Spruce Health BAA: Does Spruce Sign a Business Associate Agreement and How to Get One

Business Associate Agreement Overview

A Business Associate Agreement (BAA) is the contract required by HIPAA when a vendor handles Protected Health Information (PHI) on behalf of a covered entity or another business associate. It assigns responsibilities for safeguarding PHI, defines permitted uses and disclosures, and sets breach-notification and subcontractor obligations.

In practice, a Spruce Health BAA formalizes the vendor–customer relationship for clinical communications. It complements your internal policies to create a complete HIPAA compliance posture focused on healthcare data security, access controls, and minimum necessary principles.

Spruce Terms of Service for Organizations

Spruce incorporates its HIPAA BAA directly into the Terms of Service for Organizations. When the BAA applies to your use case, it is included within those terms, so your acceptance of the organizational account agreement also accepts the BAA provisions. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/related/click?data=BAh7CjobZGVzdGluYXRpb25fYXJ0aWNsZV9pZGwrCJuZYN%2FrFDoYcmVmZXJyZXJfYXJ0aWNsZV9pZGwrCBufFd3rFDoLbG9jYWxlSSIKZW4tdXMGOgZFVDoIdXJsSSI0L2hjL2VuLXVzL2FydGljbGVzLzIzMDAzMjk3NTIwMDI3LUhJUEFBLWFuZC1CQUEGOwhUOglyYW5raQc%3D--b7e75b55703bf2a993e7f886dc47d1403a917f6d))

Within the Terms, you will find sections that read like a standard BAA (for example, permitted uses of PHI, safeguards, breach notification timelines, subcontractor requirements, and minimum necessary). These integrated clauses function as the operative BAA between you (“Covered Entity”) and Spruce (“Business Associate”). ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))

Electronic Agreement Process

Spruce uses an electronic signature workflow: you agree to the organizational Terms of Service—and the embedded BAA—during the “create an organization” process. Spruce states that all trials and paid plans automatically include a BAA for organizations that require one, and you accept it electronically as part of onboarding. ([sprucehealth.com](https://sprucehealth.com/lp))

For documentation, save a copy of the Terms of Service Agreement at the time of acceptance, note the acceptance date in your compliance records, and export a PDF if your policies require version pinning for audits.

Creating an Organization on Spruce

Step-by-step

• Create your Spruce account and select the option to create an Organization (your practice or company name).
• Review and accept the Terms of Service for Organizations to finalize electronic acceptance of the Spruce BAA.
• Invite team members, assign role-based access, and configure inboxes, phone lines, and eFax if needed.
• From Plan & Billing, choose your plan after the trial and complete any required SMS registration before texting patients.

Completing these steps establishes the organizational account agreement, activates the BAA where applicable, and prepares your workspace for secure operations.

Compliance and HIPAA Considerations

Spruce can be used in a HIPAA-compliant manner, with clear distinctions between secure, in-app messaging and standard channels such as SMS, email, eFax, and voice. Secure app-to-app communication is fully controlled within Spruce; standard channels can be used compliantly when you document patient preference and apply safeguards. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/related/click?data=BAh7CjobZGVzdGluYXRpb25fYXJ0aWNsZV9pZGwrCJuZYN%2FrFDoYcmVmZXJyZXJfYXJ0aWNsZV9pZGwrCBufFd3rFDoLbG9jYWxlSSIKZW4tdXMGOgZFVDoIdXJsSSI0L2hjL2VuLXVzL2FydGljbGVzLzIzMDAzMjk3NTIwMDI3LUhJUEFBLWFuZC1CQUEGOwhUOglyYW5raQc%3D--b7e75b55703bf2a993e7f886dc47d1403a917f6d))

After you have a BAA in place, communication that remains entirely inside Spruce (for example, secure messaging threads and telemedicine in those threads) is encrypted and aligned with HIPAA’s technical requirements; you remain responsible for configuring access controls, auditing, and workforce training. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/articles/23003262910491-Spruce-Email?utm_source=openai))

If you use third-party tools alongside Spruce (e.g., AI-assisted features or other integrations), ensure you have BAAs with those vendors as appropriate and that their workflows match your compliance standards. Spruce’s Terms also note the platform is intended for entities operating under U.S. law, which matters for jurisdictional risk management. ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))

