HIPAA Compliance

Effective Date: January 1, 2026

HIPAA Compliance and Trust at Therhappy

Therhappy is designed to protect Protected Health Information (PHI) in accordance with HIPAA standards. While we have not obtained formal third-party HIPAA certification, our platform implements administrative, physical, and technical safeguards aligned with best practices to secure your data.

Our Role as a Business Associate

Therhappy acts as a HIPAA Business Associate for Providers using our platform. We process PHI solely on behalf of Providers and in accordance with our Business Associate Agreement (BAA). Providers retain full ownership and control of Client data.

Technical and Operational Safeguards

Therhappy implements a multi-layered approach to secure PHI:

  • Cloud Infrastructure: We use AWS App Runner and MongoDB Atlas to host our platform. Both provide automatic scaling, automated backups, and multi-availability-zone deployments for high availability and disaster recovery.
  • Private Network & Access: Servers accept no public SSH access, and all internal communication occurs over secure private networks.
  • Encryption: TLS encryption for data in transit and AES-256 encryption for data at rest.
  • Access Control & Authentication: Role-based access controls, strict permission assignment, and multi-factor authentication (MFA) for all accounts accessing PHI.
  • Audit Logging & Monitoring: All system access and administrative actions are logged and continuously monitored for anomalies.
  • Automated Backups & Disaster Recovery: All databases and platform state are automatically backed up with geographic redundancy across multiple availability zones. Disaster recovery procedures are tested regularly.
  • Security Assessments: Regular vulnerability scans and penetration testing to identify and remediate security risks promptly.
  • Provider and Client Data Segregation: Multi-tenant isolation ensures that data from one Provider cannot be accessed by another.

Provider Responsibilities

  • Maintain appropriate internal HIPAA policies and procedures.
  • Obtain all necessary consents for telehealth and electronic communications.
  • Use the platform in accordance with our Terms of Service, Privacy Policy, and BAA.

Data Breach and Incident Response

In the unlikely event of a security incident or data breach, Therhappy has a documented incident response plan. Providers will be promptly notified in accordance with HIPAA rules, and steps will be taken to mitigate any potential harm.

Future Compliance Plans

Therhappy is committed to continuous improvement and plans to pursue formal HIPAA audits and certifications in the future to further enhance compliance and trust for Providers and Clients.

Learn More

Let's talk about your practice.

Have questions about HIPAA compliance, pricing, or migration? Our team of experts is here to help you make the switch.
