TheraSignal is a clinical-grade measurement instrument designed for use in therapeutic settings. We are committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule.
As a Business Associate under HIPAA, TheraSignal implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all Protected Health Information (PHI) processed through our platform.
TheraSignal executes Business Associate Agreements with all covered entities (healthcare providers, clinics, and practices) prior to processing any PHI. BAA templates and a vendor compliance checklist are available on request, or contact us at compliance@therasignal.com to initiate a custom agreement.
TheraSignal collects and processes the following categories of data to deliver clinical intelligence to licensed practitioners:
| Data Category | What We Collect | Purpose |
|---|---|---|
| Session Recordings | Video and audio captured during therapy sessions with patient consent | Multimodal affect analysis, micro-expression detection, prosody analysis |
| Sensor Data | Physiological signals: heart rate variability (HRV), galvanic skin response (GSR), skin conductance | Arousal and autonomic response tracking during and between sessions |
| Derived Metrics | Computed affect valence, engagement scores, arousal indices, risk assessments | Clinical dashboard intelligence, progress tracking, intervention mapping |
| Clinical Notes | Clinician-entered session notes and treatment observations | Contextual enrichment of automated analyses |
| Account Data | Clinician name, email, practice information, credentials | Account management, authentication, compliance verification |
| Usage Data | Feature usage patterns, session frequency, dashboard interactions | Platform improvement, performance optimization |
Whenever possible, TheraSignal processes raw sensor data in real time and stores only derived metrics (affect scores, engagement indices, risk flags). Raw video and audio recordings are processed and can be configured for automatic deletion after analysis, per your practice's data retention policy.
TheraSignal implements industry-leading encryption and security measures across all layers of the platform:
TheraSignal provides configurable data retention policies aligned with clinical and legal requirements:
| Data Type | Default Retention | Configurable |
|---|---|---|
| Raw session recordings | 30 days after processing | Yes — 0 to 365 days, or indefinite per practice policy |
| Derived clinical metrics | Duration of patient treatment + 7 years | Yes — aligned with state medical records retention laws |
| Clinical notes | Duration of patient treatment + 7 years | Yes — per practice policy |
| Account data | Duration of active subscription + 90 days | Deleted upon account termination request |
| Audit logs | 6 years (HIPAA requirement) | No — regulatory minimum |
When data reaches the end of its retention period, it is permanently and irreversibly deleted using cryptographic erasure (destroying encryption keys) and physical media overwrite where applicable.
Patients whose data is processed through TheraSignal have the following rights under HIPAA and applicable state law:
Patients may request access to their PHI held by TheraSignal, including all derived metrics, session summaries, and clinical notes. Requests are fulfilled within 30 days as required by HIPAA. Access requests are coordinated through the treating clinician.
Patients may request correction or amendment of their PHI if they believe information is inaccurate or incomplete. The treating clinician reviews and processes amendment requests in accordance with the HIPAA amendment standard.
Patients may request restrictions on certain uses or disclosures of their PHI. This includes the ability to opt out of specific data collection modalities (e.g., video recording, physiological monitoring) while maintaining access to other platform features.
Patients may request an accounting of disclosures of their PHI made by TheraSignal in the preceding six years. Our audit logging system maintains comprehensive disclosure records.
Patients may request deletion of their PHI, subject to legal retention requirements. Upon a verified deletion request, TheraSignal permanently removes all patient data within 30 days, except where retention is required by law.
Patients may revoke consent for data collection at any time. Upon revocation, TheraSignal immediately ceases collecting new data and processes deletion of existing data per the patient's instructions and applicable retention laws.
To exercise any of these rights, patients should contact their treating clinician, who will coordinate with TheraSignal. Clinicians can submit requests through the platform or by contacting privacy@therasignal.com.
TheraSignal maintains strict limitations on third-party data sharing:
TheraSignal shares data only with the following categories of Business Associates, each bound by a BAA:
All Business Associates undergo security review and must demonstrate HIPAA compliance before gaining access to any PHI.
TheraSignal may use de-identified data (stripped of all 18 HIPAA identifiers) for platform improvement, research collaboration, and aggregate clinical insights. De-identification follows the HIPAA Safe Harbor method and is verified before any use.
In the event of a breach of unsecured PHI, TheraSignal will:
The TheraSignal marketing website uses minimal analytics to understand visitor traffic. This data is completely separate from the clinical platform and contains no PHI.
In addition to HIPAA, TheraSignal is designed to comply with:
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes:
Privacy Officer: privacy@therasignal.com
HIPAA Compliance: compliance@therasignal.com
General Inquiries: hello@therasignal.com