BAA Included Free

Your Business Associate Agreement

Your BAA is included with every TheraFocus subscription. No extra fees, no waiting, no legal back-and-forth. Just the protection your practice needs, ready from day one.

Last updated: December 2025

What is a BAA? (In Plain English)

A Business Associate Agreement is a contract that says TheraFocus will protect your clients' health information just like you do.

When you use TheraFocus to store session notes, manage appointments, or handle billing, you are sharing Protected Health Information (PHI) with us. HIPAA requires a legal agreement defining how we can use that information and what safeguards we must have in place.

The good news: We have already done the legal work. Our BAA meets and exceeds HIPAA requirements, and it is included with every subscription at no extra cost.

Why Our BAA is Different

Most software companies treat BAAs as an afterthought. We think that is backwards.

Limited PHI Use

We only use client data to provide our services. Never for marketing or sale.

24-Hour Breach Notice

If anything happens, you know within a day. No exceptions.

Subcontractor Compliance

Our vendors are held to the same HIPAA standards we follow.

Your Audit Rights

You can verify our compliance practices anytime you need to.

What Our BAA Covers

Comprehensive protection for every aspect of your practice

How We Can Use PHI

We are only permitted to use your clients' information to:

  • Provide the services you signed up for
  • Maintain and improve our platform
  • Comply with legal requirements
  • Create de-identified, aggregate data

We never sell PHI. We never use it for advertising. We never share it with third parties except as needed to provide our services.

Safeguards We Commit To

Administrative

  • Designated Security Officers
  • Workforce training
  • Access controls

Physical

  • Secure data centers
  • 24/7 monitoring
  • Facility access controls

Technical

  • AES-256 encryption
  • Unique authentication
  • Comprehensive audit logs

For complete details on our security measures, see our HIPAA Compliance and Security pages.

Breach Notification

Our Promise: You Will Know Fast

We have never had a HIPAA breach. But if something ever happens, here is exactly what we do.

  • Discovery: We monitor for security incidents around the clock
  • Notification: You are notified within 24 hours of a confirmed breach
  • Details: We explain exactly what happened and which PHI was involved
  • Assistance: We help you notify affected clients and regulators
  • Remediation: We fix the problem and prevent it from happening again

Your Responsibilities

A BAA is a two-way agreement. While we handle the technology side, you have responsibilities as the Covered Entity:

  • Obtain proper authorizations from clients before entering their information
  • Only share the minimum necessary PHI to accomplish the intended purpose
  • Let us know if a client revokes authorization or requests restrictions
  • Ensure your team members use TheraFocus appropriately
  • Maintain your own HIPAA compliance program for your practice

Note: TheraFocus provides the secure platform, but you remain responsible for how you use it. If you have questions about your HIPAA obligations, we recommend consulting with a healthcare compliance attorney.

Getting Your BAA is Simple

Three easy steps to full HIPAA protection

1. Start Your Subscription

Sign up for any TheraFocus plan. Your BAA is automatically included.

2. Review and Accept

During onboarding, you will review and accept the BAA as part of setup.

3. Access Anytime

Download your signed BAA from account settings whenever you need it.

Already a customer? Access your BAA from Settings > Legal Documents in your dashboard.

When You Leave (Data Return and Destruction)

If you ever decide to leave TheraFocus, here is exactly what happens:

30-Day Export Window

Export all your data in standard formats

Secure Destruction

PHI destroyed according to HIPAA standards

Written Certification

Documentation confirming destruction

Surviving Obligations

Our confidentiality obligations continue

You are never locked in, and your clients' data is never held hostage. We make leaving as straightforward as signing up.

The Bottom Line

Your clients trust you with their stories. You can trust us to protect them. Our BAA is not just a legal requirement - it is a reflection of how seriously we take that responsibility. Every safeguard, every audit log, every encryption standard exists because we believe your clients deserve the same level of protection they would get at a major healthcare system.

Ready to Get Started?

Your BAA is waiting. Sign up for TheraFocus and get the compliance protection your practice needs from day one.

TheraFocus Legal & Compliance

General Inquiries: legal@therafocus.com

HIPAA Questions: hipaa@therafocus.com