HIPAA and BAA
IN THIS ARTICLE
Your Business Associate Agreement with Spruce
The Spruce HIPAA Business Associate Agreement (BAA) is included automatically, when applicable, in our standard terms of service for organizations. If you already have a Spruce account, then you are already operating under these terms. See the Spruce Terms of Service for Organizations, including our BAA, for complete information.
Is Spruce HIPAA Compliant?
Yes, Spruce can be used in a HIPAA-compliant manner, and it is designed for this use. Spruce was created with security and privacy in mind, and both secure and standard communication can be used in a HIPAA-compliant manner.
Secure Communication
Secure communication refers to conversations that happen entirely within the Spruce app. Specifically, this is when both you and your patient use the app to send messages to one another. To have a secure conversation on Spruce, you must invite your patient to create a secure Spruce account with your clinic. After receiving your invitation, your patient will create a username and password, and they will be able to access their secure Spruce account from the Spruce mobile app or from a web browser.
Once you have made a secure connection, you and your patient can exchange secure messages and have video calls. All information related to such interactions will be stored with Spruce, and the conversations are fully secure.
Standard ("Non-Secure") Communication
Standard communication includes SMS texting, fax, email, and phone calls. All of these communication modalities require that information leave Spruce's control before it can reach its intended recipient. Because of this, Spruce cannot guarantee the security of standard communication along its complete journey. Importantly, this is not unique to Spruce; these communication channels have this limitation no matter which provider is powering them. Despite this, standard communication channels can still be used in a HIPAA-compliant manner, provided that you take care to use them correctly. For more detail, please see our white paper on Using Spruce in a HIPAA-Compliant Way.
A few key standard communication channels:
Phone Calls
The technology underlying Spruce telephony, including voicemail storage and transcription, is HIPAA-compliant.
All PHI is stored within the Spruce app and not in insecure areas of your personal phone, such as your phone's general contact book. Patient names and phone numbers, call history, and voicemails are stored securely within Spruce.
Your personal phone number is hidden from patients. When you make an outbound call through the Spruce app, the call forwards to a temporary number, which then forwards and connects you to your patient. This action protects your personal phone number from ever being visible to the call recipient.
Fax
The technology underlying eFax on Spruce is HIPAA-compliant. Spruce stores your fax contacts and transmission logs, as well as digital copies of all of your incoming and outgoing faxes, identically to how we store all other medical data. This means that your fax information is protected by the same technical, administrative, and physical safeguards that HIPAA demands and that we use regularly throughout our entire system.
Text Messages (SMS)
You can send traditional SMS text messages on Spruce. On your end, you still compose messages in the Spruce app, but the recipient will receive them as standard SMS text message on their personal device. With this type of messaging, the text recipient does not need to have a secure Spruce account. Because of limitations in SMS itself, we cannot guarantee the full security of messages sent with this technology. Despite this, SMS texting can still be used in a HIPAA-compliant manner in many cases. Typically, establishing patient preference for this channel is an important step in regulatory compliance, and good news: this is straightforward to do.
Establishing Patient Preference
Your patients may prefer to use standard channels, such as SMS texting, to communicate with you. If this is the case, and you have also made those patients aware of potential security limitations and offered secure alternatives, you have a strong argument that your use of such channels is compliant with the requirements of HIPAA. In such cases, you might prefer to document this patient preference for your records.
You can use this template to document your patients' written consent and preference for the use of standard, unencrypted email and text messaging (SMS) for medical communication:
I, [Patient Name], hereby consent and state my preference to have my physician, [Physician Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing.
I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party.
Please Note: This template is not legal advice and is provided for general guidance ONLY. Please consult with legal counsel to consider the specifics of your situation.
Additional HIPAA Resources
Please see our white paper on Using Spruce in a HIPAA-Compliant Way, which discusses HIPAA compliance and Spruce in more detail.
You can also find more information about the importance of HIPAA compliance, and how it can be maintained in your practice, on the Spruce Blog.