
HIPAA-Compliant Therapy Software: How to Choose the Right Tool (2026)

9 min read · Updated April 25, 2026

HIPAA-compliant therapy software must meet specific technical and administrative requirements to legally handle protected health information (PHI). In 2026, with AI tools entering clinical workflows and telehealth becoming standard, choosing the right software is more complex — and more important — than ever. This guide explains the actual HIPAA requirements (not the marketing versions), provides a 12-point evaluation checklist, and reviews how leading therapy platforms compare on security.

What does HIPAA compliance actually require for therapy software?

HIPAA's Security Rule specifies three categories of safeguards that any software handling PHI must implement:

**Technical safeguards:**

- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Unique user IDs and authentication
- Automatic session timeouts
- Audit logs of all access to PHI
- Emergency access procedures

**Administrative safeguards:**

- Business Associate Agreement (BAA) signed by the vendor
- Workforce training on data handling
- Incident response and breach notification procedures
- Regular risk assessments

**Physical safeguards:**

- Data center security (SOC 2 Type II certification is the standard)
- Workstation security policies
- Device and media controls

The most common mistake therapists make: assuming a vendor is HIPAA compliant because they say so on their website. **If they won't sign a BAA, they are not HIPAA compliant for your purposes** — regardless of their encryption or security claims.
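To make three of the technical safeguards above concrete (unique user IDs, automatic session timeouts, and an audit log of every PHI access), here is an added example in Python. It is not code from the article or from any product it mentions; the 15-minute idle timeout, the clinician names, the record IDs and the note text are all constructed for illustration, and the "treating clinician only" rule stands in for whatever role-based policy a real system would enforce. The audit log chains each entry to the SHA-256 of the previous one so that a deleted or edited entry is detectable, which is the property an auditor wants from "logs of all access to PHI".

```python
from __future__ import annotations

import hashlib
import json
import secrets
from dataclasses import dataclass, field

# Assumed policy value for illustration: HIPAA requires automatic logoff
# but does not prescribe a specific interval.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str          # the unique user ID behind this session token
    last_activity: float  # epoch seconds of the last authenticated action


@dataclass
class AuditLog:
    """Append-only audit trail. Each entry stores the SHA-256 of the previous
    entry, so removing or editing an entry is detectable with verify()."""

    entries: list[dict] = field(default_factory=list)

    def record(self, now: float, user_id: str, action: str,
               record_id: str, outcome: str) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": now, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False means an entry was altered or removed."""
        prev_hash = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev_hash or entry["hash"] != expected:
                return False
            prev_hash = entry["hash"]
        return True


class PhiStore:
    """Holds clinical notes and routes every read through a session check."""

    def __init__(self, timeout: float = IDLE_TIMEOUT_SECONDS):
        self.timeout = timeout
        self.sessions: dict[str, Session] = {}
        self.audit = AuditLog()
        # Constructed sample data: record id -> (treating clinician, note text).
        self.records = {
            "client-001": ("dr.lee", "Session 4: reviewed thought record, homework assigned"),
            "client-002": ("dr.kim", "Intake: GAD-7 score 14, treatment plan drafted"),
        }

    def login(self, user_id: str, now: float) -> str:
        token = secrets.token_hex(16)  # unguessable session token
        self.sessions[token] = Session(user_id, now)
        self.audit.record(now, user_id, "login", "-", "ok")
        return token

    def read_note(self, token: str, record_id: str, now: float) -> str:
        session = self.sessions.get(token)
        if session is None:
            self.audit.record(now, "unknown", "read", record_id, "no-session")
            raise PermissionError("not authenticated")
        if now - session.last_activity > self.timeout:
            del self.sessions[token]  # automatic logoff after idle period
            self.audit.record(now, session.user_id, "read", record_id, "session-expired")
            raise PermissionError("session timed out; log in again")
        session.last_activity = now
        owner, note = self.records[record_id]
        if owner != session.user_id:
            self.audit.record(now, session.user_id, "read", record_id, "denied")
            raise PermissionError("not the treating clinician")
        self.audit.record(now, session.user_id, "read", record_id, "allowed")
        return note


def demo() -> list[str]:
    """Walk through an allowed, a denied and a timed-out read; return outcomes."""
    store = PhiStore(timeout=900)
    lee = store.login("dr.lee", now=1000.0)
    store.read_note(lee, "client-001", now=1100.0)
    kim = store.login("dr.kim", now=1000.0)
    for token, when in ((kim, 1100.0), (lee, 2001.0)):
        try:
            store.read_note(token, "client-001", now=when)
        except PermissionError:
            pass
    assert store.audit.verify()
    return [e["outcome"] for e in store.audit.entries]


if __name__ == "__main__":
    print(demo())  # ['ok', 'allowed', 'ok', 'denied', 'session-expired']
```

Note that denied and expired attempts are logged, not just successful reads: when reviewing a vendor's audit logs (checklist item 6 below), ask whether failed access attempts appear at all, since those are usually the first sign of a misconfigured account or a compromised credential.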

The BAA: the most important document you'll sign

A Business Associate Agreement (BAA) is a legal contract between you (the covered entity) and the software vendor (the business associate). It specifies:

- How the vendor will protect PHI
- What they can and cannot do with your data
- Their obligation to report breaches
- Your right to audit their practices
- Return or destruction of PHI upon contract termination

Without a signed BAA, you are personally liable for any data breach involving that vendor — even if the breach was entirely their fault. HIPAA violations carry penalties of $100-$50,000 per violation, up to $1.5 million per year per violation category.

CBT Assistant Pro signs a BAA with every subscriber. The agreement covers all data processing, including AI-powered features like hypothesis generation and voice transcription.

How to evaluate therapy software: 12-point security checklist

**Before purchasing any therapy software, verify:**

1. **BAA available?** Ask to see it before signing up. Read it.
2. **Encryption at rest?** AES-256 is the standard. Anything less is a red flag.
3. **Encryption in transit?** TLS 1.2 minimum. TLS 1.3 preferred.
4. **SOC 2 certified?** The infrastructure hosting your data should be SOC 2 Type II certified.
5. **Data residency?** Where are the servers physically located? Can you choose?
6. **Audit logs?** Can you see who accessed what data and when?
7. **Access controls?** Role-based permissions, not just one admin password.
8. **2FA/MFA?** Multi-factor authentication should be available (ideally mandatory).
9. **Data export?** Can you export all your data in a standard format?
10. **Breach notification?** What is their SLA for notifying you of a breach?
11. **AI data handling?** If AI features exist, is your data excluded from model training?
12. **Uptime SLA?** What availability do they guarantee?

CBT Assistant Pro scores ✅ on all 12 points: signed BAA, AES-256 encryption, TLS 1.3, AWS US-East-1 with SOC 2, full audit logs, role-based access, data export, zero AI training on client data.

Comparing HIPAA compliance across therapy platforms

Here's how the major platforms compare (as of 2026):

| Feature | CBT Assistant Pro | SimplePractice | TherapyNotes | Jane App |
|---|---|---|---|---|
| BAA | ✅ | ✅ | ✅ | ✅ |
| Encryption at rest | AES-256 | AES-256 | AES-256 | AES-256 |
| AI features | ✅ (formulations, transcription) | Limited | ❌ | ❌ |
| AI data excluded from training | ✅ | N/A | N/A | N/A |
| Audit logs | ✅ Full | ✅ Basic | ✅ Basic | ✅ Basic |
| SOC 2 infrastructure | ✅ (AWS) | ✅ | ✅ | ✅ |
| 2FA | ✅ | ✅ | ✅ | ✅ |
| Data export | ✅ Full | ✅ | ✅ | ✅ |

The key differentiator: CBT Assistant Pro is the only platform combining AI-powered clinical features (formulation, transcription, hypothesis generation) with full HIPAA compliance and a no-training guarantee on client data.

Frequently asked questions

Is Google Docs HIPAA compliant for therapy notes?

Google Workspace (paid Business/Enterprise plans) can be HIPAA compliant if Google signs a BAA with you. Free Gmail/Google Docs accounts are NOT covered. Even with a BAA, you must configure sharing, access, and retention settings correctly.

Can I use Zoom for telehealth under HIPAA?

Yes, but only with a Zoom for Healthcare plan that includes a signed BAA. Standard Zoom accounts (free, Pro, Business) do not include a BAA and should not be used for therapy sessions involving PHI.

What happens if I have a HIPAA breach?

You must notify affected individuals within 60 days, report to the HHS Office for Civil Rights, and if 500+ people are affected, notify the media. Penalties range from $100 to $50,000 per violation. Having signed BAAs with all vendors limits your liability significantly.

Does HIPAA apply to therapists in private practice?

Yes, if you transmit any health information electronically (email, EHR, billing). Essentially all therapists in the US are covered entities under HIPAA. The only exception is therapists who exclusively use paper records and don't bill insurance electronically.

Ready to streamline your CBT practice?

CBT Assistant Pro helps therapists build formulations 3× faster with AI-assisted documentation. HIPAA compliant. Free trial, no credit card.

