Our Commitment
TheraFlow LLC is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI). We understand that therapists need to use real client names, situations, and session details to generate meaningful, personalized worksheets — and we have built our entire infrastructure to ensure that information is fully protected under HIPAA.
Business Associate Agreement (BAA)
TheraFlow provides a Business Associate Agreement (BAA) to all Covered Entity users as part of the registration process. This Agreement outlines our responsibilities for protecting PHI in compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as the HITECH Act. The BAA is presented and must be accepted electronically before any PHI is processed through our platform. You may request a copy of the executed BAA at any time by contacting us at info@theraflow.ai.
Technical Safeguards
- Encryption: All data is encrypted at rest and in transit using industry-standard encryption protocols.
- Access Controls: Role-based access controls ensure only authorized users can access PHI. Each user authenticates with unique credentials. Email verification is enabled for all accounts.
- Audit Logging: Comprehensive audit logs track all access to and modifications of PHI within the platform.
- Data Separation: Each user's data is logically separated, ensuring you can only access your own client information.
- Automatic Session Timeout: Sessions automatically expire after periods of inactivity to prevent unauthorized access.
Administrative Safeguards
- Documented policies and procedures for PHI handling, access, and disposal
- Incident response plan for identification, containment, and notification in the event of a data breach
- Regular risk assessments and security evaluations of our platform and infrastructure
- Workforce agreements requiring confidentiality and compliance with HIPAA requirements
Infrastructure and Physical Safeguards
TheraFlow is hosted on HIPAA-eligible cloud infrastructure with enterprise-grade physical security controls, including restricted data center access, 24/7 monitoring, and environmental protections. TheraFlow has executed Business Associate Agreements with all infrastructure and service providers that may access PHI in the course of delivering our Services.
AI and PHI
Session notes and client data submitted to TheraFlow are used solely for the purpose of generating personalized therapy worksheets as requested by you. This data is:
- Never used to train, improve, or develop any AI models, machine learning algorithms, or other generalized artificial intelligence systems
- Never shared with third parties for any purpose other than the direct delivery of the Service
- Never sold or monetized in any form
- Retained only as long as necessary to provide the Services and in accordance with our Business Associate Agreement
Breach Notification
In the event of a Breach of Unsecured PHI, TheraFlow will notify affected users without unreasonable delay and in no event later than ten (10) business days after discovery of the Breach, as set forth in our Business Associate Agreement. TheraFlow will also notify the Department of Health and Human Services (HHS) in accordance with the HIPAA Breach Notification Rule requirements.
Your Rights Under HIPAA
As a Covered Entity using TheraFlow, you retain all rights regarding the PHI you submit, including the right to: request access to PHI maintained by TheraFlow on your behalf; request amendment or correction of PHI; request an accounting of disclosures; and request return or destruction of PHI upon termination of your account. TheraFlow will respond to such requests within fifteen (15) business days.
Contact Us
For questions about our HIPAA compliance practices, to report a security concern, or to request a copy of your Business Associate Agreement, please contact us at:
TheraFlow LLC
5926 Erlanger Street, San Diego, CA 92122
Email: info@theraflow.ai