
For Healthcare customers: HIPAA and Business Associate Agreement (BAA)

With more than 900 customers in the healthcare industry, we have a deep understanding that the data privacy and regulation landscape is constantly evolving, and we want to reassure you, our customer, of our commitment to complying with all applicable laws and regulations.

Unlike other vendors you may be accustomed to working with, Sprout Social is not designed for HIPAA compliance. Without Guardian, and consistent with our social network partners, Sprout Social’s Terms of Service prohibit customers from sharing, collecting, transmitting, or storing sensitive information, including protected health information (PHI) through the platform.

Sprout Social is entirely cloud-hosted – the platform does not access your local network or connect to any electronic medical record systems. All data processed through Sprout Social is encrypted both in transit and at rest. Sprout Social should be considered a processor of data, expanding the functionality of the native social networks to centralize interactions with your customers.

We take this responsibility, and our commitment to our social network partners, very seriously.

How does PHI collection change with Guardian?

Guardian by Sprout Social, an add-on product, allows customers to securely collect PHI using a vetted third-party vendor through Secure Forms.

All data processed through our third-party vendor is encrypted both in transit and at rest.

This functionality is specifically designed for our healthcare customers, enabling them to efficiently and seamlessly engage on social while drastically reducing risk, as sensitive data is never passed through or stored by Sprout Social or network partners.

Without Guardian, why does Sprout Social prohibit sensitive data, such as PHI, directly on its platform?

The social networks are not designed for compliance with the laws governing PHI and other sensitive data. To our knowledge, the social networks do not sign BAAs and their terms of use disclaim liability for all such content on their platforms. As such, our partnership agreements with the social networks necessitate that we prohibit processing of sensitive information, including PHI, on our platform.

Similar to Sprout Social, our competitors in the social media management space also prohibit their customers from processing sensitive data, including PHI, on their platforms. Ultimately, the consensus across the social media industry is that social media platforms are not appropriate forums for the direct collection of sensitive data like PHI.

What is Sprout’s position on HIPAA and signing Business Associate Agreements (BAA)?

In early 2023, Sprout Social formed a dedicated Healthcare account team to better understand and address the challenges facing major health systems. What we’ve uncovered is that our healthcare customers are struggling with the intersection of social media and HIPAA, the Bulletin issued in December 2022 from the OCR on tracking technologies, and BAA mandates from security & privacy teams.

Following that review, we began offering a tailored BAA scoped to inadvertent uploading of PHI by a social media user. And, in 2025, we expanded our Secure Forms by Guardian product offering to support PHI leveraging an updated BAA setting out the relationship between customers, Sprout, and our secure third-party vendor (with whom Sprout has signed a Business Associate Subcontractor Agreement or BASA).

By reminding your social media users that they should not share sensitive information directly on social media, and leveraging Secure Forms by Guardian (including signing a BAA with Sprout if you intend to collect PHI via Secure Forms), you can significantly reduce risk to your users while also building trust with them.

  • Tailored BAA Purpose: The BAA is scoped to the nature and limited risk profile of the core Sprout Social services. It is leveraged in case there is inadvertent uploading of PHI by a social media user that your organization cannot control. It provides coverage and clear procedures for handling this rare, accidental exposure.
  • BAA & Guardian Secure Forms: The provisions of this tailored BAA regarding inadvertent PHI are not relevant for data transmitted via Secure Forms. Because Secure Forms use a separate, secure vendor that doesn't involve the Sprout Social platform in data processing, the risk of inadvertent PHI exposure to Sprout Social is eliminated in that specific workflow.

What types of data does Sprout Social process?

The vast majority of data processed by Sprout Social is already publicly available. As a processor, Sprout Social retrieves information from social media accounts that you choose to connect to our platform. This means that the information that you share with Sprout Social already exists on your social media accounts. For more detailed information on the data processed by Sprout Social and data received from the social networks, please download our Commitment to Data Privacy here.

How can we safely use Sprout Social as a healthcare organization?

To help healthcare customers tackle their compliance obligations, we’ve devised several methods and product configurations (outlined below) that minimize the likelihood of receiving sensitive data like PHI on social media. Our sales and solutions engineering teams can discuss each option in detail during the contracting process. Our support and integration teams can also help enable these options during onboarding.

  • Secure Forms (through Guardian) – Secure Forms enables customers to collect necessary PHI directly from users, leveraging a secure third-party platform. This information is never processed or retained by the Sprout Social platform.
  • BAA – Sign a BAA with Sprout (either to cover inadvertent sharing of PHI by your users, or to cover intended sharing leveraging Secure Forms).
  • Profile Disclaimers – Customers can add a disclaimer to their social profiles to request that social media users refrain from sharing any healthcare information and to inform them where to route such information.
  • Direct Message Disclaimers – Similarly, customers can add a disclaimer that automatically pops up when social media users begin drafting a direct message to their profile. For example, the disclaimer may read “Thank you for reaching out to us. Please note that we are unable to answer medical questions or provide medical advice through social media. We will reply to any other questions shortly.”
  • Chatbots – Our platform provides a chatbot creation tool that can reroute social media users to an email address or other secure channel for healthcare-related conversations.
  • Smart Inbox – Our Smart Inbox can be configured to automatically tag messages that may contain healthcare information and route them to a folder for review and deletion.
  • Roles and Permissions – Customers can designate user roles and permissions that restrict access to profiles and tag folders, or to prevent users from responding to customer messages altogether.
  • Saved Replies – Customers can save pre-written replies that can be used to quickly respond to customers and redirect the conversation to a secure channel for healthcare-related conversations.

Frequently Asked Questions

Does Sprout Social connect to our local network or to any of our other systems?

No, Sprout Social is entirely cloud-hosted on Amazon Web Services (AWS) and does not access your local network.

Does Sprout Social encrypt the data it receives and transmits?

Yes, all data is stored co-mingled, logically separated, and encrypted at rest using AES-256 or greater, including backups. All communication over public networks with Sprout Social’s application and API utilizes HTTPS with TLS 1.2 or higher enforced.

How does Sprout Social store and retain data?

Under Sprout Social’s data retention policy, we may retain customer data for a period of 13 months from the date of cancellation for the purposes of account reactivation. Customers can delete data on a self-service basis within the platform. After termination, Sprout Social will delete customer data promptly upon written request. Data submitted via Guardian’s Secure Forms is maintained entirely within secure third-party storage. Sprout Social never accesses, views, or retains this information.

Where can I find information on Sprout Social’s security standards?

Detailed information on our security standards is available here. Information on our security certifications is available in our customer trust portal. Finally, our DPA includes our standard security annex that is incorporated into all customer agreements.

Does Sprout collect social media users’ IP addresses?

No, the social networks do not provide us with social media users’ IP addresses. If we process a social media message from one of your patients or customers, we will not receive, process, or store their IP address. Like most cloud-based applications, we do receive the IP addresses of individuals who log in to the Sprout Social platform with Sprout Social credentials (i.e., the members of your social media management team).

Are Guardian Secure Forms HIPAA Compliant?

Sprout Social can’t advise customers on legal compliance. However, we conducted a thorough review of our Secure Forms vendor using the Security Risk Assessment (SRA) tool released by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). This framework helped us evaluate the vendor’s security controls and ensure the solution supports HIPAA compliance standards.