
Being HIPAA compliant with SimplePractice


Protecting your account and electronic Patient Health Information (ePHI) is fundamental to us at SimplePractice. When you use SimplePractice, your account information is stored securely on our platform.

In this guide, we’ll cover:

  • Trusting SimplePractice with your data
  • Reviewing our security technology and practices
  • Protecting your account and data
  • Keeping your data records

Trusting SimplePractice with your data

SimplePractice is a fully HIPAA compliant platform. Here are some ways that SimplePractice protects your account information:

  • SimplePractice always transmits account information securely with multiple layers of encryption.
  • Your passwords are encrypted and not accessible to anyone but you.
  • Our servers are housed in a secure facility protected by proximity readers, biometric scanners, and security guards 24 hours a day, 7 days a week, 365 days a year.
  • We hack our own site. SimplePractice runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting.
  • Bank-level security.
  • SimplePractice has received the VeriSign security seal.
  • SimplePractice is HITRUST certified. The HITRUST framework is the gold standard of security certifications in the healthcare industry, and it incorporates the entirety of controls required by HIPAA, PCI, NIST CSF, ISO 27001 and ISO 27002.

Reviewing our security technology and practices

With SimplePractice, your sensitive data is hosted in a Tier 1 secure hosting provider specializing in helping healthcare organizations achieve and maintain HIPAA and HITRUST security requirements.

Here are some of the security practices we follow at SimplePractice:

  • Web pages and APIs are secured with 128-bit Secure Sockets Layer encryption.
  • Our cloud infrastructure uses multi-factor authentication.
  • We use advanced key management and transparent data encryption.
  • Application-level monitoring and intrusion protection.
  • HIPAA compliant encryption.
  • HIPAA compliant hosting architecture on enterprise-level hardware.
  • HIPAA compliant system architecture with separate web and database environments.
  • Application and database server isolation.
  • Firewall management.
  • Log retention with a detailed audit trail.
  • Managed and secure backup and disaster recovery.
  • Managed patching, version control, and security updates.
  • Credit card transactions processed using secure encryption on a PCI compliant network.

Protecting your account and data

There are also steps that you can take to protect your account information, including:

  • To prevent unauthorized access to your account, don’t share your login credentials with anyone.
  • To help keep your account secure, change your password periodically and avoid reusing passwords from your other accounts.
  • Keep your sensitive information secure by keeping your computer and browsers up to date with the latest software and security updates.
  • Install and update anti-virus software so that your device is secure and protected.
  • Password-protect your home and office computer networks to prevent unauthorized access to them.
  • Use personal firewalls to protect your devices and networks.
  • To prevent unauthorized access to your account, don’t enable automatic login to your SimplePractice account.
  • Enable 2-step verification as an additional security measure to protect you and your clients’ information.
  • To protect your account data, always log out of your account when you finish using it, especially when the computer you’re using isn’t your own.

Keeping your data records

If you choose to cancel your account, you’ll no longer be in contract with SimplePractice. As noted in our Terms of Service, we retain the data associated with your account for up to 64 days after termination. After the 65th day, all PHI is fully de-identified in alignment with the Safe Harbor method, and then completely anonymized such that it can’t be re-identified or recovered by our team.

We strongly recommend initiating a data export prior to canceling, so that you’ll have access to your records after your account is canceled. As a covered entity, you’re responsible for complying with various federal, state, and local laws, including but not limited to HIPAA. Data retention regulations require that you preserve the availability, accuracy, integrity, and confidentiality of protected health information. You accept full responsibility for the retention and security of exported client data.
