HIPAA Compliant Platform
HIPAA Compliance
Last Updated: April 8, 2026
ChiroApp is built from the ground up with healthcare data security in mind. For practices treating human patients, ChiroApp operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act, and its implementing regulations (the Privacy, Security, and Breach Notification Rules, including the 2013 Omnibus Rule).
1. Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is included with every ChiroApp plan — Starter, Professional, and Enterprise. The BAA is executed electronically at the time of account creation as part of the signup process. No additional paperwork is needed.
Under the BAA, ChiroApp agrees to:
- Use Protected Health Information (PHI) only to perform services on behalf of the Covered Entity (your practice)
- Implement administrative, physical, and technical safeguards to protect PHI
- Report any breach of unsecured PHI to the Covered Entity without unreasonable delay and no later than 30 days after discovery (a stricter commitment than the 60-day maximum set by the Breach Notification Rule)
- Ensure that all subcontractors with access to PHI agree to equivalent protections
- Not use or disclose PHI except as permitted by the BAA or as required by law
- Make PHI available to the Covered Entity as needed to fulfill its obligations to individuals
- Return or destroy all PHI upon termination of the agreement; where return or destruction is not feasible (for example, audit logs retained to meet record-keeping obligations), continue to protect that PHI under the terms of the BAA and limit its use and disclosure to the purposes that make return or destruction infeasible
2. Security Safeguards
ChiroApp implements safeguards across all three categories required by the HIPAA Security Rule (technical, administrative, and physical):
Technical Safeguards
Encryption in Transit
All data is transmitted over TLS 1.2 or higher (HTTPS). API requests, form submissions, and file uploads are encrypted in transit between your device and our servers.
Authentication Controls
Passwords are never stored in plaintext; they are stored as salted cryptographic hashes. Two-factor authentication (TOTP) is available for all account types: practice owners, staff, and patient portal users.
Role-Based Access
Granular role-based access controls ensure that staff members only see data relevant to their role. Practice owners control permissions for each staff member.
Audit Logging
All administrative actions, data access, login attempts, and security events are logged with timestamps, IP addresses, and user identifiers for accountability and compliance.
Automatic Session Management
Sessions expire automatically. Account lockout triggers after repeated failed login attempts. IP-based blocking engages automatically after suspicious activity.
Encrypted Backups
Nightly automated backups are encrypted and stored on Google Drive under the Google BAA listed in Section 4. Backups can be restored in the event of data loss or for disaster recovery.
Administrative Safeguards
- Security Management: Regular risk assessments and security reviews to identify and mitigate threats to PHI
- Workforce Training: All personnel with access to production systems are trained on HIPAA requirements and security best practices
- Access Authorization: Access to production databases and servers is limited to authorized personnel on a need-to-know basis
- Incident Response: Documented procedures for identifying, responding to, and mitigating security incidents
- Breach Notification: Compliance with the HIPAA Breach Notification Rule. ChiroApp notifies the affected Covered Entity so that affected individuals and HHS can be notified within the required timeframes (see Section 6)
Physical Safeguards
- Cloud Infrastructure: ChiroApp is hosted on AWS (Amazon Web Services), which maintains SOC 2 and ISO 27001 attestations for its data centers and provides HIPAA-eligible services under an AWS Business Associate Agreement (HHS does not certify HIPAA compliance, so no provider holds a "HIPAA certification")
- Facility Access: Physical access to AWS data centers is restricted by AWS's own physical security program, including biometric controls, 24/7 monitoring, and access logging
- Device Security: Development and administrative workstations use full-disk encryption and are secured with multi-factor authentication
3. Data Handling
What Data is Protected
Any data you store in ChiroApp that constitutes Protected Health Information (PHI) is protected under our BAA. This includes but is not limited to:
- Patient names, addresses, phone numbers, and email addresses
- Clinical notes (SOAP notes), diagnoses, and treatment plans
- Appointment records and scheduling data
- Billing records, invoices, and insurance claims
- Documents, images, and digital signatures
- Any other individually identifiable health information
Data Retention and Disposal
| Scenario | Retention Period |
|---|---|
| Active subscription | Data retained while subscription is active |
| Cancelled subscription | 30 days, then permanently deleted |
| Terminated for cause | May be deleted immediately |
| Audit and security logs | Retained for compliance purposes (up to 7 years) |
You may export your data at any time using the built-in data export tools. Upon account termination, PHI is securely destroyed in compliance with HIPAA disposal requirements.
4. Subcontractors and Third Parties
ChiroApp uses the following third-party services that may have access to PHI. All subcontractors with access to PHI are bound by Business Associate Agreements or equivalent contractual obligations:
| Service | Purpose | Compliance |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | HIPAA BAA, SOC 2, ISO 27001 |
| Twilio | SMS messaging | HIPAA BAA available |
| Stripe | Payment processing | PCI DSS Level 1 |
| Google | Drive backups, Maps | HIPAA BAA (Google Workspace) |
5. Patient Rights
Under HIPAA, patients have the right to:
- Access: Request access to their PHI stored in ChiroApp
- Amendment: Request corrections to their records
- Accounting of Disclosures: Request an accounting of how their PHI has been disclosed
- Restriction: Request restrictions on certain uses or disclosures of their PHI
- Confidential Communications: Request alternative means of receiving communications
As the Covered Entity, your practice is responsible for responding to patient rights requests. ChiroApp provides the tools and data access necessary for you to fulfill these obligations.
6. Breach Notification
In the event of a breach of unsecured PHI, ChiroApp will:
- Notify affected Covered Entities without unreasonable delay and no later than 30 days after discovering the breach
- Provide sufficient detail for the Covered Entity to fulfill its notification obligations to individuals and HHS
- Cooperate fully in any investigation or remediation efforts
- Take immediate steps to mitigate harm and prevent future breaches
7. Your Responsibilities as a Covered Entity
While ChiroApp provides HIPAA-compliant tools and infrastructure, you (the practice/Covered Entity) are responsible for:
- Using strong, unique passwords and enabling two-factor authentication
- Training your staff on HIPAA requirements and proper use of the system
- Ensuring that patient consent forms and notice of privacy practices are current
- Reporting any suspected security incidents to ChiroApp immediately
- Not sharing login credentials between staff members
- Logging out of unattended devices
- Complying with state and federal regulations applicable to your practice
8. Contact
For HIPAA-related inquiries, security concerns, or to report a potential breach:
Security & Compliance Team: security@chiroapp.app
General Inquiries: support@chiroapp.app