HIPAA Considerations

Version 1.3 | Last Updated: January 2025

Guide for US-based therapists, counselors, and healthcare providers who need to protect patient health information (PHI) when using ClientFlow.

Important Disclaimer (2026-04 update): ClientFlow is not HIPAA-certified and does not currently sign Business Associate Agreements. The earlier version of this document described a HIPAA-ready posture that has not been formally audited or contractually committed. If you are a US-based HIPAA-covered entity, you should not store Protected Health Information in ClientFlow without your own legal/compliance review, and you should consider tools that offer signed BAAs (for example, SimplePractice or TherapyNotes). This document is being retained as a planning artifact and does not represent a commercial commitment.

Executive Summary

Question	Answer
Is ClientFlow HIPAA-compliant?	No — not certified. Encrypted storage and access controls only.
Does ClientFlow sign BAAs?	No — not at this time.
Can I store PHI in ClientFlow?	If you are a HIPAA-covered entity, not without your own legal review and risk acceptance.
What ClientFlow does provide today	TLS-in-transit encryption, encryption-at-rest for sensitive fields, role-based access, EU data residency (GDPR-aligned).

Who Needs to Comply?

Covered Entities (Must Comply)

Psychologists, psychiatrists, therapists, counselors
Licensed Clinical Social Workers (LCSW)
Marriage and Family Therapists (MFT)
Physicians, nurse practitioners
Physical therapists, occupational therapists

Generally NOT Covered

Life coaches (unless providing mental health treatment)
Personal trainers (unless providing physical therapy)
Unlicensed counselors (peer support, religious counseling)

HIPAA Safeguards

Technical Safeguards (ClientFlow Provides)

Access Controls: Unique user IDs, automatic logoff (15 min)
Audit Controls: Complete activity logging (2-year retention)
Integrity Controls: SHA-256 checksums, immutable audit logs
Transmission Security: TLS 1.3 encryption

Administrative Safeguards (YOU Implement)

Designate a Security Officer
Conduct risk assessments
Train workforce on HIPAA
Implement sanctions policy
Develop incident response plan

Physical Safeguards (YOU Implement)

Position monitors away from public view
Enable screen lock (5 min timeout)
Encrypt laptops (BitLocker/FileVault)
Enable remote wipe on mobile devices

Business Associate Agreement (BAA)

Eligibility: PRO or Team tier (BAA NOT available for Free/Starter)

How to Get a BAA

Email sales@clientflow.center with subject "BAA Request"
Provide: Name, practice name, NPI number, professional license
Receive BAA within 2 business days (DocuSign)
Sign electronically
Keep countersigned copy for your records

Important: BAA must be signed BEFORE storing any PHI in ClientFlow.

What You Can Store

Session summaries and treatment notes
Clinical observations
Treatment plans
Client demographics (name, email, phone)
Appointment history
Payment records

What You Should NOT Store

CPT codes or ICD-10 codes (use EHR instead)
Insurance billing information
HIV status (stricter requirements)
Substance abuse records (42 CFR Part 2)

Breach Notification

If a breach occurs affecting PHI:

ClientFlow notifies you: Within 24 hours
You notify patients: Within 60 days
You notify HHS: Within 60 days (via ocrportal.hhs.gov)
Media notification: Required if breach affects 500+ people

Contact

BAA Requests: sales@clientflow.center

Security Questions: security@clientflow.center

Read time: ~15 minutes | Audience: Healthcare Providers, Therapists

HIPAA Considerations - Healthcare & Therapy