Accessing Existing BAA Terms

You can review the BAA language by opening the Spruce Terms of Service for Organizations and navigating to the BAA sections (e.g., “Permitted Uses and Disclosures of PHI,” “Safeguards,” “Breach Notification,” “Subcontractors,” and “Minimum Necessary”). These sections outline HIPAA-required obligations and serve as your executed BAA once accepted electronically. ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))

If you already have a Spruce account under an Organization, you are operating under these organizational terms and can reference them at any time for audits and vendor due diligence. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/related/click?data=BAh7CjobZGVzdGluYXRpb25fYXJ0aWNsZV9pZGwrCJuZYN%2FrFDoYcmVmZXJyZXJfYXJ0aWNsZV9pZGwrCBufFd3rFDoLbG9jYWxlSSIKZW4tdXMGOgZFVDoIdXJsSSI0L2hjL2VuLXVzL2FydGljbGVzLzIzMDAzMjk3NTIwMDI3LUhJUEFBLWFuZC1CQUEGOwhUOglyYW5raQc%3D--b7e75b55703bf2a993e7f886dc47d1403a917f6d))

Benefits of Spruce BAA Implementation

• Clear allocation of HIPAA responsibilities between you and Spruce as Business Associate, improving risk management and audit readiness. ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))
• Streamlined onboarding via electronic signature, reducing contract friction without sacrificing legal enforceability. ([sprucehealth.com](https://sprucehealth.com/lp))
• Alignment of secure messaging, telephony, and eFax services with healthcare data security practices inside a single communications platform. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/related/click?data=BAh7CjobZGVzdGluYXRpb25fYXJ0aWNsZV9pZGwrCJuZYN%2FrFDoYcmVmZXJyZXJfYXJ0aWNsZV9pZGwrCBufFd3rFDoLbG9jYWxlSSIKZW4tdXMGOgZFVDoIdXJsSSI0L2hjL2VuLXVzL2FydGljbGVzLzIzMDAzMjk3NTIwMDI3LUhJUEFBLWFuZC1CQUEGOwhUOglyYW5raQc%3D--b7e75b55703bf2a993e7f886dc47d1403a917f6d))

Conclusion

The Spruce Health BAA is delivered through the organizational Terms of Service and accepted electronically when you create an Organization. By reviewing those terms, configuring secure workflows, and documenting your acceptance, you put a solid HIPAA compliance foundation in place for everyday patient communication.

FAQs

Does Spruce automatically provide a BAA when signing up?

Yes. For organizations that require one, Spruce states that all trials and paid plans automatically include a BAA, which you accept electronically during the organization-creation process. ([sprucehealth.com](https://sprucehealth.com/lp))

How can organizations review the Spruce BAA?

Open the Spruce Terms of Service for Organizations and read the integrated BAA sections (e.g., permitted uses of PHI, safeguards, breach notification). These clauses constitute your BAA once you have accepted the organizational terms. ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))

What steps are required to obtain a BAA with Spruce?

Create an Organization in Spruce, review the Terms of Service for Organizations, and accept them electronically to execute the embedded BAA; then complete any plan selection and configuration steps required for your workflows. ([help.sprucehealth.com](https://help.sprucehealth.com/hc/en-us/related/click?data=BAh7CjobZGVzdGluYXRpb25fYXJ0aWNsZV9pZGwrCJuZYN%2FrFDoYcmVmZXJyZXJfYXJ0aWNsZV9pZGwrCBufFd3rFDoLbG9jYWxlSSIKZW4tdXMGOgZFVDoIdXJsSSI0L2hjL2VuLXVzL2FydGljbGVzLzIzMDAzMjk3NTIwMDI3LUhJUEFBLWFuZC1CQUEGOwhUOglyYW5raQc%3D--b7e75b55703bf2a993e7f886dc47d1403a917f6d))

Is the Spruce BAA compliant with HIPAA regulations?

The BAA language in Spruce’s organizational terms tracks HIPAA requirements by defining permitted uses and disclosures, safeguards, breach notifications, subcontractor agreements, and minimum necessary obligations, enabling HIPAA-compliant use of the platform when configured appropriately. ([sprucehealth.com](https://sprucehealth.com/terms-organizations/?uca=sprucehealth-partner&uco=learnmore&ume=Partner-website&uso=Partner&ute=keragon))