Paubox blog: HIPAA compliant email made easy

Is Sprout Social HIPAA compliant? (Update 2024)

Written by Kapua Iao | August 13, 2020

Sprout Social is a unified social media management platform that enables teams to manage their social media from a central location. Many healthcare organizations use social media platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working only with vendors who will sign a business associate agreement (BAA) and then actually secure the PHI they handle. Sprout Social has created a tailored BAA for its healthcare customers but still holds the stance that PHI should not be used on social media. So while the company offers a BAA, its platform may still not be HIPAA compliant.


What is Sprout Social?

Sprout Social, launched in 2010, is a central social media management platform for organizations. It can be used to schedule social media posts, respond to messages via social media platforms, analyze data, and study trends. Other features named on its website include:

  • A social content calendar and library
  • Suggested posting times
  • Artificial Intelligence (AI)-generated responses
  • Alerts for message activity
  • Auto-tagging in inboxes
  • Profile and keyword monitoring
  • Access to reports on content/data

Social media platforms that Sprout Social monitors and engages with include TikTok, Facebook, Twitter, Instagram, LinkedIn, and WhatsApp. Users can also connect to Google Analytics, TripAdvisor, or Glassdoor to further analyze accounts. It is one of the most popular social media tools on the market.



Is Sprout Social considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities: persons or organizations that create, receive, maintain, or transmit PHI while performing functions or services on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is the first thing to check when evaluating whether Sprout Social can be used in a HIPAA compliant way. Sprout Social becomes a business associate of a healthcare organization as soon as it accesses or stores any PHI on that organization's behalf. Note that PHI includes identifiers such as a patient's name or email address when they appear in a healthcare context, for example in a direct message asking about an appointment or a test result.



Sprout Social and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI to a vendor only if they obtain satisfactory assurances, through a signed BAA, that the vendor will appropriately safeguard the information. In a 2020 blog, we stated that we could not find information to indicate that Sprout Social would sign a BAA. In early 2023, however, Sprout Social created a healthcare team to better understand its healthcare customers.

According to the company, its position on sensitive information (e.g., PHI) on its platform hasn’t changed. Sprout Social’s Terms of Service still prohibit customers from sharing, collecting, transmitting, or storing sensitive information. While stating that its “position on the necessity of a BAA has not changed,” Sprout Social has prepared a tailored BAA to limit healthcare risks and the inadvertent uploading of sensitive information by users and end users.


Sprout Social, social media, and data security

Social media tools are great at managing social media posts, responding to messages in bulk or with AI, and analyzing audience data. As with any other tool used to connect with patients and business partners, healthcare professionals should be careful when using them. Maintaining social media HIPAA compliance requires an understanding of the rules and of the ways they are commonly violated, for example by replying to a patient's public comment or direct message with details about their care. Adopting best practices helps organizations mitigate the risk of breaches.

When discussing its stance on PHI, Sprout Social included a list of its cybersecurity features. According to the company, the platform is entirely cloud hosted and does not access an organization’s local network or connect to any medical records system. Furthermore, all data processed by the company is encrypted in transit and at rest, and communication with the platform is conducted over transport layer security (TLS) via HTTPS. These are baseline safeguards expected of any cloud vendor; they protect data on the way to and inside Sprout Social, but they do not change what happens to a message once it is posted to the social network itself.

Nevertheless, Sprout Social is firm about keeping sensitive data off its platforms stating, “Unlike other vendors you may be accustomed to working with, Sprout Social is not designed for HIPAA compliance.” The company emphasizes its position by outlining methods to eliminate PHI on social media and providing a cheat sheet to support healthcare organizations.



Is Sprout Social HIPAA compliant?

The BAA is a necessary but not sufficient component of HIPAA compliance. Sprout Social will now sign a BAA with its healthcare customers but states emphatically that its platform is not designed for HIPAA compliance, and its Terms of Service still prohibit putting sensitive information on the platform.

Conclusion: Sprout Social may not be HIPAA compliant.


Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Mitigate the risks of cyber threats such as hacking, malware, and other security incidents with strong technical safeguards. Perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally important, since PHI that must not go through a social media tool still needs a secure channel.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices, including what may and may not be said on social media. Regular training sessions help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to confirm that they remain compliant, and adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multifactor authentication and role-based permissions, over who can access PHI and under what circumstances.