Privacy Policy

Last Updated: 5/21/2026

HIPAAtherapy, a product of Open7 (“Company,” “we,” “us,” or “our”), is committed to protecting your privacy and maintaining the security of protected health information (PHI). This Privacy Policy explains how we collect, use, and safeguard information when you use our Electronic Health Record (EHR) system, Practice Management software, and related software services available through HIPAAtherapy (collectively, the “Services”).

Information We Collect

Practice and Administrative Information

We collect information about healthcare practices and administrators, including:

  • Practice name and contact information
  • Administrator and staff credentials
  • Business Associate Agreements
  • Billing and payment information
  • System access logs and audit trails
  • Practice configuration settings

Protected Health Information (PHI)

As a HIPAA-compliant service provider, we may collect and process PHI, including:

  • Patient demographic information
  • Medical records and history
  • Treatment plans and notes
  • Appointment schedules
  • Insurance and billing information
  • Clinical documentation
  • Patient communication records

Technical and Audit Information

To secure the Services and meet our HIPAA audit obligations, we record:

  • Authentication records (sign-ins, sign-in failures, and sign-outs)
  • Audit logs of access to protected health information, capturing who accessed which record and when
  • The IP address and browser user-agent string associated with those events
  • Configuration data for integrations you choose to connect (such as calendar sync)

We do not use analytics, telemetry, or third-party tracking tools. We do not collect feature-usage metrics, performance or error telemetry, or network-behavior data.

How We Use Your Information

Practice and Administrative Data

We use this information to:

  • Provide and maintain our Services
  • Process payments and manage subscriptions
  • Communicate system updates and notices
  • Provide technical support
  • Ensure compliance with agreements

Protected Health Information

PHI is used solely for:

  • Providing healthcare services through our platform
  • Facilitating insurance and billing processes
  • Supporting patient care and communication
  • Maintaining required medical records
  • Complying with legal obligations

Data Security Measures

We implement comprehensive security measures including:

  • Two-factor authentication
  • Regular security audits and penetration testing
  • Automated threat detection
  • Disaster recovery procedures
  • Employee security training

HIPAA Compliance

As a Business Associate under HIPAA, we:

  • Maintain HIPAA compliance programs
  • Provide Business Associate Agreements
  • Conduct regular risk assessments
  • Report security incidents as required
  • Train staff on HIPAA requirements
  • Maintain audit logs of access to protected health information

Data Retention

  • PHI is retained according to state and federal requirements
  • Practice data is maintained throughout active subscriptions
  • System logs are retained for security and compliance
  • Data deletion requests are honored as permitted by law
  • Backup retention follows industry standards

Your Rights

Healthcare providers have the right to:

  • Access practice and patient data
  • Request data exports
  • Modify practice information
  • Receive security incident notifications
  • Obtain audit logs
  • Request data deletion (subject to retention requirements)

Patients retain all rights under HIPAA and applicable laws.

Third-Party Services

We rely on a limited set of vetted third-party service providers (“subprocessors”) to deliver the Services. Each processes practice data or PHI only as needed to perform its function:

  • Payment processors — process client and practice payments
  • Healthcare clearinghouses — submit insurance claims and verify eligibility
  • Microsoft Azure — optical character recognition (OCR) for text extraction from uploaded documents
  • Microsoft 365 / Outlook (Microsoft Graph) — optional calendar synchronization for staff who connect an account
  • Tigris — encrypted object storage for uploaded files and images
  • 8x8 (Jitsi) — video conferencing for telehealth sessions

All third-party services must meet our security requirements and, where they handle PHI, sign a Business Associate Agreement or equivalent data protection agreement.

International Data Transfer

  • Data is primarily stored in U.S.-based data centers
  • International transfers follow applicable regulations
  • Additional safeguards apply for cross-border transfers

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated directly to practice administrators with 30 days' notice.

Contact Information

For privacy-related inquiries and HIPAA-related concerns: Open7 LLC [email protected]