Effective May 5, 2026
HIPAA Practices Summary
Heepsters Practice is designed for U.S. mental-health clinics. We act as a Business Associate to our customers (Covered Entities) and handle Protected Health Information (PHI) under a signed Business Associate Agreement (BAA).
Administrative safeguards
- Designated Security Officer and Privacy Officer.
- Annual HIPAA and security training for the whole workforce, with completion tracked.
- Background checks on all employees with PHI access.
- Documented incident response, BCP, and DR plans, tested annually.
Physical safeguards
- All PHI is processed in audited cloud datacenters (AWS, U.S. regions).
- No on-prem servers. No employee laptops store PHI.
- Production access requires hardware-key MFA on company-managed devices.
Technical safeguards
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Append-only audit log of every read and write to a chart.
- Role-based access control. SSO (SAML/OIDC) on the Group plan.
- Separate encryption keys per customer where available, rotated quarterly.
- Automated vulnerability scanning + quarterly third-party pen test.
Breach notification
We notify affected customers within 24 hours of confirming a PHI security incident, including a preliminary impact assessment and the incident-response actions in progress. Final notification is delivered without unreasonable delay and no later than 60 calendar days after discovery of the breach, as the HIPAA Breach Notification Rule requires of a Business Associate, and includes the full root cause and remediation.
Patient rights
Patients exercise their HIPAA rights (access, amendment, accounting of disclosures, restrictions) through your practice as their Covered Entity. We provide tooling so your team can fulfill these requests inside the chart.
Want the BAA?
Read our standard BAA at /legal/baa. Customers on Group plans can request a redlined version through their onboarding manager.
Contact
Security and HIPAA inquiries: security@heepsterspractice.com
Heepsters Creative LLC · Provo, Utah