
Is SimplePractice HIPAA compliant?

Yes, we are!

Security of your account and electronic Patient Health Information (ePHI) is fundamental to us, and we have gone above and beyond the standard security and privacy requirements to protect your data:

  • SimplePractice always transmits account information securely with multiple layers of encryption.
  • Your passwords are encrypted and not accessible to anyone but you.
  • Our servers are housed in a secure facility protected by proximity readers, biometric scanners, and security guards 24 hours a day, 7 days a week, 365 days a year.
  • We hack our own site. SimplePractice runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting.
  • Bank-level security.
  • SimplePractice has received the VeriSign security seal.
  • SimplePractice is HITRUST certified. The HITRUST framework is the gold standard of security certifications in the healthcare industry, and it incorporates the entirety of controls required by HIPAA, PCI, NIST CSF, ISO 27001 and ISO 27002.

Security technology and practices

Your sensitive data is hosted in a Tier 1 secure hosting provider specializing in helping healthcare organizations achieve and maintain HIPAA and HITRUST security requirements:

  • Web pages and APIs are secured with 128-bit Secure Sockets Layer (SSL) encryption.
  • Our cloud infrastructure uses multi-factor authentication.
  • We use advanced key management and transparent data encryption.
  • Application level monitoring and intrusion protection.
  • HIPAA compliant encryption.
  • HIPAA compliant hosting architecture on enterprise level hardware.
  • HIPAA compliant system architecture with separate web and database environment.
  • Application and Database server isolation.
  • Firewall management.
  • Log retention with detailed audit trail.
  • Managed and secure backup and disaster recovery.
  • Managed patching, version control, and security updates.
  • Credit card transactions processed using secure encryption on a PCI compliant network.

Keep your account and data secure

Below are helpful precautions you should take to increase the security of your account:
  • Keep your computer and browsers current with the latest software and security updates.
  • Install and update anti-virus software.
  • Use personal firewalls to protect your computer and network.
  • Password protect your home and office computer network.
  • Do not enable automatic login to your account.
  • Change your password periodically and avoid using passwords that you use for other accounts.
  • Don’t share your login credentials with anyone.
  • Always make sure you are logged out of your account when you are finished.
  • When using computers that are not your own, make sure you are fully logged out and close the browser.

Data records

We are obligated to keep records of access to PHI for up to 7 years, depending on individual state law. This includes audit/log files. While the U.S. Department of Health and Human Services does not provide specific HIPAA record retention requirements for ePHI, it does provide guidance in Section 164.316(b)(2)(i), which requires that HIPAA-related policies and procedures documents be retained for a recommended six years in the absence of more specific guidance.

If you choose to stop using SimplePractice, your account and all data associated with it are deleted. Before leaving SimplePractice, we recommend initiating a data export so that you still have access to your records after cancelling your account. Once your account is cancelled, all data associated with it is deleted, and we cannot recover it.

Additionally, while using SimplePractice you have the ability to delete an individual client’s information at any time by deleting the client's profile.
