Last updated: April 22, 2026
Speechtherapist.app is designed from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). As a Business Associate to covered entities (speech-language pathologists and their practices), we implement comprehensive safeguards to protect Protected Health Information (PHI).
All audio recordings are encrypted with AES-256-GCM using per-user encryption keys derived with HKDF. Clinical data in Firestore is encrypted at rest by Google Cloud's default encryption (AES-256).
All data transmitted between your browser and our servers uses TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age and preload.
Firestore security rules enforce strict user-scoped access. Every database query is restricted to the authenticated user's own data. No user can read, modify, or delete another user's records.
Every access to PHI (viewing patients, opening sessions, generating notes, downloading recordings) is logged to an append-only audit trail. Audit logs include user ID, action, resource, timestamp, IP address, and user agent. Logs cannot be modified or deleted by any user, including administrators.
Content Security Policy (CSP) restricts which domains can interact with the application. X-Frame-Options prevents clickjacking. Additional headers prevent MIME sniffing, enforce referrer policy, and restrict device permissions.
We maintain BAAs with all sub-processors that handle PHI: Google Cloud Platform (Firebase), Anthropic (AI processing), and Deepgram (transcription). See our BAA page for details.
Clinical data is retained for the duration of your account plus 7 years. Audit logs are retained for a minimum of 6 years. An automated data retention function enforces these policies.
We maintain a breach notification procedure consistent with HIPAA requirements. In the event of a breach, affected users and HHS will be notified within the required timeframes.
All data is hosted on Google Cloud Platform infrastructure, which maintains SOC 2 Type II, ISO 27001, and HITRUST certifications. Application servers run on Vercel's edge network. Neither we nor our hosting providers allow physical access to servers without multi-factor authentication and audit trails.
When generating SOAP notes, reports, or responding to AI chat queries, patient data is sent to Anthropic's API over encrypted connections. Anthropic does not train on customer data and maintains a BAA with us. AI-generated content is stored within your Firestore document and subject to the same encryption and access controls as all other PHI.
For HIPAA compliance inquiries: compliance@speechtherapist.app