Security isn't a feature. It's the foundation.
TherapyTracked is a HIPAA Business Associate, and it was designed and built by an information-security architect — the exact discipline the HIPAA Security Rule is made of. The safeguards aren't bolted on; they're the starting point.
We sign a Business Associate Agreement before you store a single record.Where we stand.
HIPAA posture
Business Associate. A BAA is signed with every practice before any PHI is loaded.
Hosting
Amazon Web Services, United States — HIPAA-eligible services under a signed AWS BAA.
Encryption
TLS + HSTS in transit; AWS KMS-managed encryption at rest for the database, documents, and secrets.
Tenant isolation
Role-based access plus database-enforced row-level security between every practice.
Authentication
MFA required for every staff account — authenticator app or passkey — before any PHI.
Audit trail
Append-only log of PHI access, changes, logins, and authentication events.
Four controls we won't compromise on.
- Encrypted in transit and at rest. Your data is protected while it travels and while it is stored, on HIPAA-eligible cloud infrastructure.
- Multi-factor sign-in for everyone. Every login needs a second step — a passkey or authenticator app. No exceptions, no opt-out.
- Your data stays yours alone. Each practice's records are walled off from every other practice's — enforced deep in the database, not just the app.
- A tamper-evident trail. Every time protected data is opened, it is recorded to a log the application cannot edit or erase.
A written program, not a checkbox.
As a Business Associate we maintain administrative, physical, and technical safeguards aligned to the HIPAA Security Rule, documented in writing.
Security Risk Assessment
A NIST 800-30 / HHS-SRA-style risk analysis with a tracked risk register and remediation plan.
Incident response & breach notification
Detection, triage, containment, and a Business-Associate breach-notification procedure to the covered entity.
Designated Security Official
Accountability for the program is fixed in a single named role, in writing.
Subprocessor register
A written inventory of every third party that may handle PHI — each under a BAA or a documented no-PHI determination.
Who else touches the data.
Any subprocessor that can handle PHI does so only under a signed BAA, and we notify practices before adding one. The list is public and versioned.
What we'll send your compliance team.
- Our Business Associate Agreement, before any PHI is loaded
- This security overview and the subprocessor list
- A live walkthrough of our safeguards and compliance program
Security questions or disclosures: security@therapytracked.com
Reviewing us? Let's talk.
We'll walk your compliance team through every safeguard and share our full security documentation. It starts with a signed BAA.