
HIPAA Compliance

How TheraTouch+ protects your health information.

Our Commitment

TheraTouch+ is designed from the ground up to meet and exceed HIPAA (Health Insurance Portability and Accountability Act) requirements. We implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all Protected Health Information (PHI).

Technical Safeguards

Encryption at Rest

All PHI is encrypted using AES-256 encryption with CipherSweet searchable encryption, allowing secure data storage while maintaining query capabilities.

Encryption in Transit

All data transmitted between your browser and our servers is protected using TLS 1.3, the latest and most secure transport layer protocol.

Access Controls

Role-based access control (RBAC) ensures users can only access information relevant to their role. All access is authenticated and authorized at multiple levels.

Audit Logging

Every access to PHI is logged with user identity, timestamp, IP address, and action taken. Audit logs are immutable and retained for the required compliance period.
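The statement above lists the fields each audit record carries and says the log is immutable. One way to make that immutability checkable, rather than a matter of storage permissions alone, is to chain each record to the one before it with a keyed hash. The block below is an added example written for this page; it is not TheraTouch+'s code, and the key, user names, IP addresses and actions are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Constructed demo key. A real deployment would hold this in a KMS/HSM so that
# whoever can write to log storage still cannot forge a valid chain.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    """One PHI access record: who, when, from where, what, chained to the previous record."""
    user_id: str
    timestamp: str
    ip_address: str
    action: str
    prev_hash: str
    entry_hash: str


def _entry_mac(user_id: str, timestamp: str, ip_address: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always serialise to the same bytes.
    payload = json.dumps(
        {"user": user_id, "ts": timestamp, "ip": ip_address, "action": action, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, entries: Optional[List[AuditEntry]] = None):
        self._entries = list(entries or [])

    def append(self, user_id: str, ip_address: str, action: str,
               timestamp: Optional[str] = None) -> AuditEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        entry = AuditEntry(user_id, ts, ip_address, action, prev,
                           _entry_mac(user_id, ts, ip_address, action, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)

    def verify(self) -> Optional[int]:
        """Index of the first record that fails the chain check, or None if every record is intact."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries):
            if e.prev_hash != prev:
                return i
            expected = _entry_mac(e.user_id, e.timestamp, e.ip_address, e.action, e.prev_hash)
            if not hmac.compare_digest(e.entry_hash, expected):
                return i
            prev = e.entry_hash
        return None

    def with_entry_replaced(self, index: int, **changes) -> "AuditLog":
        """Simulate storage-level tampering: a copy of the log with one record's fields rewritten."""
        copied = list(self._entries)
        copied[index] = replace(copied[index], **changes)
        return AuditLog(copied)


def demo() -> tuple:
    log = AuditLog()
    # Constructed sample events (fictional users, documentation IP range 203.0.113.0/24)
    log.append("therapist:alice", "203.0.113.10", "VIEW patient:42 note:7", "2024-05-01T10:00:00+00:00")
    log.append("admin:bob", "203.0.113.11", "EXPORT patient:42 records", "2024-05-01T10:05:00+00:00")
    log.append("therapist:alice", "203.0.113.10", "UPDATE patient:42 note:7", "2024-05-01T10:09:00+00:00")
    intact = log.verify()  # None: every record checks out
    # A rewrite of the export record in storage is caught because its MAC no longer matches.
    tampered = log.with_entry_replaced(1, action="VIEW patient:42 records")
    return intact, tampered.verify()  # (None, 1)


if __name__ == "__main__":
    print(demo())
```

The chain catches modification or removal of any interior record, because the following record's `prev_hash` no longer matches. It does not by itself catch truncation of the tail; for that, a deployment periodically anchors the current head hash somewhere the log writer cannot alter (a separate store or a signed timestamp), which is the usual complement to a hash chain when "immutable" has to hold against a privileged insider.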

Two-Factor Authentication

MFA is enforced for all therapist and admin accounts using TOTP-based authentication, adding a critical second layer of security beyond passwords.

Session Security

Sessions automatically time out after 15 minutes of inactivity. Sessions are encrypted, use secure cookies, and cannot be hijacked or replayed.

Administrative Safeguards

Password Policies

Minimum 12 characters with complexity requirements, 90-day expiration, and prevention of reusing the last 5 passwords. Accounts lock after 5 failed attempts.
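The policy above gives concrete numbers: 12-character minimum with complexity, 90-day expiry, no reuse of the last 5 passwords, lockout after 5 failed attempts. The block below is an added example of how those rules are enforced server-side; it is not TheraTouch+'s code. It assumes PBKDF2 for password hashing, keeps the reuse history as salted hashes (so old passwords are never stored in the clear), and treats "last 5 passwords" as the 5 most recent ones including the current one; the account names and passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Policy values as stated on the page
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 100_000  # kept modest for the demo; production tunes this upward


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def complexity_errors(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        errors.append("must contain an uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("must contain a lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("must contain a symbol")
    return errors


class Account:
    def __init__(self, username: str, initial_password: str, now: datetime):
        self.username = username
        self.failed_attempts = 0
        self.locked = False
        self.history = []  # (salt, hash) pairs, newest last; the last one is the current password
        self.password_set_at = now
        errors = self.change_password(initial_password, now)
        if errors:
            raise ValueError("; ".join(errors))

    def _reuses_recent_password(self, candidate: str) -> bool:
        # Compare against every retained hash with its own salt; constant-time compare each.
        return any(hmac.compare_digest(_hash_password(candidate, salt), digest)
                   for salt, digest in self.history[-HISTORY_DEPTH:])

    def change_password(self, new_password: str, now: datetime) -> list:
        errors = complexity_errors(new_password)
        if self._reuses_recent_password(new_password):
            errors.append(f"must not match any of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _hash_password(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]  # retain only what the reuse check needs
        self.password_set_at = now
        return []

    def password_expired(self, now: datetime) -> bool:
        return now - self.password_set_at >= MAX_AGE

    def authenticate(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'bad_password', 'locked' or 'expired'."""
        if self.locked:
            return "locked"  # do not reveal whether the password was right
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        if self.password_expired(now):
            return "expired"  # caller must force a change before granting a session
        return "ok"


def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("therapist:alice", "Correct-Horse-Battery-9", t0)  # constructed credentials
    results = {}
    results["weak_rejected"] = complexity_errors("short1!") != []
    results["reuse_rejected"] = acct.change_password("Correct-Horse-Battery-9", t0) != []
    results["change_ok"] = acct.change_password("Staple-Trombone-Clinic-3", t0) == []
    results["login_ok"] = acct.authenticate("Staple-Trombone-Clinic-3", t0 + timedelta(days=1))
    results["login_after_90d"] = acct.authenticate("Staple-Trombone-Clinic-3", t0 + timedelta(days=90))
    last = ""
    for _ in range(LOCKOUT_THRESHOLD):
        last = acct.authenticate("wrong-password-0000", t0)
    results["locked_after_5"] = last
    results["correct_but_locked"] = acct.authenticate("Staple-Trombone-Clinic-3", t0)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter for a PHI system: the reuse check has to hash the candidate under each retained salt (a single shared salt would let one leaked hash be compared across accounts), and a locked account must answer "locked" even to the correct password, otherwise the lockout leaks which guesses were right.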

Credential Verification

All therapist credentials (licenses, certifications) are verified by our admin team before a provider can see patients on the platform.

Data Retention

Health records are retained for a minimum of 7 years in compliance with federal and state regulations. Data is never permanently deleted — soft-delete is used throughout the system.

HIPAA Consent

All users must review and digitally sign a HIPAA authorization form before accessing the platform. Consent records include timestamps and electronic signatures.

Your Rights Under HIPAA

  • Right to Access: You may request a copy of your health records at any time.
  • Right to Amend: You may request corrections to your health information.
  • Right to Restrict: You may request restrictions on how your PHI is used or disclosed.
  • Right to Accounting: You may request an accounting of all disclosures of your PHI.
  • Right to Confidential Communication: You may request that we communicate with you by specific means or at specific locations.

Questions About Our Compliance?

Our privacy officer is available to answer any questions about our HIPAA compliance practices.

Contact Us