Is Spruce Health HIPAA compliant?
Conditionally. Spruce automatically includes a BAA in its terms of service for paid plans and trials when your organization requires one, but it does not execute a BAA for the free service tier.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Paid plans (and trials) automatically include a BAA when applicable; the free service tier does not
- Official source: Spruce Health Help Center — HIPAA and BAA — https://help.sprucehealth.com/hc/en-us/articles/23003297520027-HIPAA-and-BAA (verified 2026-06)
How to use Spruce Health in a HIPAA-compliant way
- Sign up for a Spruce trial or paid plan and create an organization
- Electronically accept the Spruce BAA, which is incorporated into the terms of service when applicable
- Review the BAA within the terms of service to confirm scope
- Upgrade off the free tier before using Spruce for PHI in your practice
- Configure security controls and favor Secure Messaging over riskier channels
Important caveats
- The free service tier does NOT include a BAA and cannot be used for PHI
- The BAA is accepted electronically as part of the org terms — verify it is in force before transmitting PHI
- Compliance is a shared responsibility; you must still implement your own safeguards and workflows
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Spruce Health correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Spruce Health.
Frequently asked questions
Does Spruce Health sign a BAA?
On specific plans. Paid plans (and trials) automatically include a BAA when applicable; the free service tier does not. A signed BAA is required before any PHI is involved.
Is Spruce Health HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Spruce Health offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Spruce Health with PHI?
The free service tier does NOT include a BAA and cannot be used for PHI.