HIPAA Compliance Policy for TheraAI Solutions

1. Purpose

TheraAI Solutions is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations. This policy establishes the framework for ensuring HIPAA compliance for TheraAI Solutions’ chatbot services provided to outpatient physical, occupational, and speech-language therapy clinics.

2. Scope

This policy applies to:

  • All employees, contractors, and third-party vendors of TheraAI Solutions involved in the development, deployment, maintenance, or support of chatbot services.

  • Basic chatbots that handle clinic policies, FAQs, and general inquiries (including questions about diagnoses or conditions) without collecting, storing, or processing PHI.

  • Advanced chatbots that provide home exercise programs and may collect, store, or process PHI.

  • All systems, platforms, and processes used in the creation and operation of TheraAI Solutions’ chatbots.

3. Definitions

  • Protected Health Information (PHI): Individually identifiable health information, as defined by 45 CFR § 160.103, transmitted or maintained in any form or medium, including demographic data, medical histories, or information related to an individual’s physical or mental health.

  • Business Associate: An entity that performs functions or services on behalf of a covered entity (e.g., therapy clinics) involving the use or disclosure of PHI, as defined by 45 CFR § 160.103.

  • Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA, such as TheraAI Solutions’ client clinics.

4. Roles and Responsibilities

  • HIPAA Compliance Officer: TheraAI Solutions designates a HIPAA Compliance Officer responsible for overseeing policy implementation, conducting risk assessments, managing Business Associate Agreements (BAAs), and handling complaints or breaches.

  • Employees and Contractors: All personnel must complete HIPAA training upon hire and annually, adhere to this policy, and report potential violations to the Compliance Officer.

  • Third-Party Vendors: Vendors handling PHI must sign BAAs and comply with HIPAA security standards.

5. Chatbot Operations and HIPAA Compliance

5.1 Basic Chatbots

  • Functionality: Basic chatbots provide information on clinic policies, FAQs, and general responses to inquiries about diagnoses or conditions (e.g., “What is physical therapy for rotator cuff injuries?”). These chatbots are designed to avoid collecting, storing, or processing PHI.

  • Safeguards:

    • Responses are pre-programmed or sourced from general medical knowledge bases, avoiding patient-specific data.

    • Chatbots include disclaimers informing users not to share PHI (e.g., “Do not share personal health information, such as your name or medical history, in this chat.”).

    • No user inputs are stored unless explicitly required for functionality, and any temporary data (e.g., session logs) is anonymized and deleted within 24 hours.

    • Chatbot platforms use end-to-end encryption for all communications.

  • Monitoring: Regular audits ensure basic chatbots do not inadvertently collect PHI. Any user attempt to input PHI triggers an immediate warning and session termination.

5.2 Advanced Chatbots

  • Functionality: Advanced chatbots provide personalized home exercise programs, which may involve collecting or processing PHI (e.g., patient responses about physical limitations or progress).

  • Safeguards:

    • Access Controls: Only authorized users (e.g., clinicians or patients with secure credentials) can access advanced chatbot features. Multi-factor authentication (MFA) is required.

    • Encryption: All PHI is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed securely and rotated regularly.

    • Data Minimization: Chatbots collect only the minimum necessary PHI to deliver home exercise programs, as required by 45 CFR § 164.502(b).

    • Audit Trails: All interactions involving PHI are logged with timestamps, user IDs, and actions taken, stored securely for auditing purposes.

  • Data Storage: PHI is not stored by TheraAI Solutions or on its platform. Providers wishing to store PHI will be required to set up webhooks for self-storage.

  • GDPR Compliant: Ensures that all personal data is handled according to the strict privacy and security requirements of the General Data Protection Regulation. This includes data encryption, user consent, and data access controls.

    • De-Identification: When PHI is no longer needed, it is de-identified or securely deleted in accordance with HIPAA retention policies.

  • Patient Consent: Advanced chatbots require explicit patient consent before collecting PHI, delivered via a secure interface with clear terms of use.

6. Business Associate Agreements (BAAs)

  • TheraAI Solutions, as a Business Associate, will execute BAAs with all covered entities (client clinics) before handling PHI. BAAs outline responsibilities for safeguarding PHI, reporting breaches, and ensuring subcontractor compliance.

  • Subcontractors or third-party vendors (e.g., cloud providers, AI model providers) must sign BAAs or equivalent agreements ensuring HIPAA compliance.

7. Security Policies

  • Risk Assessments: Annual risk assessments identify vulnerabilities in chatbot platforms, infrastructure, and processes, with mitigation plans implemented promptly.

  • Access Controls: Role-based access ensures only authorized personnel access PHI. Access is revoked immediately upon termination of employment or contracts.

  • Incident Response: A documented incident response plan addresses potential breaches, including:

    • Immediate containment of the breach.

    • Notification to affected covered entities within 24 hours of discovery.

    • Reporting to the Department of Health and Human Services (HHS) and affected individuals, as required by 45 CFR § 164.400-414, within 60 days.

  • Physical Security: Data centers and offices housing PHI-related systems are secured with biometric access, surveillance, and restricted entry.

