How we work with session data
We recognise that privacy and data security are very much necessary for therapy to be safe and effective. Let’s begin by addressing how we work with private session data and what happens to it.
As you probably already know, when you want to use Upheal for notes and insights, we need some kind of record of your session, whether that’s audio, video, or an uploaded recording. Otherwise, there would be nothing to create notes or insights from.
Now, let’s use the example of holding your sessions on Upheal in an online format – your video call creates an audio recording, a session transcript, progress notes, and analytics.
For added security and privacy, we delete the audio recording once it’s no longer needed for session processing. We’ve made deleting the recording the default. If you, the healing professional, want to keep the audio for supervision or clinical purposes, that’s possible, but you must get explicit client consent.
As for the rest, once you edit and finalize the pre-drafted progress notes, the session transcript, analytics, and even the notes themselves can be deleted too.
We recommend that you delete whatever you feel comfortable with on an individual or practice level, after you submit your notes to the necessary insurance or third-party vendors, of course.
We’ve made it possible to set this up for your entire practice, which means that all of your team members’ transcripts will be deleted automatically once the notes are generated.
* Please note: based on your Upheal plan, you may not have session transcript access.
If you choose not to delete a session transcript, you will have access to this (non-de-identified) transcript for however long you use the app. We do not have access to it ourselves. However, like any cloud service, we must store it somewhere and have made sure to partner with an established, robust, secure storage provider – AWS, complete with AES-256 encryption. In addition, AWS environments are continuously audited, with certifications from accreditation bodies across geographies and verticals.
More on data security and third-parties
We follow the best industry practices and have an extensive list of certifications when it comes to data protocol and protection. Upheal is HIPAA, PHIPAA, PIPEDA, GDPR, and DPA compliant in the USA, Canada, EU, UK, New Zealand and Australia. We have also received the SOC 2 Type I attestation report. This rigorous, independent assessment of our internal security controls serves as validation of our dedication and adherence to the highest standards for security, confidentiality, availability, privacy, and processing integrity. You can read more here.
In addition, HIPAA regulates how we share data with any third parties. We must enter a BAA (Business Associate Agreement) with any third party that would receive access to, transmit, or store Protected Health Information (PHI) as part of its services for the provider. The BAA effectively extends the responsibility we have over our clients’ data to any third party. This means the third parties have to be legally responsible for their security and privacy practices under HIPAA, the same way we are. An example of an LLM third party we work with is Microsoft Azure. Other third parties must guarantee that they:
- Aren’t logging any information from or about the data, nor have employees processing session data.
- Aren’t storing the data, except for our storage provider – AWS.
- Aren’t using any data for any AI training of their own.
As a therapist, it can be beneficial to conduct a security risk assessment and document those results. The Office of the National Coordinator for Health Information Technology (ONC) offers a security risk assessment tool that could be used for this purpose. Generally, the more levels of information there are and the more data is moved around, the greater the risk of human error.
What about client data?
In our previous article, we explained that we allow our clients to decide if they want to opt into sharing their session data with us for AI and product improvements.
We don’t just assume, and we are proud of that distinction.
Just to help give you an idea, 18 different types of identifiers are removed, including names, telephone numbers, vehicle identifiers, serial numbers, email addresses, medical and social record numbers, and so on, which you can read about here. And finally, we do regular vulnerability testing as part of our development cycle, making sure our product doesn’t have any known vulnerabilities.
- Upheal follows industry best practices for data protocol and protection.
- We conduct regular penetration testing by external security companies.
- Upheal is HIPAA, PHIPAA, PIPEDA, GDPR, and DPA compliant.
- We do regular vulnerability testing as part of our development cycle.
- Our security and privacy commitments are constantly being monitored by industry-leading compliance software, and you can review our security posture anytime at https://trust.upheal.io
- Upheal deletes audio recordings by default, and offers practice-level transcript deletion.
- Deleting transcripts, progress notes, and insights is fully possible anytime. If kept, the above are secured with AES-256 encryption, and calls are end-to-end encrypted.
- Transcript data is de-identified if kept for AI and product improvements.
- Analytics can also be deleted anytime.
We hope this helps answer some of your most pressing questions! If you have any more data- or privacy-related questions, you can peruse our Support center or drop us an email. Next time, we’ll be looking at our obligation to law enforcement.