HIPAA Compliance and BAAs


HIPAA compliance and Business Associate Agreements (BAA)

Spruce is designed with privacy in mind. Any communication that occurs entirely on Spruce is inherently secure and encrypted. Communication through standard channels that occurs over Spruce can also be HIPAA-compliant, but this is situation-dependent.

Standard telephone calls made via Spruce are compliant with the technical requirements of HIPAA, and Spruce stores any voicemails left for you in a way that is compatible with HIPAA.

Spruce protects your and your patients' privacy in a couple of important ways.

  • All patient PHI is stored within the Spruce app instead of on your personal phone. This means all messages and voicemails from your patients are kept in the Spruce app and are not mixed in with your personal phone messages. Patients' names and phone numbers do not appear in your phone's call history because they are all kept within the Spruce app.
  • Your personal phone number is hidden from patients. When you make an outbound call through the Spruce app, the call forwards to a temporary number, which then forwards and connects you to your patient. This action protects your personal phone number.

When you create your Spruce account, you electronically consent to our Terms of Service, which include our BAA. This allows Spruce to enable efficient, HIPAA-compliant, and secure communication with your patients. You can download the Terms of Service for a copy of your BAA: https://www.sprucehealth.com/terms-organizations/

HIPAA compliance and Spruce communication channels 

Secure conversations: 

Secure conversations are conversations that happen entirely within the Spruce app. No information leaves the Spruce app to reach the recipient. When you exchange messages with a patient who has downloaded the Spruce app, all information is stored within the app, and the conversation is secure. You can tell you are using a secure conversation if you see a Lock Icon next to the patient's name in your Spruce inbox. 

Secure conversations include:

  • App-to-app messaging
  • Video visits 
  • Telemedicine

Standard conversations: 

Standard conversations require information to leave the Spruce app to reach the recipient. Standard conversations can still be used in a HIPAA-compliant manner with the patient's consent.

Standard conversations include:

  • SMS text messaging
  • Fax
  • Email 

Additional HIPAA Resources 

Please read our White Paper that discusses HIPAA compliance in more detail. This document includes a template consent form that allows patients to indicate their desire to communicate through standard conversations.

You can also find more information about the importance of HIPAA compliance and how it can be maintained in your practice on the Spruce Blog.
