Security & Compliance at TheraPrac

TheraPrac is EHR software for therapists, built with security, privacy, and compliance as foundational principles. It is designed for independent clinicians and small therapy practices that need clear, reliable safeguards around sensitive client data.

This page provides an overview of TheraPrac's approach to security and compliance. For how sensitive data is organized in the product, see secure client records.

HIPAA Compliance & Business Associate Agreements

TheraPrac is built for healthcare use cases and supports compliance with the Health Insurance Portability and Accountability Act (HIPAA).

TheraPrac operates as a business associate to healthcare customers that qualify as covered entities under HIPAA. We implement administrative, physical, and technical safeguards designed to protect protected health information (PHI) throughout its lifecycle.

As part of our standard onboarding process, TheraPrac executes a Business Associate Agreement (BAA) with covered entity customers.

Our HIPAA-aligned practices include:

  • Administrative, physical, and technical safeguards
  • Role-based access controls and least-privilege enforcement
  • Encryption of data in transit and at rest
  • Audit logging and security monitoring
  • Incident response and breach notification procedures
  • Vendor and subprocessor risk management

Security Architecture & Data Protection

TheraPrac protects sensitive healthcare data using a layered security approach designed to support confidentiality, integrity, and availability.

Core security practices include:

  • Encryption in transit and at rest
  • Logical tenant data isolation
  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Audit logging and monitoring
  • Secure backup and recovery processes

Security controls are reviewed periodically and evolve as the platform and threat landscape change.

Alignment with Industry Security Frameworks

In addition to HIPAA, TheraPrac aligns its security governance and control environment with widely recognized industry frameworks.

SOC 2

TheraPrac's controls and operational practices are designed to align with the SOC 2 Trust Services Criteria, with a focus on Security, Availability, and Confidentiality.

A SOC 2 report has not yet been issued.

ISO/IEC 27001

TheraPrac maintains an Information Security Management System (ISMS) designed to align with the principles and control objectives of ISO/IEC 27001.

TheraPrac is not currently ISO/IEC 27001 certified.

Shared Responsibility

Security and compliance are a shared responsibility between TheraPrac and each practice.

  • TheraPrac provides technical safeguards, access controls, audit logging, monitoring, and secure application infrastructure.
  • Practices are responsible for their internal policies, for managing which users have access and at what level, and for day-to-day usage that aligns with their clinical and regulatory obligations.
  • Cloud service providers are responsible for physical data center security and underlying infrastructure protections.

Additional Compliance Documentation

Detailed security and compliance documentation, including our Security, Privacy & Compliance White Paper, is available upon request.

For security inquiries, compliance questions, or documentation requests, please contact:

compliance@theraprac.com