Safety, Security, and HIPAA

Introduction to safety, security, and HIPAA

Safety, security, and HIPAA compliance are critical aspects of communication and documentation every moment of every day. To maintain safety, security, and integrity, we recommend that you use appropriate lock measures on your device, such as a passcode that is 6 digits or longer, particularly if you are not using Fingerprint or Face ID to protect your Spruce account.

The following is important information about some of the key safety and security features that Spruce uses to protect your account, as well as some additional safety measures you can take to further protect your privacy when using Spruce.

Logging in and out on the Spruce App

• If you log into your Spruce account daily, from any device, you will not be logged out automatically.
• If you do not use the Spruce app for 4 consecutive days, you will be logged out automatically.
• You will only be prompted to enter a two-factor authentication code once every 30 days.
• You can manually log out of the Spruce app at any time by clicking the "Log Out" option in the app.
• If you explicitly log out, you will be prompted for a two-factor authentication code when you next log in.
• You can be logged into your Spruce account on multiple devices at the same time. If you log out of the Spruce app on one device, you will not be logged out of the app on any other device (e.g., if you log out of the Spruce web app, you will not be logged out of the app on your phone).
• If your phone (or other device) has Face ID or Fingerprint ID and you have enabled its use on your Spruce app, the app will use that technology for login purposes. If you are using Face ID or Fingerprint ID, you will only need to enter your password once a year, unless you manually log out of the Spruce app. If you have not enabled Face ID or Fingerprint ID, you will need to re-enter your password every 4 days.
• If you reset your password, you will be logged out on all devices and 2FA verification will be required again.
• Outside of the Spruce app, we strongly recommend that you use your device's settings to enforce password-protected screen locking or device logout after a short period of inactivity.

iOS devices:

• If you switch to a different app for 2 or more minutes, you will be prompted for FaceID or Fingerprint ID authentication when you return. The 2-minute grace period is meant to allow for fluid usability while still ensuring strong security in case someone on your team leaves a device unattended.

Android devices:

• If you are logged into the Spruce app and you tap the Home button on your Android device, you will NOT be prompted for Face ID or Fingerprint ID when you return.
• If you tap the Back button on your Android device you will be prompted for FaceID or Fingerprint ID authentication when you return.
• If you Swipe up on your Android device to view all open apps and you Swipe up on the Spruce app image to close the app, you will be prompted for FaceID or Fingerprint ID authentication when you return.

Resetting your password

Please note that after you reset your password:

1. You will be logged out automatically on all devices.
2. The system will also send two-factor authorization (2FA) codes to you through SMS text when you log in on any device after the password reset.
3. Notifications will be turned off (besides calls) until you log in on your device again.

Locking your device screen (some examples)

To ensure the highest level of security with your Spruce account and HIPAA compliance, it is important to be aware of and take appropriate safety precautions based on the security settings of the devices you use to log into the Spruce app.

• Windows - Windows icon + L to lock your screen
  • 4 ways to lock your Windows 10 PC
  • Interactive logon: Machine inactivity limit
• MacBook - Apple Icon in the upper left corner and choose Sleep
  • 7 ways to lock your MacBook
  • Set Your Mac's Screen to Lock Automatically
  • How to set a password on your Mac computer and lock it, in 5 different ways
• Android - Settings → Lock screen → Screen lock and Secured lock time
  • Set screen lock on an Android device
  • How to Lock the Screen on Android
• iPhone - Settings → Tap on Display & Brightness → Auto Lock → Tap on preferred time
  • 6 ways to lock down your iPhone’s lock screen
  • Apple® iPhone® 6s / 6s Plus - Set Up Phone Lock

Two-factor authentication or 2-step verification

Spruce sends two-factor authentication (2FA) codes to you via SMS text as a way to verify your identity as an extra security measure in addition to email and password.

Two-factor authentication codes are used on Spruce when you create a new account, when you are logging into an existing account, and when you are attempting to reset your account password.

After you reset or change your password the system will send two-factor authorization (2FA) codes to you through SMS text.

Full Disk Encryption

To enhance your data security, we strongly recommend enabling full disk encryption on all your devices, if supported. Full disk encryption protects your information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. This is especially crucial if your device is lost or stolen, as it helps prevent access to your sensitive data. Most modern devices come with built-in encryption tools like BitLocker for Windows, FileVault for macOS, and encryption settings for Linux. For mobile devices, both iOS and Android offer robust encryption options. Always ensure your device's operating system is up to date to maintain the best security practices.

Additional Reading

• HITRUST blog post (easiest to digest)
• Using Spruce in a HIPAA-Compliant Way
• Spruce Completes SOC 2 Type II Audit
• Password Reset