Enterprise-Grade HIPAA Compliance
Your clients trust you with their most personal stories. We protect that trust with enterprise-grade security and full HIPAA compliance.
Last updated: December 2025
Security at a Glance
Key compliance metrics that matter for your practice
You Focus on Clients. We Handle Compliance.
HIPAA compliance should not keep you up at night. TheraFocus handles the technical complexity of protecting PHI so you can dedicate your energy to your clients.
If you are like most therapists, you chose this profession to help people, not to become a compliance expert. But as a mental health provider, you are responsible for protecting your clients' Protected Health Information (PHI) under HIPAA law.
Here is the good news: when you use TheraFocus, you are partnering with a platform that takes this responsibility as seriously as you do. We act as your Business Associate, which means we are legally and contractually obligated to protect every piece of client information you entrust to us.
In plain terms: Your clients' names, session notes, treatment plans, billing records, and communications are protected by the same security measures used by major healthcare systems and financial institutions.
Comprehensive HIPAA Safeguards
TheraFocus implements all three categories of HIPAA-required safeguards (technical, administrative, and physical) to protect your client data.
Technical Safeguards
- AES-256 encryption
Military-grade encryption for data at rest
- TLS 1.3 encryption
Latest protocol for data in transit
- Unique user identification
Every user has a unique audit trail
- Automatic logoff
15-minute inactivity timeout
- Audit controls
Comprehensive logging of all PHI access
Administrative Safeguards
- Designated Security Officer
Dedicated HIPAA compliance leadership
- Workforce training
Annual HIPAA certification for all staff
- Access authorization
Role-based access procedures
- Contingency planning
Disaster recovery protocols
- Security assessments
Regular risk analysis and audits
Physical Safeguards
- Secure data centers
Enterprise-grade facilities
- Workstation security
Encrypted devices and secure policies
- Device controls
Media handling and disposal procedures
- Facility access
Biometric and badge-controlled entry
- Environmental protections
Fire, flood, and power redundancy
Protected Health Information We Secure
All PHI in TheraFocus is encrypted, access-controlled, and fully audited.
- Client demographics
Name, address, contact details
- Clinical notes
Session notes and treatment plans
- Appointment records
Scheduling and attendance
- Billing information
Insurance and payment data
Our Breach Notification Commitment
In the unlikely event of a security incident, here is exactly how we respond.
Step 1: Discovery
0 hours: Continuous monitoring detects a potential incident
Step 2: Investigation
0-12 hours: Security team analyzes scope and impact
Step 3: Notification
Within 24 hours: You are notified with full details
Step 4: Remediation
Ongoing: Corrective actions implemented
Our commitment: Notify within 24 hours vs. HIPAA's 60-day requirement. That's 59 days faster than required by law.
Business Associate Agreement Included
Many practice management platforms make you jump through hoops to get a Business Associate Agreement. Not us. Your BAA is automatically included with every TheraFocus subscription, with no extra fees, no lengthy negotiations, and no waiting.
HIPAA Compliance Questions
Common questions about HIPAA and how TheraFocus keeps you compliant
Questions About HIPAA Compliance?
Our designated HIPAA Privacy Officer is available to answer your questions about our compliance practices and security measures.
HIPAA & Privacy: hipaa@therafocus.com
General Legal: legal@therafocus.com