Therachat is completely HIPAA compliant & secure. There is no “opting out” of this as a company or as a user.
As a company we take PHI protection and HIPAA compliance very seriously, and want you to feel secure in knowing that we are always watching out for your clients' best interests.
How do we ensure HIPAA, and security in general?
We follow industry-standard best practice for security: encryption of data both in transit and at rest, isolation of client PHI records from therapist records (so that access to a client's PHI records can be limited to that client's therapist and to the client themselves), and smaller items such as password security and device-level encryption. We also have auditing measures in place to self-audit our services throughout the year, to track access patterns, and to verify data integrity.
How do we protect PHI?
HIPAA compliance in this app is mainly focused on not revealing any PHI. Any services we use that are outside of the HIPAA platform are never passed any PHI at all; not even an individual identifier that could in any way be reverse engineered to identify an individual. Client data can only be viewed by:
- a. the therapist of the client
- b. in certain circumstances, for debugging the software, the developers; however, as per HIPAA compliance guidelines, every access to the databases by developers is audited and logged.
A client account can be set up purely with an email address and name. The database that stores the email addresses and names is separate from the database where the client's actual app-usage information is stored (such as their journal entries). Multiple layers of security protect that information, and we treat it as our number one priority: our business associate agreements bind our liability to that of the therapist, meaning we are jointly liable for breaches.
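As an added illustration (not Therachat's code) of the two points above, this sketch keeps identity data and usage data in separate stores joined only by a random id, and hands outside services an opaque, random reference rather than anything derived from the email. The store names, functions and sample values are assumptions constructed for the example.

```python
"""Added illustration (not Therachat's code): separate identity and usage
stores, and opaque external references that cannot be reverse engineered.
All names, stores and sample data here are constructed for the example."""
import hashlib
import secrets

# Two separate stores inside the HIPAA boundary, linked only by a random id.
IDENTITY_STORE: dict[str, dict] = {}   # client_id -> {"email", "name"}
USAGE_STORE: dict[str, list] = {}      # client_id -> journal entries
EXTERNAL_REFS: dict[str, str] = {}     # external_ref -> client_id; never leaves the boundary


def enroll_client(email: str, name: str) -> str:
    """Create a client. The join key is random, so it reveals nothing on its own."""
    client_id = secrets.token_urlsafe(16)
    IDENTITY_STORE[client_id] = {"email": email, "name": name}
    USAGE_STORE[client_id] = []
    return client_id


def external_reference(client_id: str) -> str:
    """Reference handed to a non-HIPAA service. It is random; the mapping back
    to client_id exists only in EXTERNAL_REFS, inside the boundary."""
    ref = secrets.token_urlsafe(16)
    EXTERNAL_REFS[ref] = client_id
    return ref


def weak_external_reference(email: str) -> str:
    """Counter-example: a deterministic hash of the email. It looks opaque, but
    anyone holding the email can recompute it, so it still identifies the person."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def linkable_by_guessing(token: str, candidate_emails: list[str]) -> bool:
    """Pre-release check: can the token be matched to an email a third party
    already holds? True means the 'anonymous' id is really an identifier."""
    return any(weak_external_reference(e) == token for e in candidate_emails)


if __name__ == "__main__":
    cid = enroll_client("client@example.com", "J.")      # constructed sample
    ref = external_reference(cid)
    weak = weak_external_reference("client@example.com")
    known = ["client@example.com", "other@example.com"]  # constructed list
    print("random ref linkable:", linkable_by_guessing(ref, known))   # False
    print("hashed ref linkable:", linkable_by_guessing(weak, known))  # True
```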
What PHI is required from clients or the therapist in order to use Therachat?
We only request an email address from clients to use the app. We do not ask a client’s name or any other personal identifier.
On the therapist side: we ask you to input a client's name (which can be initials or only a first name) and an email address to connect you & your client. All other information about a client is optional.
If at any time you notice something we can improve, we’ll always look into it & change it if possible.