Your Privacy Matters

Privacy Policy

Last updated: February 2026

HIPAA-Compliant Healthcare Provider

BehavioTech is a HIPAA-covered entity. We comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Security Rule, and Breach Notification Rule. All Protected Health Information (PHI) is handled in strict accordance with federal and California state privacy laws.

1. Introduction

BehavioTech ("we," "us," or "our") is committed to protecting the privacy and security of your personal information and Protected Health Information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website, use our services, or interact with us in any way.

As a provider of Applied Behavior Analysis (ABA) therapy services and a HIPAA-covered entity, we understand the sensitive nature of the information entrusted to us. We comply with all applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and the California Confidentiality of Medical Information Act (CMIA).

2. HIPAA Compliance & Protected Health Information

BehavioTech is classified as a covered entity under HIPAA because we provide healthcare services (ABA therapy) and transmit health information electronically. As such, we are legally required to:

  • Maintain the privacy and security of your Protected Health Information (PHI).
  • Provide you with a Notice of Privacy Practices describing how we may use and disclose your PHI.
  • Notify you if a breach of your unsecured PHI occurs.
  • Follow the duties and privacy practices described in this policy and our Notice of Privacy Practices.

Protected Health Information (PHI) includes any individually identifiable health information that we create, receive, maintain, or transmit in connection with providing ABA therapy services. This includes your child's name, diagnosis, treatment plans, session notes, progress data, insurance information, and any documents uploaded to our secure portals.

3. How We Handle PHI

PHI Protection Standards

  • Encryption at rest: All PHI stored in our systems is encrypted using AES-256 encryption with AWS Key Management Service (KMS).
  • Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher.
  • Access controls: PHI access is restricted through role-based access control (RBAC). Only authorized clinical staff assigned to your child's care team can access their records.
  • Audit logging: All access to PHI is logged and monitored. We maintain audit trails of who accessed what information and when.
  • Minimum necessary: We limit PHI access and disclosure to the minimum amount necessary to accomplish the intended purpose.
  • Secure file storage: Documents are stored in a dedicated, HIPAA-compliant AWS S3 bucket with server-side encryption and private access controls.
  • Time-limited access: Download links for PHI documents expire after 60 seconds to minimize exposure risk.

4. Information We Collect

Protected Health Information (PHI)

In the course of providing ABA therapy services, we collect and maintain:

  • Client demographics: Child's name, date of birth, address, and guardian contact information.
  • Clinical information: Diagnosis (e.g., Autism Spectrum Disorder), assessment results, treatment plans, session notes, and behavior data.
  • Insurance information: Carrier name, policy and group numbers, authorization details, and claims data.
  • Clinical documents: Diagnostic reports, IEPs, physician referrals, authorization letters, and progress reports.

Non-PHI Personal Information

  • Account credentials: Login information for parent and staff portals.
  • Communication records: Messages, inquiries, and feedback you send to us.
  • Employment information: Resumes and applications submitted through our careers page.

Automatically Collected Information

  • Usage data: Pages visited, time spent on pages, and navigation patterns.
  • Device information: Browser type, operating system, and device identifiers.
  • Cookies: Essential cookies for session management (see Section 13).

5. How We Use Your Information

We use PHI only for the following permitted purposes under HIPAA:

  • Treatment: To provide, coordinate, and manage ABA therapy services for your child.
  • Payment: To verify insurance benefits, obtain authorizations, submit claims, and process billing.
  • Healthcare Operations: For quality assessment, staff training, compliance activities, and business management.
  • As required by law: To comply with federal, state, or local laws and regulations.
  • With your authorization: For any purpose not listed above, we will obtain your written authorization before using or disclosing your PHI.

6. Data Security Measures

We implement comprehensive administrative, physical, and technical safeguards to protect your information as required by the HIPAA Security Rule:

Administrative Safeguards

  • Designated Privacy Officer and Security Officer responsible for HIPAA compliance.
  • Workforce training on HIPAA privacy and security requirements.
  • Sanction policies for employees who violate privacy or security policies.
  • Regular risk assessments to identify and mitigate vulnerabilities.
  • Incident response and breach notification procedures.

Technical Safeguards

  • AES-256 encryption for data at rest using AWS KMS.
  • TLS 1.2+ encryption for data in transit.
  • Role-based access control (RBAC) with 10-level permission hierarchy.
  • Unique user identification and authentication for all system access.
  • Automatic session timeout and account lockout policies.
  • Audit controls that record and examine system activity.

Physical Safeguards

  • Cloud infrastructure hosted in SOC 2 Type II and HIPAA-compliant AWS data centers.
  • No PHI is stored on local devices or portable media.
  • Workstation security policies for all staff accessing PHI.

