Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes for a couple of important points.
# of Caveats: 0 view caveats→
# of Usage Notes: 6 view notes→

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.
  • The leadership or management behind this product includes at least one health care professional (but no mental/behavioral health professionals that we could find.)

What Is This Product?

Spruce LogoSpruce is a nifty app that provides a simple and helpful platform for both secure texting and performing telehealth activities.

Spruce is a viable solution for clinicians who need:

  • Secure texting with clients.
  • A separate phone number for their practice that they can use on their own smartphone.
  • A simple platform for collaborating with clients on treatment plans.
  • A secure method of coordinating client care within an integrated health care team.

Our Impressions

Our overall impression of the company, in terms of attention towards security and risk management, was positive. We feel comfortable recommending them for your practice management and risk management needs.


Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.



Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Make sure to request the BAA from Spruce support.

Spruce does not automatically execute a BAA with you at signup. When you first start using the app, Spruce support will automatically initiate a support conversation with you. Use that conversation to request your BAA first thing.

2) Lean towards having clients use the Spruce app on their own phones for texting with you. Use collaborative risk analysis where this is not possible.

Spruce offers phone service through its app, and that includes the ability for you to send conventional SMS text messages (those are the nonsecure kind.) It also means clients can send unsecured SMS messages to your Spruce phone number.

It is best to lean towards secure communications. If you’re using Spruce, then secure texting with clients is just an app download away for the client. We strongly encourage therapists using Spruce to norm with clients that you’ll always use the app for all your texting with them.

We do have some tips on norming secure communication with clients in this article: Even Though They Have a Right Under HIPAA To Unencrypted Emails: A Case For Only Using Secure Email and Texting With Clients.

Some clients may not be able to use the app. Typically, this is because they don’t have smartphones or they can’t afford enough data for their smartphone to use apps like Spruce. There may also be other reasons that we haven’t anticipated.

If it turns out that you and a specific client need to fall back to unsecured text communications, and such communications are legally-ethically workable for you and that client, know that Spruce Health executes a Business Associate Agreement with you. That makes it legal for you to use the Spruce app for these nonsecure text message exchanges.

Read our article on unsecured communications here for some guidance on this issue. It is also covered in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner in detail (and that training is included with your Person-Centered Tech Support membership!)

3) When using Spruce for phone service, make sure clients know not to send SMS (nonsecure) texts to your phone number.

This note is somewhat redundant with Note 2 above, but we just want to emphasize that we think that if you’re using Spruce for phone service, you should emphasize to clients that the phone number is just for voice calls.

You can also emphasize that leaving voicemails is acceptable and that the Spruce voicemail service is properly secured.

For clients who want to text you: except as noted above in Note 2, clients should use the Spruce app instead of sending SMS texts to your Spruce phone number.

4) When sending a message to a client who is using the Spruce app, always choose to send it through the Spruce app as a “Secure Conversation.”

Once again, we’re being redundant with Note 2. This time, we want to emphasize that Spruce can send several kinds of notifications to clients. These include messages, payment requests, payment receipts, etc.

When initiating any communication that would result in sending a message to a client, always choose to have it sent as a “Secure Conversation” through Spruce.

Once again, this except as noted above in Note 2.

5) Spruce email is intended for communicating with a care coordination team, and we recommending using it only for that

Part of the Spruce service is a simple little email account. It’s clear that this account is intended for communicating within a care team (remember that Spruce is designed to be used collaboratively by a team of clinicians.) We don’t recommend using this email service as your practice email.

6) You need to pay for Spruce to get what you need for HIPAA compliance

Spruce has a free service tier, but they do not execute a Business Associate Agreement with customers on the free tier. You will need to get one of the paid tiers to use it in your practice.


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss