Yes, Tenor is fully HIPAA compliant!
As mental health professionals, we understand that HIPAA compliance isn't just a legal requirement—it's the foundation of trust in the therapeutic relationship. At Tenor, we've built our platform with privacy and security as core principles.
Understanding HIPAA in the context of digital therapy tools
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individuals' medical records and other individually identifiable health information. HIPAA applies to "covered entities," which include health plans, healthcare clearinghouses, and healthcare providers (including therapists) who transmit health information electronically in connection with standard transactions such as claims and billing.
Because Tenor creates, receives, and stores protected health information (PHI) on behalf of therapists, Tenor is a Business Associate under HIPAA. All therapists agree to a Business Associate Agreement (BAA) with Tenor as part of the sign-up process.
Business Associate Agreement (BAA)
Tenor provides a standard BAA for all users, linked here. Our BAA clearly outlines:
Permitted and required uses of PHI
Prohibited disclosures
Safeguards required to protect information
Breach notification procedures
Termination provisions
To further protect clients' health information, Tenor also signs BAAs with the trusted partners that support its products (the subcontractors that process PHI on Tenor's behalf). For details on Tenor's BAAs with its partners, see this article. You can review additional details on how Tenor handles client data in Tenor's Privacy Policy here.
How Tenor protects your clients' data
Technical safeguards
Tenor implements technical safeguards that meet or exceed industry standards:
Encryption in transit and at rest: All data is encrypted in transit and encrypted at rest using AES-256. This is transport and storage encryption, not end-to-end encryption: Tenor and its processing partners decrypt data in order to transcribe and analyze it, as described below.
Multi-factor authentication: Available as an optional account setting; we recommend that every therapist enable it.
Automatic session timeouts: Sessions automatically time out after 30 minutes of inactivity
Role-based access controls: Granular permissions ensure Tenor staff can only access the information necessary to resolve a user's support issue
Transparent data processing and storage
Tenor maintains full transparency about how and where your data is processed:
Audio transcription: Session audio files are sent over an encrypted connection to Deepgram for transcription. We maintain a BAA with Deepgram, under which Deepgram does not retain audio or transcripts after processing.
Audio deletion: After transcription, all audio files are permanently deleted from Tenor's systems, providing an additional layer of privacy protection.
AI-powered analysis: Transcripts are processed by OpenAI and Anthropic for analysis and note generation. We have signed BAAs with both vendors, under which they do not retain transcripts, prompts, or outputs after processing.
Secure storage: All resulting documentation is encrypted at rest and in transit, as required by the HIPAA Security Rule.
Important compliance information for therapists
Client data and documentation
Electronic records with identifiable health information are held to the same standard as written health records. Therapists must ensure the confidentiality, integrity, and availability of all records they create, receive, maintain, or transmit.
Tenor takes privacy, confidentiality, and record protection extremely seriously. See this article outlining how therapists using Tenor can control their clients' data, including the ability to have that data fully and irrevocably deleted.
Important note: If Tenor data is exported, it is the therapist's responsibility to store that data in HIPAA-compliant storage. Client information that has been de-identified under HIPAA's de-identification standard (45 CFR 164.514(b)) is no longer PHI and does not need to be kept confidential, though therapists should always use discretion when sharing sensitive information.
In summary
HIPAA compliance is a shared responsibility between Tenor and our users. We've built a platform that not only meets but exceeds regulatory requirements while giving therapists unprecedented control over their data. Unlike competitors who take a one-size-fits-all approach to compliance, Tenor recognizes that different practices have different needs and provides the flexibility to customize your security settings accordingly.
By choosing Tenor, you're partnering with a platform that values privacy as much as you do—one that understands the delicate balance between compliance requirements and clinical needs.
Questions?
If you have additional questions about Tenor's HIPAA compliance, please contact our support team at support@tenor.com.