Security & Compliance at TheraPrac

TheraPrac is EHR software for therapists, designed with security, privacy, and compliance as foundational principles. The platform is built for independent clinicians and small therapy practices that need clear, reliable safeguards around sensitive data.

This page provides an overview of TheraPrac's approach to security and compliance. For how sensitive data is organized in the product, see secure client records.

HIPAA Compliance & Business Associate Agreements

TheraPrac is built for healthcare use cases and supports compliance with the Health Insurance Portability and Accountability Act (HIPAA).

TheraPrac operates as a business associate to healthcare customers that qualify as covered entities under HIPAA. We implement administrative, physical, and technical safeguards designed to protect protected health information (PHI) throughout its lifecycle.

As part of our standard onboarding process, TheraPrac executes a Business Associate Agreement (BAA) with covered entity customers.

Our HIPAA-aligned practices include:

  • Administrative, physical, and technical safeguards
  • Role-based access controls and least-privilege enforcement
  • Encryption of data in transit and at rest
  • Audit logging and security monitoring
  • Incident response and breach notification procedures
  • Vendor and subprocessor risk management

Security Architecture & Data Protection

TheraPrac protects sensitive healthcare data using a layered security approach designed to support confidentiality, integrity, and availability.

Core security practices include:

  • Encryption in transit and at rest
  • Logical tenant data isolation
  • Multi-factor authentication (MFA) available, with required enrollment for administrative users
  • Role-based access control (RBAC)
  • Audit logging and monitoring
  • Secure backup and recovery processes

Security controls are reviewed periodically and evolve as the platform and threat landscape change.

Security Standards and Roadmap

TheraPrac is built to support HIPAA-covered workflows, and our Business Associate Agreement governs the handling of Protected Health Information. Our security and engineering practices are informed by widely recognized industry guidance, including the HIPAA Security Rule, NIST SP 800-53 control families relevant to small healthcare-technology providers, and the SOC 2 Trust Services Criteria.

TheraPrac is not currently SOC 2 attested and is not ISO/IEC 27001 certified. We plan to pursue formal third-party attestation as our customer base and resources grow. Customers requiring specific security assurance documentation should contact compliance@theraprac.com.

Shared Responsibility

Security and compliance are a shared responsibility between TheraPrac and each practice.

  • TheraPrac provides technical safeguards, access controls, audit logging, monitoring, and secure application infrastructure.
  • Providers are responsible for internal policies, appropriate user access management, and day-to-day usage that aligns with their clinical and regulatory obligations.
  • Cloud service providers are responsible for physical data center security and underlying infrastructure protections.

Subprocessors

TheraPrac uses the following third-party subprocessors to deliver the Services. Where a subprocessor processes Protected Health Information on TheraPrac's behalf, TheraPrac maintains a Business Associate Agreement with that subprocessor as required by HIPAA.

  • Amazon Web Services (AWS), United States (us-west-2 region). Cloud infrastructure, database hosting, encrypted storage, automated backups, identity and key management. BAA in place.
  • Stripe, United States. Payment processing for TheraPrac Pay. Stripe does not receive Protected Health Information.
  • Google (Google Tag Manager and Google Analytics), United States. Marketing-website analytics only. Does not receive Protected Health Information.
  • Adobe Fonts (Typekit), United States. Marketing-website font delivery only. Does not receive Protected Health Information.

This list reflects subprocessors in use as of the date of this page. TheraPrac may update its subprocessors from time to time and will reflect current subprocessors here. For the most current subprocessor list or to receive notice of subprocessor changes, contact compliance@theraprac.com.

Additional Compliance Documentation

Detailed security and compliance documentation, including our Security, Privacy & Compliance White Paper, is available upon request.

For security inquiries, compliance questions, or documentation requests, please contact:

compliance@theraprac.com