Compliance

HIPAA Compliance

Your health information is among the most sensitive data in existence. Here is exactly how we protect it — no legal jargon, no vague promises.

HIPAA Compliant
SOC 2 Type II
HITRUST Certified

The basics

What is HIPAA?

HIPAA — the Health Insurance Portability and Accountability Act — is US federal law that protects the privacy and security of individually identifiable health information, called Protected Health Information (PHI).

PHI includes any information that could identify you and relates to your physical or mental health, the care you receive, or payment for that care. HIPAA sets strict limits on who can access, use, and disclose your PHI.

Protects mental and physical health records
Covers all individually identifiable information
Applies to covered entities and business associates
Enforced by the HHS Office for Civil Rights
Violations carry fines of up to $1.9M per year

Technical safeguards

How we protect your data technically

HIPAA’s Security Rule requires specific technical measures. We exceed them.

End-to-end encryption

All session communications — video, audio, text — are encrypted from your device to your clinician's device. No one in between, including ThriveMatch, can access the content.

Encrypted data at rest

All stored data, including session notes, your profile, and any documents you upload, is encrypted with AES-256. Even our own database administrators cannot read your data.

Access controls

Platform staff access to PHI is strictly limited by role and monitored with automated audit logs. Every access event is recorded and regularly reviewed.

Business Associate Agreements

Every clinician and third-party service provider with access to PHI signs a HIPAA-compliant Business Associate Agreement (BAA) before accessing any data.

Secure transmission

All data transmitted to and from our platform uses TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. Older, insecure protocol versions are blocked.

Audit trails

Every access to Protected Health Information is logged with a timestamp, user identity, and action. Logs are tamper-evident and retained for six years.

Administrative safeguards

The people and processes behind the protection

Technology alone is not enough. HIPAA compliance requires robust organisational practices.

HIPAA training for all staff

Every ThriveMatch employee — technical, clinical, and operational — completes comprehensive HIPAA training before accessing any system containing PHI.

Privacy, security, and breach policies

We maintain formal, documented policies for privacy, information security, workforce sanctions, and breach notification that are reviewed and updated annually.

Background checks

All employees and contractors with potential access to PHI undergo background screening during hiring and are subject to ongoing monitoring.

Annual risk assessments

We conduct annual HIPAA security risk assessments to identify vulnerabilities, evaluate controls, and remediate gaps in our infrastructure.

Your rights under HIPAA

HIPAA gives you fundamental rights over your health information. ThriveMatch makes exercising these rights simple.

Right to access your records

You may request a copy of your Protected Health Information; we will provide it within 30 days of your request.

Right to amend

You may request corrections to your PHI if you believe it is inaccurate or incomplete.

Right to an accounting

You may request a log of disclosures of your PHI made in the past six years.

Right to restrict use

You may request restrictions on how we use or disclose your PHI. We will honour all requests we can accommodate.

Right to alternative communications

You may request that we communicate with you in a specific way or at a specific location.

Right to a Notice of Privacy Practices

You are entitled to a written copy of this notice at any time. Contact privacy@thrivematch.com.

To exercise any of these rights, contact our Privacy Officer at privacy@thrivematch.com.

HIPAA questions, answered plainly

Is ThriveMatch a HIPAA-covered entity?

Yes. ThriveMatch is both a HIPAA-covered entity (as a healthcare platform) and a business associate to the clinicians in our network. We comply with all applicable HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements.

Are my therapy sessions private?

Yes. Session content is not accessible to ThriveMatch staff. Clinicians maintain their own clinical records, which are subject to their professional confidentiality obligations. Platform metadata (session timestamps, duration) is retained for operational and billing purposes.

Does ThriveMatch share my data with insurers?

We do not share PHI with insurance companies without your explicit written authorisation, except as required by law. If you choose to use insurance benefits, you authorise sharing only the minimum necessary information.

What happens if there is a data breach?

In the event of a breach affecting your PHI, we will notify you within 60 days (or within applicable state-mandated timeframes). We will explain what happened, what information was involved, and protective steps you can take.

How long is my data retained?

Account data is retained for the duration of your account plus a post-closure period as required by applicable law. Clinical records may be subject to state minimum retention requirements, typically 7–10 years. You may request deletion of non-clinical data at any time.

Contact our Privacy Officer

Any HIPAA complaint, concern, or rights request should be directed to our designated Privacy Officer. We respond within 5 business days.