Is Spruce Health Care Messenger HIPAA compliant?

Is Spruce Health Care Messenger HIPAA compliant? | Paubox

We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

Today we will determine if Spruce Health Care Messenger is a HIPAA compliant telehealth service or not.

About Spruce Health Care Messenger

Spruce Health Care Messenger is a messaging and collaboration platform developed specifically for the healthcare industry. It is designed to enable healthcare professionals to communicate and collaborate more efficiently by providing a secure and reliable way to exchange messages, documents, and other information.

Spruce Health Care Messenger includes features such as group messaging, secure file sharing, and integrations with other healthcare systems and tools. It is available on a range of devices, including desktop computers, mobile phones, and tablets, and can be accessed through a web browser or through dedicated mobile apps.

Spruce Health Care Messenger is designed to meet the strict security and privacy requirements of the healthcare industry, and it is compliant with relevant regulations such as HIPAA. It is intended to help healthcare professionals improve patient care by enabling them to more easily share information and collaborate with each other.

Spruce Health Care Messenger and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We checked the Spruce Health site and found a help center article entitled, “HIPAA and BAA.”

It succinctly states:


Your Business Associate Agreement with Spruce

The Spruce HIPAA Business Associate Agreement (BAA) is included automatically, when applicable, in our standard terms of service for organizations. If you already have a Spruce account, then you are already operating under these terms. See the Spruce Terms of Service for Organizations, including our BAA, for complete information.

Is Spruce HIPAA Compliant?

Yes, Spruce can be used in a HIPAA-compliant manner, and it is designed for this use. Spruce was created with security and privacy in mind, and both secure and standard communication can be used in a HIPAA-compliant manner.


Notification of Enforcement Discretion

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Amazon Chime
  • Apple FaceTime
  • Doxy.me
  • Facebook Messenger
  • Google Hangouts video
  • Google Hangouts
  • iMessage
  • Jabber
  • Signal
  • Skype
  • Spruce Health Care Messenger
  • Updox
  • VSee
  • WhatsApp
  • Zoom

See also: HIPAA privacy and security guidelines as they relate to telehealth

Is Spruce Health Care Messenger HIPAA compliant?

The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.

As we noted earlier, Spruce Health is willing to sign a BAA with its customers for Spruce Health Care Messenger.

In addition, Spruce Health Care Messenger is considered by HHS as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it would allow healthcare entities to use Spruce Health Care Messenger and not be liable for HIPAA fines even if they did not offer a BAA to their customers.

Conclusion: Spruce Health Care Messenger is HIPAA compliant.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.

Read more by Hoala Greevy

Get started with
end-to-end protection

Bolster your organization's security with state-of-the-art email encryption and inbound email security.

Highest rated HIPAA compliant messaging solution on G2

EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport
EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport