Skip to main content

Being HIPAA compliant with SimplePractice

Being HIPAA compliant with SimplePractice

Protecting your account and electronic Patient Health Information (ePHI) is fundamental to us at SimplePractice. When using SimplePractice, your account information is being stored securely in our platform.

In this guide, we’ll cover:


Trusting SimplePractice with your data

SimplePractice is a fully HIPAA compliant platform. Here are some ways that SimplePractice protects your account information:

  • SimplePractice always transmits account information securely with multiple layers of encryption.
  • Your passwords are encrypted and not accessible to anyone but you.
  • Our servers are housed in a secure facility protected by proximity readers, biometric scanners, and security guards 24 hours a day, 7 days a week, 365 days a year.
  • We hack our own site. SimplePractice runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting.
  • Bank-level security.
  • SimplePractice has received the VeriSign security seal.
  • SimplePractice is HITRUST certified. The HITRUST framework is the gold standard of security certifications in the healthcare industry, and it incorporates the entirety of controls required by HIPAA, PCI, NIST CSF, ISO 27001 and ISO 27002.

Reviewing our security technology and practices

With SimplePractice, your sensitive data is hosted in a Tier 1 secure hosting provider specializing in helping healthcare organizations achieve and maintain HIPAA and HITRUST security requirements.

Here are some of the security practices we follow at SimplePractice:

  • Web pages and APIs are secured with 128-bit Secure Socket Layer encryption.
  • Our cloud infrastructure uses multi-factor authentication.
  • We use advanced key management and transparent data encryption.
  • Application level monitoring and intrusion protection.
  • HIPAA compliant encryption.
  • HIPAA compliant hosting architecture on enterprise level hardware.
  • HIPAA compliant system architecture with separate web and database environment.
  • Application and Database server isolation.
  • Firewall management.
  • Log retention with detailed audit trail.
  • Managed and secure backup and disaster recovery.
  • Managed patching, version control, and security updates.
  • Credit card transactions processed using secure encryption on a PCI compliant network.

Protecting your account and data

There are also steps that you can take to protect your account information, including:

  • To prevent unauthorized access to your account, don’t share your login credentials with anyone
  • To help keep your account secure, change your password periodically and avoid using passwords that you use for other accounts
  • Keep your sensitive information secure by keeping your computer and browsers up-to-date with the latest software and security updates
  • Install and update anti-virus software so that your device is secure and protected
  • Password protect your home and office computer networks to prevent unauthorized access to your networks
  • Use personal firewalls to protect your devices and networks
  • To prevent unauthorized access to your account, don’t enable automatic login to your SimplePractice account
  • Enable 2-step verification for an additional security measure to protect you and your client’s information
  • To protect your account data, always log out of your account when you finish using it - especially when the computer you’re using isn’t your own

Keeping your data records

We are obligated to keep records for access to PHI information for up to 7 years depending on individual state law. This includes audit/log files. While the U.S. Health and Human Services department does not provide specific HIPAA record retention requirements for ePHI, it does, however, provide guidance within Section 164.316(b)(2)(i). This section requires HIPAA-related policies and procedures documents be retained for a recommended six years in the absence of more specific guidance.

Important: If you choose to cancel your account, you will no longer be in contract with SimplePractice. When this occurs, we are obligated to remove all of your account data and PHI from our system. Prior to leaving SimplePractice, we strongly recommend initiating a data export so you still have access to your records after canceling your account. After this data is deleted, it cannot be recovered.

Still have questions?

Get more help