  • Device Security: Employee devices accessing chatbot systems use endpoint protection, encryption, and remote wipe capabilities.

8. Training and Awareness

  • All employees and contractors receive initial and annual HIPAA training covering:

    • HIPAA Privacy, Security, and Breach Notification Rules.

    • TheraAI Solutions’ chatbot-specific safeguards.

    • Procedures for identifying and reporting potential PHI exposure.

  • Training completion is documented, and non-compliance results in disciplinary action, up to termination.

9. Patient Rights

  • TheraAI Solutions supports covered entities in fulfilling patient rights under HIPAA, including:

    • Access to PHI: Facilitating secure delivery of exercise program data to patients upon request.

    • Amendment: Allowing corrections to PHI through coordination with the covered entity.

    • Accounting of Disclosures: Maintaining logs of PHI disclosures for six years, as required by 45 CFR § 164.528.

  • Advanced chatbots provide clear instructions for patients to exercise these rights via the clinic.

10. Breach Notification

  • In the event of a breach of unsecured PHI, TheraAI Solutions will:

    • Conduct a risk assessment to determine the breach’s scope and impact.

    • Notify the covered entity within 24 hours of discovery.

    • Assist the covered entity in notifying affected individuals, HHS, and, if applicable, the media, per 45 CFR § 164.400-414.

    • Document all breaches and corrective actions taken.

11. Third-Party Vendor Management

  • All third-party vendors handling PHI (e.g., cloud providers, AI platforms) must:

    • Be vetted for HIPAA compliance.

    • Sign BAAs or equivalent agreements.

    • Undergo annual security audits by TheraAI Solutions.

  • TheraAI Solutions prohibits vendors from using PHI for purposes outside the agreed services (e.g., data mining).

12. Policy Enforcement

  • Compliance Monitoring: The HIPAA Compliance Officer conducts quarterly reviews of chatbot operations, logs, and employee compliance.

  • Disciplinary Actions: Violations of this policy (e.g., unauthorized PHI access) result in disciplinary measures, including retraining, suspension, or termination, and may lead to legal action.

  • Policy Updates: This policy is reviewed annually or upon significant regulatory changes, with updates communicated to all personnel.

13. Contact Information

For questions, concerns, or to report potential HIPAA violations, contact:

  • HIPAA Compliance Officer: Judy Lindsay, PT, DPT, CHCQM

  • Email: Judy@theraAIchat.com

  • Phone: (239) 266-1232

14. Effective Date

This policy is effective as of May 14, 2025, and supersedes all prior HIPAA policies.

Approval
Judy Lindsay, CEO, TheraAI Solutions
Date: May 14, 2025

*******************************************************************************************************************************

Website Privacy Policy

At TheraAI, we are committed to protecting the privacy and security of your personal information. This Privacy Policy outlines how we collect, use, disclose, and safeguard your data when you visit our website, use our services, or interact with our AI-powered tools. By accessing or using our website and services, you agree to the terms of this Privacy Policy.

1. Information We Collect

We may collect the following types of information:

  • Personal Information: Information you voluntarily provide, such as your name, email address, phone number, or other contact details when you register, contact us, or use our services.

  • Clinic Data: Information provided by clinics, such as operational documents, patient interaction data, or other materials used to customize AI chatbots, which may include anonymized or aggregated data.

  • Usage Data: Automatically collected information about your interactions with our website and services, including IP address, browser type, device information, pages visited, and time spent on our site.

  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance your experience, analyze site performance, and deliver personalized content. You can manage cookie preferences through your browser settings.

2. How We Use Your Information

We use the collected information to:

  • Provide, operate, and improve our website and AI-powered services.

  • Customize AI chatbots and agents based on clinic-specific documents and needs.

  • Respond to inquiries, provide customer support, and communicate with you about our services.

  • Analyze usage trends to enhance user experience and optimize our offerings.

  • Comply with legal obligations and protect the security and integrity of our services.

3. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

  • Service Providers: With trusted third-party vendors who assist us in operating our website, delivering services, or analyzing data. These providers are contractually obligated to protect your information.

  • Legal Compliance: When required by law, regulation, or legal process, or to protect the rights, property, or safety of TheraAI, our users, or others.

  • Business Transfers: In connection with a merger, acquisition, or sale of assets, where your information may be transferred as part of the transaction.

4. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, use, or disclosure. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

5. Your Choices and Rights

You have the following rights regarding your personal information:

  • Access and Update: You may request access to or correction of your personal information by contacting us.

  • Opt-Out: You may opt out of receiving promotional communications by following the unsubscribe instructions in our emails.

  • Cookies: You can disable cookies through your browser settings, though this may affect your experience on our website.

  • Data Deletion: You may request the deletion of your personal information, subject to legal or contractual obligations.

6. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of these sites. We encourage you to review the privacy policies of any third-party sites you visit.

7. Children’s Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete it.

8. International Users

TheraAI operates in the United States, and your information may be processed and stored in the U.S. By using our services, you consent to the transfer of your information to the U.S., which may have different data protection laws than your country.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website with a revised effective date. Please review this policy periodically.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

TheraAI
Email: Judy@theraai.com