7. Business Associate Agreements (BAA)

BAA Compliance

Under HIPAA, we are required to enter into Business Associate Agreements (BAAs) with any third-party vendor or service provider that creates, receives, maintains, or transmits PHI on our behalf.

BehavioTech maintains executed BAAs with all business associates, including but not limited to:

  • Cloud infrastructure provider (Amazon Web Services) — SOC 2 Type II certified, HIPAA-eligible services
  • Payment processor (Stripe) — PCI DSS Level 1 certified
  • Insurance clearinghouses — For electronic claims submission
  • Any subcontractor that handles PHI on our behalf

Each BAA specifies the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, and obligates them to report any security incidents or breaches. We regularly review and update our BAAs to ensure continued compliance.

If you are a business or organization seeking to establish a BAA with BehavioTech, please contact our Privacy Officer at [email protected].

8. Breach Notification

Breach Notification Policy

In the event of a breach of unsecured PHI, BehavioTech will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and California Civil Code § 1798.82.

In the unlikely event that a breach of your unsecured PHI occurs, we will:

  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, via first-class mail or email (if you have consented to electronic notice).
  • Notify the U.S. Department of Health and Human Services (HHS) as required — immediately for breaches affecting 500 or more individuals, or annually for smaller breaches.
  • Notify prominent media outlets if the breach affects 500 or more residents of a state or jurisdiction.
  • Provide details including: a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for questions.

9. Information Sharing & Disclosure

We do not sell, rent, or trade your personal information or PHI. We may share information only in the following circumstances:

  • For treatment, payment, and operations as described in Section 5.
  • With insurance companies: To verify benefits, obtain authorizations, and process claims.
  • With business associates: Third-party vendors bound by BAAs (see Section 7).
  • As required by law: When required by federal, state, or local law, regulation, or court order.
  • For public health activities: As permitted by HIPAA for disease prevention and reporting.
  • To avert serious threat: To prevent or lessen a serious and imminent threat to health or safety.
  • For abuse/neglect reporting: As required by California mandatory reporting laws.
  • With your written authorization: For any purpose not listed above.

10. Your Rights Under HIPAA

As a patient (or parent/guardian of a minor patient), you have the following rights regarding your PHI:

  • Right to access: You may request copies of your PHI. We will provide them within 30 days of your request.
  • Right to amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
  • Right to an accounting of disclosures: You may request a list of certain disclosures of your PHI that we have made.
  • Right to request restrictions: You may ask us to limit how we use or disclose your PHI for treatment, payment, or operations.
  • Right to request confidential communications: You may ask us to communicate with you in a specific way or at a specific location.
  • Right to a paper copy: You may request a paper copy of our Notice of Privacy Practices at any time.
  • Right to revoke authorization: If you have given us written authorization to use or disclose your PHI, you may revoke that authorization at any time in writing.
  • Right to file a complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

To exercise any of these rights, contact our Privacy Officer at [email protected] or call +1 (657) 678-9020.

11. Notice of Privacy Practices

Our full Notice of Privacy Practices (NPP) provides detailed information about how we may use and disclose your PHI, your rights, and our legal duties. The NPP is provided to all new clients at the time of intake and is available at any time on our website or by request.

Under HIPAA, we are required to provide you with our NPP no later than the date of first service delivery. We will also make a good-faith effort to obtain your written acknowledgment of receipt.

12. Children's Privacy

Our services primarily involve working with children. We collect information about minors only with the consent of their parent or legal guardian. Parents and guardians have full rights to access, review, update, or request deletion of their child's information.

We do not knowingly collect personal information from children under 13 without parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected information from a child without proper consent, please contact us immediately.

13. Cookies & Tracking

Our website uses only essential cookies, which maintain session state and provide core functionality (e.g., keeping you logged in to the parent or staff portal). We do not use:

  • Third-party advertising or tracking cookies.
  • Social media tracking pixels.
  • Cross-site tracking technologies.

You can control cookie settings through your browser preferences. Disabling essential cookies may affect the functionality of our portals.

14. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA). Note that medical information governed by HIPAA and CMIA is exempt from certain CCPA provisions. However, you may still:

  • Request to know what personal information we collect and how it is used.
  • Request deletion of your personal information (subject to legal retention requirements).
  • Opt out of the sale of personal information (we do not sell personal information).
  • Exercise these rights without discrimination.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on this page with a revised "Last updated" date. For significant changes affecting how we handle PHI, we will provide direct notice to affected individuals as required by HIPAA.

16. Contact & Privacy Officer

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your HIPAA rights, please contact:

BehavioTech Privacy Officer

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:

HHS Office for Civil Rights