Security & Compliance
HIPAA-ready documentation infrastructure for therapy organizations.
TherapyAgent is designed to support ABA, I/DD, and therapy organizations that need structured documentation, auditability, secure file storage, and responsible clinician-reviewed AI assistance.
Important: HIPAA compliance is a shared operational responsibility. TherapyAgent provides technical and contractual controls intended to support covered entities and business associates, but each customer remains responsible for its own HIPAA policies, workforce training, access decisions, risk analysis, and permitted uses of PHI.
Security controls currently implemented
Encryption in transit
Production deployments should be served only over HTTPS/TLS. Browser-to-application and application-to-cloud traffic should remain encrypted in transit.
Encrypted file storage
Attachments are stored in AWS S3 with server-side encryption using AWS KMS when S3_KMS_KEY_ID is configured.
HIPAA-ready AWS storage pattern
The storage design uses HIPAA-eligible AWS services when deployed under an appropriate AWS Business Associate Addendum, with S3 bucket policies, KMS encryption, private objects, and least-privilege IAM role access.
EC2 IAM role credentials
The S3 integration supports EC2 instance role credentials, avoiding long-lived AWS secret keys in application configuration.
Organization isolation
Users, patients, records, review history, and files are scoped by organization. Attachments are stored under organization-specific S3 prefixes.
Role-based access
Users are assigned roles such as org admin, BCBA, supervisor, therapist, RBT, billing auditor, and read-only.
MFA support
MFA is available and recommended. The deployment can later enforce MFA using environment configuration.
Audit logging
Key actions such as record creation, updates, review actions, user administration, file upload, and S3 setup are written to audit history.
Authenticated downloads
Attachment downloads require a valid TherapyAgent session token and are streamed through the application after organization-level authorization.
Clinician-reviewed AI
AI assistance drafts documentation for review. TherapyAgent should not be used as an autonomous diagnosis, treatment, or medical necessity determination system.
HIPAA, BAA, and customer responsibilities
When TherapyAgent handles protected health information for a covered entity, the parties should execute a Business Associate Agreement before production PHI is entered. A draft template is available here: Business Associate Agreement Template.
- Customers are responsible for determining whether they are covered entities or business associates.
- Customers are responsible for appropriate user provisioning, minimum necessary access, workforce training, patient consent workflows, and local policies.
- TherapyAgent administrators should add only authorized workforce members or contractors and attest to the Terms for each invited user.
- Production deployments should include backups, monitoring, incident response procedures, and periodic access reviews.
Procurement-ready documentation
Available or planned materials include Terms and Conditions, BAA template, security overview, encryption architecture, incident response outline, and audit/access-control evidence.