HIPAA Policy
Last updated: June 23, 2026
TheraForge is designed to help licensed mental health professionals comply with their obligations under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. When TheraForge processes Protected Health Information ("PHI") on your behalf, we act as a Business Associate. A signed Business Associate Agreement ("BAA") is required and is available to all paid customers on request at baa@theraforge.app.
Important: This page describes the controls we have implemented. It is not an attestation, certification, or legal guarantee. HIPAA compliance is a shared responsibility between you (the covered entity) and us (the business associate).
Administrative Safeguards
- Designated Security Officer and Privacy Officer.
- Annual workforce training on HIPAA, security, and incident response.
- Background checks for personnel with production access.
- Documented access provisioning and quarterly access reviews.
- Written incident response plan with a 60-day breach notification commitment to covered entities.
- Written subprocessor management program, including BAAs with each subprocessor that handles PHI.
Physical Safeguards
- Production infrastructure runs in SOC 2 and ISO 27001 audited data centers.
- No PHI is stored on workforce laptops; all production access is through secured browser consoles with full audit logging.
- Disk-level encryption and secure media destruction by our infrastructure providers.
Technical Safeguards
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest using AES-256 for databases, backups, and file storage.
- Row-level security enforced at the database layer; every PHI table requires an explicit, authenticated policy match before data is returned.
- MFA required for all workforce access to production systems.
- Least-privilege role-based access control for application users (therapist, practice owner, client portal).
- Continuous audit logging of clinical record access and AI actions; logs retained for 6 years.
- Automated daily backups with point-in-time recovery.
- Vulnerability scanning and annual third-party penetration testing.
AI Processing of PHI
When you use AI features, transcripts and text containing PHI may be sent to our AI inference subprocessors under BAAs or equivalent contractual protections. Those subprocessors are contractually prohibited from using customer content to train foundation models. You can disable AI features for individual clients or for your entire practice from Settings.
Client Rights Support
TheraForge provides tooling to help you respond to client requests for access, amendment, accounting of disclosures, and restrictions. You remain responsible for evaluating and responding to these requests as the covered entity.
Breach Notification
If we discover a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and in no event later than 60 calendar days from discovery, with the information required by 45 CFR § 164.410.
Contact
Privacy & Security: security@theraforge.app
Request a BAA: baa@theraforge.app