Back to Trust Center

For Healthcare customers: HIPAA and Business Associate Agreement (BAA)

With over 900+ customers in the healthcare industry, we have a deep understanding that the data privacy and regulation landscape is constantly evolving, and want to reassure you, our customer, of our commitment to complying with all applicable laws and regulations.

Unlike other vendors you may be accustomed to working with, Sprout Social is not designed for HIPAA compliance. Consistent with our social network partners, Sprout Social’s Terms of Service prohibit customers from sharing, collecting, transmitting, or storing sensitive information, including protected health information (PHI) through the platform.

Sprout Social is entirely cloud-hosted – the platform does not access your local network or connect to any electronic medical record systems. All data processed through Sprout Social is encrypted both in transit and at rest. Sprout Social should be considered a processor of data, expanding the functionality of the native social networks to centralize interactions with your customers.

We take this responsibility, and our commitment to our social network partners, very seriously.

What is Sprout’s position on HIPAA and signing Business Associate Agreements (BAA)?

In early 2023, Sprout Social formed a dedicated Healthcare account team to better understand and address the challenges facing marketing, communications and customer service teams within major health systems. What we’ve uncovered is that our healthcare customers are struggling with the intersection of social media and HIPAA, the Bulletin issued in December 2022 from the OCR on tracking technologies, and BAA mandates from security & privacy teams.

To address these concerns, our team did an extensive evaluation of the social media landscape as it relates to HIPAA. Ultimately, the industry consensus appears to be that social media is not an appropriate forum for protected health information (PHI). To our knowledge, the social networks themselves do not sign BAAs and disclaim liability for content on their platforms.

To help healthcare customers tackle these issues, we’ve outlined several methods and product configurations that eliminate or minimize the likelihood of receiving PHI on social. We’ve walked a number of customers through these options as part of the contracting process, and can help customers enable them during onboarding. Using these methods, our customers have been successful in obtaining BAA exceptions across the board, given the low-risk nature of the data involved.

While our position on the necessity of a BAA has not changed, we understand there may be situations where internal policies will require a BAA despite the available risk mitigation features. As such, we have prepared a tailored BAA that is scoped to the nature and limited risk profile of the services we provide. The BAA is leveraged in case there is inadvertent uploading of sensitive information by a social media user that your organization cannot control.


Why does Sprout Social prohibit sensitive data, such as PHI, on its platform?

The social networks are not designed for compliance with the laws governing PHI and other sensitive data. To our knowledge, the social networks do not sign BAAs and their terms of use disclaim liability for all such content on their platforms. As such, our partnership agreements with the social networks necessitate that we prohibit processing of sensitive information, including PHI, on our platform.

Similar to Sprout Social, our competitors in the social media management space also prohibit their customers from processing sensitive data, including PHI, on their platforms. Ultimately, the consensus across the social media industry appears to be that social media is not an appropriate forum for sensitive data like PHI.


What types of data does Sprout Social process?

The vast majority of data processed by Sprout Social is already publicly available. As a processor, Sprout Social retrieves information from social media accounts that you choose to connect to our platform. This means that the information that you share with Sprout Social already exists on your social media accounts. For more detailed information on the data processed by Sprout Social and data received from the social networks, please download our Commitment to Data Privacy here.


How can we safely use Sprout Social as a healthcare organization?

To help healthcare customers tackle their compliance obligations, we’ve devised several methods and product configurations (outlined below) that minimize the likelihood of receiving sensitive data like PHI on social media. Our sales and solutions engineering teams can discuss each option in detail during the contracting process. Our support and integration teams can also help enable these options during onboarding.

  • Profile Disclaimers – Customers can add a disclaimer to their social profiles to request that social media users refrain from sharing any healthcare information and to inform them where to route such information
  • Direct Message Disclaimers – Similarly, customers can add a disclaimer that automatically pops up when social media users begin drafting a direct message to their profile. For example, the disclaimer may read “Thank you for reaching out to us. Please note that we are unable to answer medical questions or provide medical advice through social media. We will reply to any other questions shortly.”
  • Chatbots – Our platform provides a chatbot creation tool that can reroute social media users to an email address or other secure channel for healthcare-related conversations.
  • Smart Inbox – Our Smart Inbox can be configured to automatically tag messages that may contain healthcare information and route them to a folder for review and deletion.
  • Roles and Permissions – Customers can designate user roles and permissions that restrict access to profiles and tag folders, or to prevent users from responding to customer messages altogether.
  • Saved Replies – Customers can save pre-written replies that can be used to quickly respond to customers and redirect the conversation to a secure channel for healthcare-related conversations.


Frequently Asked Questions

Does Sprout Social connect to our local network or to any of our other systems?

No, Sprout Social is entirely cloud-hosted on Amazon Web Services (AWS) and does not access your local network.

Does Sprout Social encrypt the data it receives and transmits?

Yes, all data is stored co-mingled, logically separated, and encrypted-at-rest using AES-256 or greater, including backups. All communication over public networks with Sprout Social’s application and API utilize HTTPS with TLS 1.2 or higher enforced.

How does Sprout Social store and retain data?

Under Sprout Social’s data retention policy, we may retain customer data for a period of 13 months from the date of cancellation for the purposes of account reactivation. Customers can delete data on a self service basis within the platform. After termination, Sprout Social will delete customer data promptly upon written request.

Where can I find information on Sprout Social’s security standards?

Detailed information on our security standards is available here. Information on our security certifications is available in our customer trust portal. Finally, our DPA includes our standard security annex that is incorporated into all customer agreements.

Does Sprout collect social media users’ IP addresses?

No, the social networks do not provide us with social media users’ IP addresses. If we process a social media message from one of your patients or customers, we will not receive, process, or store their IP address. Like most cloud-based applications, we do receive the IP addresses of individuals who log in to the Sprout Social platform with Sprout Social credentials (i.e. the members of your social media management team).