HIPAA and Privacy Policy Declaration
HIPAA COMPLIANCE POLICY
TheraAI's HIPAA compliance policy ensures the confidentiality, integrity, and security of Protected Health Information (PHI) while providing AI chatbot services to outpatient healthcare clinics. This policy aligns with 45 CFR Parts 160 and 164 under HIPAA, incorporating requirements from the HHS Model Business Associate Agreement and healthcare chatbot best practices.
1. Scope & Responsibilities
Covered Entities: TheraAI acts as a Business Associate to HIPAA-covered entities (PT/OT/ST clinics)
PHI Handling: Applies to all PHI created, received, maintained, or transmitted via chatbots
Roles:
Security Officer: Oversees HIPAA compliance program
Engineering Team: Implements technical safeguards
Support Staff: Trained on PHI handling protocols
2. Technical Safeguards
AI Chatbot Security Measures
python
# Example encryption implementation
import os
from cryptography.fernet import Fernet

def encrypt_phi(data):
    # Load the key from the secrets store (an environment variable here) instead of
    # generating a new one on every call, which would leave the ciphertext unrecoverable.
    key = os.environ["PHI_ENCRYPTION_KEY"]  # produced once by Fernet.generate_key()
    cipher_suite = Fernet(key)
    return cipher_suite.encrypt(data.encode())
End-to-end encryption (AES-256) for data in transit & at rest
Multi-factor authentication for system access
Automated PHI redaction in chat transcripts
Real-time intrusion detection systems
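Added example (not TheraAI's own code) of the automated PHI redaction step listed above: it strips the direct identifiers most often typed into a chat (SSN, MRN, email, dates, phone numbers) from a speaker-labelled transcript and returns only per-type counts for the audit log. The sample transcript, the placeholder format and the "MRN#" prefix convention are assumptions.

```python
import re

# Direct identifiers that commonly appear in patient chat transcripts (a subset
# of the HIPAA Safe Harbor list). Order matters: specific formats (SSN, MRN,
# dates) are matched before the looser phone pattern so they are labelled correctly.
PHI_PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN":   re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "PHONE": re.compile(r"(?<!\w)(?:1[-. ])?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}

def redact_phi(text):
    """Replace each identifier with a typed placeholder.
    Returns (redacted_text, {label: number_of_replacements})."""
    counts = {}
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{label} REDACTED]", text)
        if n:
            counts[label] = n
    return text, counts

def redact_transcript(lines):
    """Redact every message of a 'speaker: message' transcript, keeping speaker
    labels, and return (redacted_lines, totals_per_identifier) for the audit log."""
    redacted, totals = [], {}
    for line in lines:
        speaker, sep, message = line.partition(": ")
        if not sep:                       # unlabelled line: redact all of it
            speaker, message = "", line
        clean, counts = redact_phi(message)
        redacted.append(f"{speaker}{sep}{clean}")
        for label, n in counts.items():
            totals[label] = totals.get(label, 0) + n
    return redacted, totals

# Constructed sample transcript (not real patient data).
TRANSCRIPT = [
    "patient: Hi, my record number is MRN#00123456 and my DOB is 03/14/1984.",
    "bot: Thanks. What number should we call you back on?",
    "patient: 555-867-5309 or email maria.r@example.com",
    "patient: also my SSN is 123-45-6789 in case you need it",
]

if __name__ == "__main__":
    lines, totals = redact_transcript(TRANSCRIPT)
    print("\n".join(lines))
    print("redactions:", totals)       # only counts, never the PHI, go to logs
```

Regex redaction catches formatted identifiers only; free-text names and addresses need a separate NER pass, and the redacted copy should be what is retained, not the raw transcript.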
Access Controls
Role-based permissions with least privilege principle
Unique user IDs + activity logging
15-minute session timeouts for admin portals
3. Business Associate Agreement (BAA) Provisions
Key requirements from HHS model agreement:
Requirement / TheraAI Implementation
PHI Use: Limited to treatment/payment/operations.
Disclosure Reporting: 72-hour breach notification protocol.
Audit Access: 24/7 access to security logs.
Termination: PHI return/destruction within 30 days.
4. Training & Audits
Annual HIPAA training for all personnel
Quarterly vulnerability scans + penetration testing
Bi-annual risk assessments using NIST 800-66 framework
Audit trails retained for 6 years
5. Incident Response
Immediate isolation of affected systems
Notification to Covered Entity within 72 hours
Root cause analysis within 14 business days
Corrective action implementation plan
6. Subcontractor Management
Flow-down BAAs with all cloud providers
Vendor security assessments before integration
Annual review of AWS HIPAA Attestation Reports
Policy Review Cycle: Updated biennially or with HIPAA regulation changes. Current version effective 04/25/2025.
Privacy Policy
Effective Date: April 23, 2025
Approved: Judy Lindsay, Privacy Officer
TheraAI
Email: privacy@theraai.com
Website Privacy Policy
At TheraAI, we are committed to protecting the privacy and security of your personal information. This Privacy Policy outlines how we collect, use, disclose, and safeguard your data when you visit our website, use our services, or interact with our AI-powered tools. By accessing or using our website and services, you agree to the terms of this Privacy Policy.
1. Information We Collect
We may collect the following types of information:
Personal Information: Information you voluntarily provide, such as your name, email address, phone number, or other contact details when you register, contact us, or use our services.
Clinic Data: Information provided by clinics, such as operational documents, patient interaction data, or other materials used to customize AI chatbots, which may include anonymized or aggregated data.
Usage Data: Automatically collected information about your interactions with our website and services, including IP address, browser type, device information, pages visited, and time spent on our site.
Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance your experience, analyze site performance, and deliver personalized content. You can manage cookie preferences through your browser settings.
2. How We Use Your Information
We use the collected information to:
Provide, operate, and improve our website and AI-powered services.
Customize AI chatbots and agents based on clinic-specific documents and needs.
Respond to inquiries, provide customer support, and communicate with you about our services.
Analyze usage trends to enhance user experience and optimize our offerings.
Comply with legal obligations and protect the security and integrity of our services.
3. How We Share Your Information
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:
Service Providers: With trusted third-party vendors who assist us in operating our website, delivering services, or analyzing data. These providers are contractually obligated to protect your information.
Legal Compliance: When required by law, regulation, or legal process, or to protect the rights, property, or safety of TheraAI, our users, or others.
Business Transfers: In connection with a merger, acquisition, or sale of assets, where your information may be transferred as part of the transaction.
4. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, use, or disclosure. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
5. Your Choices and Rights
You have the following rights regarding your personal information:
Access and Update: You may request access to or correction of your personal information by contacting us.
Opt-Out: You may opt out of receiving promotional communications by following the unsubscribe instructions in our emails.
Cookies: You can disable cookies through your browser settings, though this may affect your experience on our website.
Data Deletion: You may request the deletion of your personal information, subject to legal or contractual obligations.
6. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of these sites. We encourage you to review the privacy policies of any third-party sites you visit.
7. Children’s Privacy
Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete it.
8. International Users
TheraAI operates in the United States, and your information may be processed and stored in the U.S. By using our services, you consent to the transfer of your information to the U.S., which may have different data protection laws than your country.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website with a revised effective date. Please review this policy periodically.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
TheraAI
Email: privacy@theraai.com