Last updated: April 13, 2026
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) protects certain health information in the United States. This page explains how Euthyn supports HIPAA-regulated interactions and where HIPAA does and does not apply on our platform.
1. When HIPAA applies on Euthyn
HIPAA applies when a “Covered Entity” (a licensed clinician, psychologist, or other provider governed by HIPAA) uses Euthyn to deliver care. In that context, Euthyn acts as a Business Associate of the clinician and signs a Business Associate Agreement (BAA) before any Protected Health Information (PHI) is transmitted through the Service.
HIPAA does not apply to non-clinical services such as peer listening, life coaching, or anonymous venting. Those interactions are still protected by our Privacy Policy, but they are not regulated as PHI.
2. Safeguards we implement
- Administrative: written policies, workforce training, access reviews, and an appointed Security Officer.
- Physical: data is hosted with service providers (Supabase, Vercel, Daily.co) whose infrastructure is covered by SOC 2 Type II audits; physical security of the underlying data centers is provided by those providers rather than by Euthyn directly.
- Technical: TLS 1.2+ in transit, AES-256 at rest, role-based access, audit logging, automatic session timeout, and least-privilege engineering access.
3. Video sessions
Per-booking video rooms are created through Daily.co with a HIPAA-oriented configuration: end-to-end encryption, a cap of two participants, and a one-hour expiry after which the room can no longer be joined. Daily.co executes a BAA with Euthyn. Cloud recordings are opt-in and retained for 30 days unless a clinician's professional obligations require a longer retention period. Note that cloud recording requires the video provider to process the media server-side, so a recorded session is protected by encryption in transit and at rest rather than end-to-end encryption.
4. Your rights under HIPAA
When HIPAA applies, you have the right to: (a) access your PHI; (b) request amendments; (c) receive an accounting of disclosures; (d) request restrictions on certain uses and disclosures; and (e) receive notice of breaches of your unsecured PHI. Direct HIPAA requests to your clinician, who remains the Covered Entity for your record; Euthyn, as a Business Associate, acts on those requests at the clinician's direction.
5. Breach notification
Euthyn will notify the affected Covered Entity of any breach of unsecured PHI without unreasonable delay, and in no case later than 60 calendar days after discovery, as required by 45 CFR § 164.410. The notice includes, to the extent possible, the identification of each individual whose PHI was affected, along with the other information the Covered Entity needs for its own notifications. Covered Entities are responsible for notifying affected individuals, the Secretary of HHS, and, where applicable, the media under 45 CFR §§ 164.404–164.408.
6. Sub-processors handling PHI
- Supabase (database and auth) — BAA executed.
- Daily.co (video sessions) — BAA executed.
- Stripe (payments) — handles limited transaction data only; does not process PHI.
- Vercel (hosting) — BAA executed under Vercel's enterprise tier.
Analytics and session-replay tools (Microsoft Clarity, etc.) are not PHI sub-processors and do not operate under a BAA; they are configured to exclude clinical pages from session recording and tracking when HIPAA applies.
7. Requesting a Business Associate Agreement
Clinicians who plan to deliver HIPAA-regulated care on Euthyn must execute a BAA with us before inviting patients. Request a BAA from compliance@euthyn.com.
8. Limitations
HIPAA does not apply to information a Seeker volunteers outside a clinical relationship, and it does not preempt professional licensing rules in your jurisdiction. Clinicians remain responsible for their own compliance, documentation, and record-keeping obligations.
9. Contact
Privacy / HIPAA Officer: compliance@euthyn.com