Whether you love it or hate it, social media is everywhere, making it an easy way to communicate general updates about your practice, education pieces, or office closures with patients outside of an office visit. The importance of sending HIPAA compliant email might be obvious, but it’s also important to stay compliant when using social media or other communication avenues with patients. Let’s take a look at Sprout Social, a popular social media scheduling and analytics tool, to see if it is HIPAA compliant.
About Sprout Social
Launched in 2010, Sprout Social can be used to schedule social media posts, respond to messages via social media platforms, analyze data, and study trends. Per Sprout Social’s website, its platform is for “deep listening and analytics, social management, customer care and advocacy solutions.”
Sprout Social and the business associate agreement
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required for HIPAA compliance. We found no information online about Sprout Social executing a BAA.
Sprout Social and protected health information
Protecting patients’ protected health information (PHI) is an important part of HIPAA compliance. PHI is any information that can be used to reasonably identify a patient and is used during patient care. The company’s Terms of Service states: “By accessing or using the Products, you represent and warrant that your activities are lawful in every jurisdiction where you access or use the Products. Our Products are not intended to hold any Sensitive Information. You represent and warrant that you will not use our Products to transmit, upload, collect, manage, or otherwise process any Sensitive Information. WE WILL NOT BE LIABLE FOR ANY DAMAGES THAT MAY RESULT FROM YOUR USE OF OUR PRODUCTS IN TRANSMITTING, COLLECTING, MANAGING, OR PROCESSING ANY SENSITIVE INFORMATION.”
Both the Terms of Service and Service Subscription Agreement define sensitive information:
“Sensitive Information” means any passwords, credit card or debit card information, personal financial account information, personal health information, social security numbers, passport numbers, driver’s license numbers, employment records, physical or mental health condition or information, any information that would classify as “Special Categories of Information” under EU data protection laws, or any other information that would be subject to Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standards (PCI DSS), or other laws, regulations, or industry standards designed to protect similar information.
Protected health information would be considered sensitive information by Sprout Social’s definition, and the Terms of Service states that its products are not intended to store that kind of information. However, Sprout states on its website that the information processed on its platforms is encrypted. Per Sprout Social’s security page: “All communications over public networks with Sprout Social applications and APIs is conducted over TLS/HTTPS. All data is stored encrypted at rest, including for backups.” Additional security information about Sprout Social can be found on that page. Keep in mind that encryption alone does not make a product HIPAA compliant.
Conclusion
An executed BAA is a crucial component of HIPAA compliance. Because we found no evidence of Sprout Social’s willingness to sign or even discuss executing a BAA, Sprout Social does not offer HIPAA compliant services.
How to use Sprout Social without violating HIPAA
Healthcare providers can still use social media to foster open communication with their patients! Your practice can share many types of general information via social media, such as health and wellness tips, COVID-19 updates, or information about your practice or events. However, your practice must never disclose anything that could be considered PHI or allude to someone’s specific illness or unique medical case, and it should not address individuals or their individual health histories through social media (even if someone offers the information up willingly). This includes private or direct messages, too. A healthcare provider should never direct or private message any patient on any social media platform. Creating a social media plan can help ensure you and your staff are only sharing information in a HIPAA compliant manner. Are you feeling a little confused about social media and HIPAA compliance? Don’t be — we made a guide for that.
HIPAA compliant email as a complement to social media
You might not be able to send PHI via a social media platform, but you can communicate directly with your patients via a HIPAA compliant email solution, like Paubox Email Suite. Outbound emails are encrypted by default and sent from your existing email platform (such as Google Workspace or Microsoft 365), so the solution does not require any change in user behavior. Emails are delivered directly to a patient’s email inbox, no password or portal required. Your patients will never have to worry about logging into and out of an email portal again.