Harmony Connect

Harmony Connect is built from the ground up to safeguard Protected Health Information (PHI) with technical controls, strict access policies, and a commitment to transparency.
This page is maintained by Harmony Connect to answer common security and privacy questions.
The information below describes the controls and practices we have in place today. It is not an independent certification, legal advice, or a guarantee of compliance. Every clinic retains its own responsibility for HIPAA compliance, workforce training, and policies.
Under HIPAA, a covered entity (such as an ABA therapy clinic) must obtain a Business Associate Agreement from any vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA contractually obligates the vendor to:
We are actively working to finalize a signed Business Associate Agreement with our hosting provider before any go-live date. No PHI will be stored in production until the BAA is fully executed. We will update this page once the agreement is in place.
These controls are enabled in the platform today and apply to every clinic workspace.
PHI is stored in encrypted databases and private storage buckets. Encryption keys are managed by the hosting platform and never exposed to application code.
Every database table that holds PHI is protected by row-level security policies. Users can only read or modify records their role explicitly allows.
There are four distinct roles (admin, BCBA, RBT, and parent), each with carefully scoped permissions. A parent cannot view another family's records; an RBT cannot edit a treatment plan without co-sign.
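As an added illustration of how row-level security and the four roles described above can be enforced in the database itself (example code, not Harmony Connect's own schema or policies): the tables, column names, and the `app.user_id` / `app.user_role` session settings are assumptions, and the example further assumes PostgreSQL and that the application sets those settings from the authenticated session, never from client input.

```sql
-- Constructed schema for illustration; not Harmony Connect's real tables.
CREATE TABLE clients (
  id        bigint PRIMARY KEY,
  family_id bigint NOT NULL,
  full_name text   NOT NULL
);
CREATE TABLE family_members (   -- which parent user belongs to which family
  user_id   bigint NOT NULL,
  family_id bigint NOT NULL,
  PRIMARY KEY (user_id, family_id)
);
CREATE TABLE treatment_plans (
  id          bigint PRIMARY KEY,
  client_id   bigint NOT NULL REFERENCES clients(id),
  body        text   NOT NULL,
  cosigned_by bigint            -- BCBA user id once co-signed; NULL until then
);

-- The application sets these per transaction after authenticating the caller,
-- e.g.  SET LOCAL app.user_id = '42'; SET LOCAL app.user_role = 'parent';
CREATE FUNCTION app_user_id() RETURNS bigint LANGUAGE sql STABLE
  AS $$ SELECT current_setting('app.user_id', true)::bigint $$;
CREATE FUNCTION app_user_role() RETURNS text LANGUAGE sql STABLE
  AS $$ SELECT current_setting('app.user_role', true) $$;

-- Once RLS is enabled, a row is visible or writable only if some policy allows it.
ALTER TABLE clients         ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients         FORCE  ROW LEVEL SECURITY;  -- binds the owner too
ALTER TABLE treatment_plans ENABLE ROW LEVEL SECURITY;
ALTER TABLE treatment_plans FORCE  ROW LEVEL SECURITY;

-- Parents see only clients in a family they belong to.
CREATE POLICY parent_own_family ON clients FOR SELECT
  USING (app_user_role() = 'parent' AND family_id IN
         (SELECT family_id FROM family_members WHERE user_id = app_user_id()));
-- Clinical staff and admins read every client in the workspace.
CREATE POLICY staff_read_clients ON clients FOR SELECT
  USING (app_user_role() IN ('admin', 'bcba', 'rbt'));

-- Permissive policies are OR'ed, so every WITH CHECK repeats its role test;
-- otherwise an RBT could satisfy the BCBA policy's check and co-sign itself.
-- An RBT may save plan edits only as an un-co-signed draft.
CREATE POLICY rbt_draft_edits ON treatment_plans FOR UPDATE
  USING (app_user_role() = 'rbt')
  WITH CHECK (app_user_role() = 'rbt' AND cosigned_by IS NULL);
-- Only a BCBA (co-signing in their own name) or an admin may set cosigned_by.
CREATE POLICY bcba_cosign ON treatment_plans FOR UPDATE
  USING (app_user_role() IN ('bcba', 'admin'))
  WITH CHECK (app_user_role() = 'admin' OR (app_user_role() = 'bcba'
              AND (cosigned_by IS NULL OR cosigned_by = app_user_id())));
```

A useful check after deploying policies like these is to run the same `SELECT` under each role's session settings and confirm that a parent's query returns only their own family's rows and an RBT's update of `cosigned_by` is rejected.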
All access to PHI is logged with a timestamp, user ID, and action type. Logs are append-only and available to clinic administrators for review.
Sessions expire automatically after a period of inactivity. Multi-factor authentication is supported. Leaked-password checks run against known breach databases at sign-in.
Patient names, diagnosis codes, and other identifiers never appear in URLs, browser history, server logs, or error reporting.
Security and compliance are a partnership between the platform and the clinic. We provide the technical foundation; the clinic manages the human and procedural side.