3 min read

Is Sprout Social HIPAA compliant? (Update 2024)

Kapua Iao August 13, 2020

HIPAA Compliance HIPAA compliant software

Is Sprout Social HIPAA compliant? (Update 2024)

Sprout Social is a unified social media management platform that enables teams to manage their social media from a central location. Many healthcare organizations use social media platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Sprout Social has created a tailored BAA for its healthcare customers but still holds the stance that PHI should not be used on social media. While the company offers a BAA, it may not be HIPAA compliant.

What is Sprout Social?

Sprout Social, launched in 2010, is a central social media management platform for organizations. It can be used to schedule social media posts, respond to messages via social media platforms, analyze data, and study trends. Other features named on its website include:

A social content calendar and library
Suggested posting times
Artificial Intelligence (AI)-generated responses
Alerts for message activity
Auto-tagging in inboxes
Profile and keyword monitoring
Access to reports on content/data

Social media platforms that Sprout Social monitors and engages with include TikTok, Facebook, Twitter, Instagram, LinkedIn, and WhatsApp. Users can also connect to Google Analytics, TripAdvisor, or Glassdoor to further analyze accounts. It is one of the most popular social media tools on the market.

LEARN ABOUT: The importance of social media literacy among healthcare staff

Is Sprout Social considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Sprout Social and its ability to be HIPAA compliant. Sprout Social is a business associate of a healthcare organization if it accesses or stores any PHI, like a name or email address.

Sprout Social and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2020 blog, we stated that we could not find information to indicate that Sprout Social would sign a BAA. In early 2023, however, Sprout Social created a healthcare team to better understand its healthcare customers.

According to the company, its position on sensitive information (e.g., PHI) on its platform hasn’t changed. Sprout Social’s Terms of Service still prohibits customers from sharing, collecting, transmitting, or storing sensitive information. While stating that its “position on the necessity of a BAA has not changed,” Sprout Social has prepared a tailored BAA to limit healthcare risks and the inadvertent uploading of sensitive information by users and end users.

Sprout Social, social media, and data security

Social media tools are great at managing social media posts, responding to messages in bulk or using AI, and analyzing audience data. Like other tools used to connect with patients and business partners, healthcare professionals should be careful when using such tools. Maintaining social media HIPAA compliance requires an understanding of the rules and how to violate them. Adopting best practices helps organizations mitigate the risks of breaches.

When discussing its stance on PHI, Sprout Social included a list of its cybersecurity features. The platform is entirely on the cloud and is unable to access an organization’s local network or connect to any medical records. Furthermore, all data processed by the company is encrypted in transit and at rest. Additionally, public communication is conducted securely over transport layer security (TLS) and Hypertext Transfer Protocol Secure (HTTPS).

Nevertheless, Sprout Social is firm about keeping sensitive data off its platforms stating, “Unlike other vendors you may be accustomed to working with, Sprout Social is not designed for HIPAA compliance.” The company emphasizes its position by outlining methods to eliminate PHI on social media and providing a cheat sheet to support healthcare organizations.

LEARN ABOUT: FAQs: All about HIPAA and social media