Harmony Connect
HIPAA-ready by design

How we protect your patients' information

Harmony Connect is built from the ground up to safeguard Protected Health Information (PHI) with technical controls, strict access policies, and a commitment to transparency.

This page is maintained by Harmony Connect to answer common security and privacy questions.

The information below describes the controls and practices we have in place today. It is not an independent certification, legal advice, or a guarantee of compliance. Every clinic retains its own responsibility for HIPAA compliance, workforce training, and policies.

What is a Business Associate Agreement (BAA)?

Under HIPAA, a covered entity (such as an ABA therapy clinic) must obtain a Business Associate Agreement from any vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA contractually obligates the vendor to:

  • Safeguard PHI with appropriate physical, technical, and administrative controls
  • Report breaches of unsecured PHI without unreasonable delay
  • Ensure any subcontractors with PHI access are also bound by BAAs
  • Return or destroy PHI at the end of the agreement
  • Allow the clinic to audit compliance with the agreement

BAA status

We are actively working to finalize a signed Business Associate Agreement with our hosting provider before any go-live date. No PHI will be stored in production until the BAA is fully executed. We will update this page once the agreement is in place.

Security controls that protect PHI

These controls are enabled in the platform today and apply to every clinic workspace.

Encrypted data at rest

PHI is stored in encrypted databases and private storage buckets. Encryption keys are managed by the hosting platform and never exposed to application code. Because the hosting platform holds the keys, it is technically able to decrypt stored data; that is why the hosting provider itself must be covered by a BAA (see BAA status above).

Row-level security

Every database table that holds PHI is protected by row-level security policies. Users can only read or modify records their role explicitly allows.

Role-based access

There are four distinct roles (admin, BCBA, RBT, and parent), each with narrowly scoped permissions. A parent cannot view another family's records, and an RBT cannot edit a treatment plan without co-sign.
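The following is an added example of how row-level security and the four roles above can be expressed in PostgreSQL. It is not Harmony Connect's own schema or policy set: every table, column and function name, and the session settings app.role, app.user_id and app.clinic_id that the application is assumed to set per transaction, are assumptions. The co-sign rule is modelled one plausible way: anything an RBT writes must be left un-cosigned, so a plan only becomes co-signed through a BCBA acting as themselves.

```sql
-- Added example, not Harmony Connect's own schema: PostgreSQL row-level
-- security for the admin / BCBA / RBT / parent roles. All names are assumed.

CREATE TABLE clients (
  id          bigint PRIMARY KEY,
  clinic_id   bigint NOT NULL,
  guardian_id uuid   NOT NULL          -- the parent account for this child
);

CREATE TABLE care_team (               -- which staff may see which client
  staff_id  uuid   NOT NULL,
  client_id bigint NOT NULL REFERENCES clients(id),
  PRIMARY KEY (staff_id, client_id)
);

CREATE TABLE treatment_plans (
  id          bigint PRIMARY KEY,
  client_id   bigint NOT NULL REFERENCES clients(id),
  body        text   NOT NULL,
  cosigned_by uuid                     -- BCBA who co-signed; NULL while pending
);

-- The application sets the caller's identity per transaction, e.g.
--   SET LOCAL app.role = 'rbt'; SET LOCAL app.user_id = '<uuid>';
-- NULLIF guards against the empty string current_setting returns when unset.
CREATE FUNCTION app_role() RETURNS text LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.role', true), '') $$;
CREATE FUNCTION app_user_id() RETURNS uuid LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.user_id', true), '')::uuid $$;
CREATE FUNCTION app_clinic_id() RETURNS bigint LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.clinic_id', true), '')::bigint $$;

-- Reusable predicate: is the calling staff member on this client's care team?
CREATE FUNCTION on_care_team(p_client bigint) RETURNS boolean LANGUAGE sql STABLE AS
  $$ SELECT EXISTS (SELECT 1 FROM care_team
                    WHERE client_id = p_client AND staff_id = app_user_id()) $$;

-- Enable RLS; FORCE makes it apply to the table owner as well. With RLS on and
-- no matching policy, a query simply returns no rows: the default is deny.
ALTER TABLE clients         ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients         FORCE  ROW LEVEL SECURITY;
ALTER TABLE treatment_plans ENABLE ROW LEVEL SECURITY;
ALTER TABLE treatment_plans FORCE  ROW LEVEL SECURITY;

-- clients: a parent sees only their own child, staff see their care team,
-- an admin sees (and manages) every client in their own clinic.
CREATE POLICY parent_own_child ON clients FOR SELECT
  USING (app_role() = 'parent' AND guardian_id = app_user_id());
CREATE POLICY staff_care_team ON clients FOR SELECT
  USING (app_role() IN ('bcba', 'rbt') AND on_care_team(id));
CREATE POLICY admin_own_clinic ON clients FOR ALL
  USING (app_role() = 'admin' AND clinic_id = app_clinic_id());

-- treatment_plans: a plan is readable exactly when its client is, because RLS
-- on clients also applies inside this subquery.
CREATE POLICY plan_read ON treatment_plans FOR SELECT
  USING (EXISTS (SELECT 1 FROM clients c WHERE c.id = client_id));

-- A BCBA may create or edit plans for their clients and may co-sign only as
-- themselves. An RBT may edit plans for their clients, but whatever an RBT
-- writes must stay un-cosigned: an RBT can never produce a co-signed plan.
CREATE POLICY bcba_writes ON treatment_plans FOR ALL
  USING (app_role() = 'bcba' AND on_care_team(client_id))
  WITH CHECK (app_role() = 'bcba' AND on_care_team(client_id)
              AND (cosigned_by IS NULL OR cosigned_by = app_user_id()));
CREATE POLICY rbt_edits_pending ON treatment_plans FOR UPDATE
  USING (app_role() = 'rbt' AND on_care_team(client_id))
  WITH CHECK (app_role() = 'rbt' AND on_care_team(client_id)
              AND cosigned_by IS NULL);

-- Exercise with constructed data: seed two clients as a clinic admin, then
-- act as the parent of client 1 and ask for client 2.
BEGIN;
SET LOCAL app.role = 'admin';
SET LOCAL app.clinic_id = '10';
INSERT INTO clients VALUES
  (1, 10, 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa'),
  (2, 10, 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb');
COMMIT;

BEGIN;
SET LOCAL app.role = 'parent';
SET LOCAL app.user_id = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa';
SELECT id FROM clients WHERE id = 2;   -- 0 rows: filtered silently, no error
SELECT id FROM clients;                -- only id = 1
COMMIT;
```

Two caveats a practitioner should check in any RLS deployment: policies are permissive by default, so every CREATE POLICY widens access and a single over-broad policy defeats the rest; and superusers, the table owner without FORCE, and any role with BYPASSRLS are not subject to policies at all, so the application's database role must be none of those.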

Immutable audit logging

All access to PHI is logged with a timestamp, user ID, and action type. Logs are append-only and available to clinic administrators for review.
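As an added example (not Harmony Connect's own implementation), here is one way to make an audit table append-only in PostgreSQL, with privileges and a trigger as two independent layers, plus a trigger that records writes to a PHI table automatically. Table, column, role and function names are assumptions, and the session setting app.user_id is assumed to be set by the application.

```sql
-- Added example, not Harmony Connect's own code: an append-only PHI audit log.
-- All names below are assumed for illustration.

CREATE ROLE app_rw NOLOGIN;           -- the application's database role
CREATE ROLE clinic_admin_ro NOLOGIN;  -- read-only access for admin review

CREATE TABLE session_notes (          -- a stand-in for any table holding PHI
  id        bigint PRIMARY KEY,
  client_id bigint NOT NULL,
  body      text   NOT NULL
);

CREATE TABLE phi_audit_log (
  id          bigserial   PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  user_id     uuid,                    -- NULL if the app failed to set identity
  action      text        NOT NULL CHECK (action IN ('read','insert','update','delete')),
  table_name  text        NOT NULL,
  row_id      bigint
);

-- Layer 1: privileges. The application can only add rows; nobody but the
-- owner holds UPDATE or DELETE, and the owner is blocked by layer 2.
REVOKE ALL ON phi_audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON phi_audit_log TO app_rw;
GRANT USAGE ON SEQUENCE phi_audit_log_id_seq TO app_rw;
GRANT SELECT ON phi_audit_log TO clinic_admin_ro;

-- Layer 2: a trigger that refuses rewrites regardless of who is connected.
CREATE FUNCTION audit_log_is_append_only() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'phi_audit_log is append-only (% refused)', TG_OP;
END $$;
CREATE TRIGGER audit_log_no_rewrite
  BEFORE UPDATE OR DELETE OR TRUNCATE ON phi_audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_is_append_only();

-- Capture every write to a PHI table with timestamp, user ID and action type.
-- SECURITY DEFINER lets the trigger insert even if the caller could not.
CREATE FUNCTION log_phi_change() RETURNS trigger LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  INSERT INTO phi_audit_log (user_id, action, table_name, row_id)
  VALUES (NULLIF(current_setting('app.user_id', true), '')::uuid,
          lower(TG_OP), TG_TABLE_NAME,
          CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END);
  RETURN NULL;                         -- AFTER trigger: return value is ignored
END $$;
CREATE TRIGGER session_notes_audit
  AFTER INSERT OR UPDATE OR DELETE ON session_notes
  FOR EACH ROW EXECUTE FUNCTION log_phi_change();

-- Exercise with constructed data.
BEGIN;
SET LOCAL app.user_id = 'cccccccc-cccc-4ccc-8ccc-cccccccccccc';
INSERT INTO session_notes VALUES (1, 1, 'constructed note');
UPDATE session_notes SET body = 'edited' WHERE id = 1;
COMMIT;
SELECT action, table_name, row_id FROM phi_audit_log ORDER BY id;
-- insert, update: two rows for session_notes 1
DELETE FROM phi_audit_log WHERE id = 1;   -- ERROR: phi_audit_log is append-only
```

Row triggers cannot see SELECTs, so the "read" action in the log must come from the application layer (or a server-side audit extension); a practitioner verifying the "all access is logged" claim should confirm reads are covered, not only writes. A database superuser can still drop the trigger, so the table's protection is only as strong as the restriction on who can hold that privilege, and shipping the log to write-once storage outside the database closes that gap.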

Session security

Sessions expire automatically after a period of inactivity. Multi-factor authentication is supported. Leaked-password checks run against known breach databases at sign-in.

No PHI in URLs or logs

Patient names, diagnosis codes, and other identifiers never appear in URLs, browser history, server logs, or error reporting.

Shared responsibility

Security and compliance are a partnership between the platform and the clinic. We provide the technical foundation; the clinic manages the human and procedural side.

What the platform handles

  • Infrastructure security, patching, and availability
  • Database encryption and private storage buckets
  • Row-level security and authentication infrastructure
  • Audit log capture and retention
  • Session management and leaked-password screening

What the clinic handles

  • Workforce HIPAA training and policy enforcement
  • User provisioning, de-provisioning, and role assignments
  • Device and workstation security in the clinic
  • Physical security of offices and session locations
  • Timely breach notification to patients and regulators

Contact us

Questions or privacy requests?

If you have questions about how we handle PHI, want to request a copy of our BAA once signed, or need to submit a privacy or security concern, reach out directly.

Vulnerability reports

Please email the address above with details. We review every report and respond as quickly as possible.

Data access requests

Clinic administrators can export client records and audit logs from the admin dashboard at any time.

Retention & deletion

Records are retained per clinic policy and applicable state law. Contact us to discuss data deletion workflows.