provider Responsibilities for HIPAA Compliance

Your core duties

  • Conduct a risk analysis and implement administrative, physical, and technical safeguards appropriate to your risks.
  • Execute BAAs with all vendors that handle PHI, including Spruce and downstream services.
  • Define access management, onboarding/offboarding, and sanction policies; train your workforce annually and on role change.
  • Create and test an incident response and breach notification plan.
  • Maintain retention schedules and secure disposal procedures for PHI across systems and devices.

Governance and continuous improvement

  • Review audit logs, permission sets, and retention settings on a cadence; remediate gaps promptly.
  • Track device inventory, encryption status, and 2FA enrollment; require attestations from staff.
  • Document patient consent management and validate opt-outs across all outreach workflows.

Conclusion

Spruce can be used in a HIPAA-compliant manner when you have a signed Business Associate Agreement, enforce secure communication protocols, meet encryption standards, and operate within disciplined workflows. Compliance ultimately rests on how you configure the platform and uphold provider responsibilities across people, process, and technology.

FAQs

What is included in Spruce's Business Associate Agreement?

A Spruce BAA typically defines permitted uses and disclosures of PHI, requires administrative/technical safeguards, binds subcontractors to the same obligations, and sets breach notification duties and timelines. It also addresses assistance with access, amendment, and accounting requests, plus termination terms for returning or destroying PHI. Always confirm specifics in your executed agreement.

How does Spruce ensure secure messaging?

Secure messaging on Spruce relies on encryption in transit and at rest, role-based access controls, audit logging, and 2FA enforcement for workforce users. You can limit PHI in notifications and direct patients to authenticate via secure links before viewing sensitive content. Proper retention settings and monitoring complete the protection.

Can Spruce be used for standard SMS while maintaining HIPAA compliance?

Yes—if you avoid PHI in standard SMS and obtain documented patient consent for texting. Use SMS for brief notifications or to deliver a secure link that requires authentication to view details. Apply the minimum necessary standard, include opt-out instructions, and move any PHI conversation into secure messaging.

What security measures does Spruce recommend for devices?

Enable full-device encryption, strong passcodes, and short auto-locks; disable notification previews; and ensure remote wipe is available. On computers, use full-disk encryption and keep systems patched. Enforce two-factor authentication for all workforce accounts and restrict saving PHI to unmanaged locations or personal backups.
