Privacy, Security, & HIPAA Compliance

All BEHAVEHEALTH sofware is built on the Amazon Web Services HIPAA compliant platform.


The three components of a secure cloud software platform.

  1.  Computing Infrastructure

  2.  Application Design

  3.  Best Practices

ESTABLISHING HIPAA COMPLIANCE and business associates agreement

BEHAVEHEALTH maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by these regulations.  BEHAVEHEALTH signs a business associate agreement (BAA) with your organization.

Data Policy and Ownership

  • Your patients own their data and consent for you to use it in the course of their treatment and for BEHAVEHEALTH to use it to complete the health insurance billing process.

  • We store all patient records for the mandated 8 year period and offer additional storage options beyond that as well.

Privacy, Security and Trust

  • Your company entrusts BEHAVEHEALTH to securely store and protect the Protected Health Information (PHI).

  • We comply with all elements of HIPAA from privacy to data ownership and portability.

  • We believe deeply in the right to privacy for all people.


  • We have implemented the recommendations of National Institute of Standards and Technology (NIST) and Federal Information Processing Standard (FIPS) so our data is encrypted at rest using AES encryption with 256-bit keys.

  • We use the elliptic curve digital signature algorithm (ECDSA) for our digital signatures related to cryptography operations.

  • Transmitted PHI is encrypted using strong TLS (predecessor to SSL) ciphers configured for perfect forward secrecy. Insecure TLS ciphers are disabled per NIST recommendations.

  • Network access to virtual machines is inspected in real time and permanently logged.

  • Network traffic routed within each customer environment travels through an isolated, non-shared subnet.

  • SSH access to application environments is configured per the Center for Internet Security (CIS) benchmark recommendations.

  • Network traffic can be restricted to specific whitelisted IP addresses or VPN connections on a per environment basis.

  • Intrusion attempts are automatically identified and blocked on a per IP address basis for a significant duration of time, mitigating SSH dictionary attacks and other malicious behavior.


  • Access control to our system is managed through our user roles.

  • Each employee is assigned a user role when they are added and are governed by permissions.







  • All data stored in the BEHAVEHEALTH EHR is safe and recoverable, protecting customers against accidental loss or mistakes.

  • Database backups are encrypted and stored in a highly durable storage infrastructure (99.999999999% durability and 99.99% availability).

  • Disk volumes leverage a fault-tolerant, high-availability storage system.

  • Nightly snapshots create a backup of each disk volume.

  • For data integrity purposes, database backups are automatically enabled based on a consistent schedule, sensible rotation, and retention policy.

  • Monthly backups are retained for 6 years by default.


  • Analysis of intrusion detection system data for anomalous activity and system issues

  • Virtual machine filesystems are regularly scanned for file integrity, malware, and rootkits.

  • Audits of firewall rules and IP address whitelists

  • Maintaining base images for Docker containers used in our platform

  • Review of published vulnerabilities and exposures

  • Security patching


  • HIPAA compliance requires a number of best practices to be established and maintained internally at your business.

  • We help you handle that by centralizing your information in the BEHAVEHEALTH EHR.