HIPAA Considerations - Healthcare & Therapy


HIPAA Considerations

Version 1.3 | Last Updated: January 2025

Guide for US-based therapists, counselors, and healthcare providers who need to protect protected health information (PHI) when using ClientFlow.

Important Disclaimer: ClientFlow is HIPAA-ready (infrastructure meets requirements), but compliance is a shared responsibility. You must sign a Business Associate Agreement (BAA) and implement your own administrative and physical safeguards.

Executive Summary

Question                          | Answer
----------------------------------|-----------------------------------------------
Is ClientFlow HIPAA-compliant?    | HIPAA-ready architecture (requires BAA)
Do I need a BAA?                  | YES - if you're a HIPAA-covered entity
Does ClientFlow sign BAAs?        | YES - PRO/Team tier customers only
What PHI can I store?             | Client notes, session summaries, treatment plans
Can I use Free/Starter tier?      | NO - BAA requires PRO/Team tier

Who Needs to Comply?

Covered Entities (Must Comply)

  • Psychologists, psychiatrists, therapists, counselors
  • Licensed Clinical Social Workers (LCSW)
  • Marriage and Family Therapists (MFT)
  • Physicians, nurse practitioners
  • Physical therapists, occupational therapists

Generally NOT Covered

  • Life coaches (unless providing mental health treatment)
  • Personal trainers (unless providing physical therapy)
  • Unlicensed counselors (peer support, religious counseling)

HIPAA Safeguards

Technical Safeguards (ClientFlow Provides)

  • Access Controls: Unique user IDs, automatic logoff (15 min)
  • Audit Controls: Complete activity logging (2-year retention)
  • Integrity Controls: SHA-256 checksums, immutable audit logs
  • Transmission Security: TLS 1.3 encryption

Administrative Safeguards (YOU Implement)

  • Designate a Security Officer
  • Conduct risk assessments
  • Train workforce on HIPAA
  • Implement sanctions policy
  • Develop incident response plan

Physical Safeguards (YOU Implement)

  • Position monitors away from public view
  • Enable screen lock (5 min timeout)
  • Encrypt laptops (BitLocker/FileVault)
  • Enable remote wipe on mobile devices

Business Associate Agreement (BAA)

Eligibility: PRO or Team tier (BAA NOT available for Free/Starter)

How to Get a BAA

  1. Email sales@clientflow.center with subject "BAA Request"
  2. Provide: Name, practice name, NPI number, professional license
  3. Receive BAA within 2 business days (DocuSign)
  4. Sign electronically
  5. Keep countersigned copy for your records

Important: BAA must be signed BEFORE storing any PHI in ClientFlow.

What You Can Store

  • Session summaries and treatment notes
  • Clinical observations
  • Treatment plans
  • Client demographics (name, email, phone)
  • Appointment history
  • Payment records

What You Should NOT Store

  • CPT codes or ICD-10 codes (use EHR instead)
  • Insurance billing information
  • HIV status (stricter requirements)
  • Substance abuse records (42 CFR Part 2)

Breach Notification

If a breach occurs affecting PHI:

  1. ClientFlow notifies you: Within 24 hours
  2. You notify patients: Within 60 days
  3. You notify HHS: Within 60 days (via ocrportal.hhs.gov)
  4. Media notification: Required if breach affects 500+ people

Contact

BAA Requests: sales@clientflow.center

Security Questions: security@clientflow.center
