CBT Assistant Pro is a HIPAA, PHIPA and GDPR compliant case formulation platform that lets therapists build hypotheses, write progress notes, and track outcomes without ever exposing client data to insecure systems. This guide explains exactly how the security model works — encryption in transit and at rest, anonymized storage, automatic audio file deletion, and the controls you have to manage, export, or permanently delete every record. If you have ever felt nervous about pasting session notes into ChatGPT or storing PHI in a generic notes app, this is the platform that solves that problem.
What makes a case formulation platform HIPAA compliant?
HIPAA compliance for a therapy documentation platform is not a single checkbox — it is a combination of administrative, physical, and technical safeguards defined in the HIPAA Security Rule. A genuinely compliant case formulation platform must:
- Encrypt all Protected Health Information (PHI) in transit (TLS 1.3) and at rest (AES-256-GCM)
- Sign a Business Associate Agreement (BAA) with every customer who needs one
- Implement role-based access control so only the treating clinician can view their client records
- Maintain audit logs of every access and modification to PHI
- Provide breach notification within 60 days of any confirmed incident
- Ensure that no PHI is ever used to train AI models — a contractual guarantee enforced through enterprise API agreements with model providers
CBT Assistant Pro meets every one of these requirements by design. The platform was built from day one for clinical use; it is not a generic tool retrofitted with a privacy policy.
HIPAA, PHIPA and PIPEDA: protection across the U.S. and Canada
Different jurisdictions have different health privacy laws, and CBT Assistant Pro is built to satisfy the strictest of them simultaneously:
HIPAA (United States): The Health Insurance Portability and Accountability Act governs PHI handling by covered entities and business associates. CBT Assistant Pro operates under a Business Associate Agreement model and meets all Security Rule technical safeguards.
PHIPA (Ontario, Canada): The Personal Health Information Protection Act regulates custodians of personal health information in Ontario. The platform supports lawful authority requirements, consent management, and the right of access to one's own record.
PIPEDA (Canada federal): The Personal Information Protection and Electronic Documents Act applies to private sector handling of personal information across Canada. CBT Assistant Pro's consent flows, transparency notices, and breach response procedures meet PIPEDA standards.
For most clinicians, this means: if you practice anywhere in the U.S. or Canada, you can use the platform without worrying about jurisdictional gaps.
GDPR compliant: European-grade privacy by default
The General Data Protection Regulation (GDPR) is the world's strictest privacy law. CBT Assistant Pro is GDPR compliant for European Economic Area clinicians and clients:
- Lawful basis for processing: Explicit consent for client records; legitimate interest for therapist accounts; contract necessity for service delivery.
- Right of access: Clients can request a full export of their data at any time.
- Right to erasure (right to be forgotten): Permanent deletion within 30 days of request, with verification logged.
- Data Protection Impact Assessment (DPIA): Available on request for institutional clients.
- Data Processing Agreement (DPA): Provided to all customers handling EU client data.
- Sub-processor transparency: Full list of sub-processors (hosting, AI inference, email delivery) published and updated within 30 days of any change.
If you treat any client residing in the EU, EEA, or UK, GDPR applies to you — regardless of where you are physically located. The platform handles this automatically.
End-to-end encryption: what it means in practice
Every byte of data moving in or out of CBT Assistant Pro is encrypted with TLS 1.3 — the latest and most secure transport protocol available. Every byte stored at rest is encrypted with AES-256-GCM, the same algorithm used to protect classified government data.
What does this mean in practice?
- An attacker intercepting your network traffic sees only encrypted bytes — no session notes, no client names, no assessment scores.
- A breach of the underlying storage layer yields encrypted ciphertext that cannot be decrypted without the platform's key management infrastructure.
- Even our own database administrators cannot read PHI by inspecting tables directly — access requires the application layer and is logged.
This is genuinely end-to-end protection: the data is encrypted before it leaves your browser, stays encrypted until it reaches the secure application, and is encrypted again before being written to disk.
Anonymized data storage: pseudonyms and unique identifiers
CBT Assistant Pro encourages clinicians to use pseudonyms and unique client identifiers rather than real names whenever possible. The platform supports this with:
- Client codes (e.g. "C-0421") as the primary display identifier
- A separate, encrypted "real identity" field that is only revealed to the assigned clinician
- Automatic redaction of obvious identifiers (full names, phone numbers, addresses) in AI-generated drafts before review
- Reporting and analytics that operate exclusively on aggregated, de-identified data
If the database were ever compromised, the link between pseudonym and real-world identity would remain protected behind a second encryption layer.
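The layout described above, as an added illustration written for this guide rather than code taken from CBT Assistant Pro (whose implementation the page does not show): a record whose only plaintext identifier is the client code, with the real identity stored as AES-256-GCM ciphertext that only the application layer can open. The IdentityVault and ClientRecord names and the key source are assumptions, and it goes one step beyond the text by binding the client code into the ciphertext as additional authenticated data, so a ciphertext copied onto another client's row cannot be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ClientRecord: the client code is the only plaintext identifier; the real identity
// exists only as AES-256-GCM ciphertext laid out as nonce || ciphertext || GCM tag.
type ClientRecord struct {
	ClientCode        string // e.g. "C-0421": safe to display, log and report on
	EncryptedIdentity []byte
}

// IdentityVault holds the application-layer AEAD; the database layer never has the key.
type IdentityVault struct{ aead cipher.AEAD }

// NewIdentityVault takes a 32-byte key (AES-256); where it lives (e.g. a KMS) is assumed.
func NewIdentityVault(key []byte) (*IdentityVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail once the key is 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 128-bit block
	return &IdentityVault{aead: aead}, nil
}

// Seal encrypts the real name with the client code as additional authenticated
// data, so a ciphertext moved onto another client's row will not open.
func (v *IdentityVault) Seal(code, realName string) (ClientRecord, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return ClientRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(realName), []byte(code))
	return ClientRecord{ClientCode: code, EncryptedIdentity: ct}, nil
}

// Open is what only the application layer does for the assigned clinician; it fails
// on a wrong key, tampered bytes, or a ciphertext swapped between records.
func (v *IdentityVault) Open(rec ClientRecord) (string, error) {
	ns := v.aead.NonceSize()
	if len(rec.EncryptedIdentity) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, rec.EncryptedIdentity[:ns], rec.EncryptedIdentity[ns:], []byte(rec.ClientCode))
	return string(pt), err
}
```

Anyone reading the table directly sees only the client code and opaque bytes; reports and analytics can run on ClientCode alone.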
Audio file deletion: zero-retention voice transcription
CBT Assistant Pro offers voice transcription for session notes — a feature that lets clinicians dictate notes rather than type them. The privacy model here is critical:
Audio is transcribed, then permanently deleted. Once the session note text is generated and saved to the client record, the original audio file is securely overwritten and removed from all storage layers — including temporary processing buffers, cache, and any third-party transcription service.
This is fundamentally different from platforms that retain audio for "quality improvement" or "model training." Our contract with transcription providers explicitly prohibits retention beyond the minimum processing window. We do not store, archive, or analyze your clinical audio.
The transcribed text becomes part of the secure client record, encrypted and access-controlled like every other field.
Full control over your data: export, edit, delete
You own your data. CBT Assistant Pro provides:
Full export at any time: Download every client record, formulation, assessment score, and progress note as JSON or PDF. No subscription required to export — even on cancelled accounts.
Granular edit and delete: Modify or permanently delete any individual record. Deletions are real deletions — not soft flags. Once confirmed, the data is gone from production systems within 24 hours and from backups within 30 days.
Account-level erasure: Close your account and request full erasure. Within 30 days, every byte associated with your account is permanently removed.
Audit trail: See every access and modification to your data, including by your own staff if you operate a clinic account.
This is not optional — these are baseline rights guaranteed by HIPAA, PHIPA, GDPR, and the platform Terms of Service. We make them genuinely usable, not buried in legal language.
How CBT Assistant Pro compares to generic AI tools for therapy notes
Many clinicians have experimented with pasting session notes into ChatGPT, Claude, or other consumer AI tools. This is a significant HIPAA risk:
| Feature | ChatGPT (consumer) | CBT Assistant Pro |
|---|---|---|
| HIPAA BAA | No | Yes |
| Data used for training | Yes (unless opted out) | Never |
| Encryption at rest | Limited | AES-256-GCM |
| Audit logging | No | Yes |
| Anonymization tools | Manual | Built-in |
| Audio retention | Varies | Zero (deleted after transcription) |
| Right of erasure | Limited | Full (GDPR and HIPAA compliant) |
| Built for clinical workflow | No | Yes |
The cost of a HIPAA breach can exceed $50,000 per incident — far more than any subscription. Using a purpose-built compliant platform is not just safer, it is the only defensible choice for licensed clinicians handling PHI.
Frequently asked questions
Is CBT Assistant Pro HIPAA compliant?
Yes. CBT Assistant Pro is built to meet HIPAA Security Rule requirements including TLS 1.3 in transit, AES-256-GCM at rest, role-based access control, audit logging, and signed Business Associate Agreements. We never use clinical data for AI model training.
Does the platform comply with Canadian PHIPA and PIPEDA?
Yes. The platform meets PHIPA (Ontario) and PIPEDA (federal Canada) requirements for personal health information handling, including consent management, access rights, and breach notification procedures.
Is the platform GDPR compliant for European therapists?
Yes. CBT Assistant Pro provides GDPR-compliant consent flows, Data Processing Agreements on request, sub-processor transparency, and full right of access and erasure for EU/UK data subjects.
What happens to the audio when I dictate session notes?
The audio is transcribed to text and then permanently deleted from all storage layers including third-party transcription services. We do not retain, archive, or train models on your clinical audio.
Can I export and delete my data?
Yes. You can export every record as JSON or PDF at any time, including on cancelled accounts. Individual deletions remove data from production within 24 hours and from backups within 30 days. Full account erasure is completed within 30 days of request.
Is it safer than using ChatGPT or Claude for therapy notes?
Substantially. Consumer AI tools do not sign BAAs, may use data for training, lack audit logs, and have no clinical-grade access controls. Using them for PHI is a HIPAA violation that can result in fines exceeding $50,000 per incident.
Ready to speed up your CBT documentation?
CBT Assistant Pro helps therapists build formulations 3× faster with AI-assisted documentation. HIPAA compliant. Free trial, no credit card.