HIPAA Compliance

Our Commitment to HIPAA Compliance

As mental health professionals ourselves, we understand that protecting Protected Health Information (PHI) is non-negotiable. Brivy has been built from the ground up to meet and exceed HIPAA requirements, providing you with peace of mind when documenting your therapy sessions.

Administrative Safeguards

Security Officer and Workforce Training

• Designated Security Officer: We have appointed a qualified security officer responsible for developing and implementing our security policies.
• Workforce Training: All team members undergo comprehensive HIPAA training and sign confidentiality agreements.
• Access Management: Strict policies govern who can access PHI and under what circumstances.
• Regular Audits: We conduct regular security assessments and compliance audits.

Physical Safeguards

Secure Infrastructure

• AWS Cloud Infrastructure: We use Amazon Web Services, which provides SOC 2 Type II certified data centers.
• Data Center Security: Physical access controls, surveillance, and environmental protections.
• Workstation Security: All workstations used to access PHI are secured and encrypted.
• Device Controls: Strict policies for mobile devices and removable media.

Technical Safeguards

Advanced Security Technologies

• End-to-End Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
• Access Controls: Multi-factor authentication and role-based access controls ensure only authorized personnel can access PHI.
• Audit Logs: Comprehensive logging of all system access and data modifications.
• Automatic Logoff: Sessions automatically terminate after periods of inactivity.
• Data Integrity: Cryptographic mechanisms ensure data hasn't been altered or destroyed.

Business Associate Agreements (BAAs)

We maintain Business Associate Agreements with all third-party vendors who may have access to PHI, including:

• Amazon Web Services (AWS)
• AI processing partners
• Backup and disaster recovery services

Data Processing and Storage

How We Handle Your Therapy Session Data

• Minimal Data Collection: We only collect the data necessary to provide our transcription and note-generation services.
• Secure Processing: All AI processing occurs within our secure, HIPAA-compliant infrastructure.
• Data Retention: Clear policies govern how long we retain data and when it's securely deleted.
• No Third-Party Sharing: We never sell or share PHI with third parties for marketing purposes.

Incident Response and Breach Notification

• Incident Response Plan: Comprehensive procedures for identifying, containing, and responding to security incidents.
• Breach Notification: We will notify affected users and relevant authorities within required timeframes if a breach occurs.
• Regular Testing: Our incident response procedures are regularly tested and updated.

Your Responsibilities as a Covered Entity

While Brivy provides HIPAA-compliant infrastructure, you remain responsible for:

• Obtaining proper patient consent before recording sessions
• Ensuring your use of Brivy complies with your organization's policies
• Reviewing and verifying all AI-generated content before including it in patient records
• Maintaining secure access to your Brivy account

Compliance Documentation

We maintain comprehensive documentation of our HIPAA compliance measures, including:

• Security risk assessments
• Policies and procedures
• Training records
• Audit logs and reports
• Incident response documentation

Regular Compliance Reviews

We conduct regular reviews of our HIPAA compliance program to ensure we continue to meet all requirements and adapt to any changes in regulations or best practices.

Questions About HIPAA Compliance?

If you have any questions about our HIPAA compliance measures or need additional documentation for your compliance review, please contact us at [email protected]