Compliance
HIPAA at Harbor
Last updated May 22, 2026
Harbor handles Protected Health Information (PHI) on behalf of therapy practices. Under the HIPAA Rules, the practice is the Covered Entity and Harbor Office, Inc. is its Business Associate. A signed Business Associate Agreement (BAA) is required before any PHI is submitted to the Service.
This page summarizes the safeguards we maintain so that careful clinicians and their IT reviewers can decide whether Harbor meets their standards. For the authoritative technical detail, see our Security page, which maps controls to specific sections of 45 CFR Part 164 Subpart C.
1. BAA status
Below is the current Business Associate Agreement status for each subprocessor that may receive PHI. We update this list in advance of changes; if any status changes materially, active Customers are notified by email.
| Vendor | Purpose | BAA |
|---|---|---|
| Amazon Web Services | RDS, KMS, Cognito, S3, Chime SDK, Bedrock | Executed |
| Paubox | HIPAA-aligned transactional email | Executed |
| Stedi | 270/271 eligibility, 837/835 claim transactions | Executed |
| SignalWire | Voice and SMS transport | In progress — not yet executed |
| Retell AI | Real-time voice agent runtime | In progress — not yet executed |
| Anthropic | LLM inference (zero-retention API tier) | Zero-retention contract; no PHI used for training |
| Stripe | Subscription billing only | Not applicable — no PHI shared |
Practices whose risk tolerance requires every voice-stack subprocessor BAA to be executed before go-live should ask us for an updated timeline before signing.
2. Technical safeguards (§164.312)
- Encryption at rest. All PHI is stored in AWS RDS and encrypted with customer-managed keys held in AWS KMS (AES-256). Backups inherit the same encryption.
- Encryption in transit. TLS 1.2 or higher is enforced on every client-facing endpoint. HSTS is enabled with a one-year max-age and includeSubDomains.
- Access controls. Application authentication runs on AWS Cognito with MFA required for every user. PHI access is scoped at the application layer and audit-logged.
- Audit logs. Every PHI-relevant action (read, write, delete, export) is recorded with actor, timestamp, IP, and target identifier. Logs are retained for six years.
- Workstation isolation. Production access requires SSO with phishing-resistant MFA and is limited to a small, named workforce.
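An IT reviewer verifying the transport controls above can reduce them to a repeatable check. The script below is an added example, not Harbor's own tooling: it parses a Strict-Transport-Security header, compares it against the stated policy (one-year max-age, includeSubDomains), and flags any offered TLS version below 1.2. The header strings and version lists are constructed inputs standing in for what a scanner or `curl -I` would return.

```python
from typing import List, Optional, Tuple

# Policy stated on this page: TLS 1.2 or higher, HSTS with a one-year max-age
# and includeSubDomains. Thresholds below encode that policy.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000
MIN_TLS_VERSION = (1, 2)


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security header into a directive map.
    Directive names are case-insensitive per RFC 6797; values keep their case."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_findings(header: Optional[str]) -> List[str]:
    """Return policy deviations for one HSTS header (empty list means compliant)."""
    if header is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(header)
    findings = []
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or not an integer")
    elif int(d["max-age"]) < ONE_YEAR_SECONDS:
        findings.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR_SECONDS})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive absent")
    return findings


def tls_findings(offered_versions: List[Tuple[int, int]]) -> List[str]:
    """Flag every offered protocol version below the TLS 1.2 floor."""
    weak = sorted(v for v in offered_versions if v < MIN_TLS_VERSION)
    return [f"TLS {major}.{minor} is still offered" for major, minor in weak]


def check_endpoint(hsts_header: Optional[str], offered_versions: List[Tuple[int, int]]) -> List[str]:
    return hsts_findings(hsts_header) + tls_findings(offered_versions)


# Constructed samples: one endpoint that meets the policy, one that has drifted.
COMPLIANT = check_endpoint("max-age=31536000; includeSubDomains", [(1, 2), (1, 3)])
DRIFTED = check_endpoint("max-age=86400", [(1, 0), (1, 2)])

if __name__ == "__main__":
    print("compliant endpoint findings:", COMPLIANT)
    print("drifted endpoint findings:", DRIFTED)
```

Running this on a real endpoint means feeding it the header from the HTTPS response and the version list from a TLS scanner; an empty findings list is the expected result for every client-facing host.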
3. Administrative safeguards (§164.308)
- Documented Security Risk Analysis reviewed annually and after material changes.
- Workforce HIPAA training at onboarding and annually thereafter.
- Sanction policy for workforce HIPAA violations.
- Designated Security Officer and Privacy Officer (currently the founder; will be split as the team grows).
- Incident response plan with defined roles, communication paths, and tabletop exercises.
4. Physical safeguards (§164.310)
Harbor runs entirely on AWS. We do not operate physical infrastructure that touches PHI. Physical safeguards are inherited from AWS’s SOC 2, ISO 27001, and HIPAA-eligible service controls and are covered by the AWS BAA.
5. Breach notification
Harbor notifies affected Customers of a suspected or confirmed Breach of Unsecured PHI without unreasonable delay and within the timeframe specified in the executed BAA. Notifications include the elements required by 45 CFR §164.410(c).
6. What we don’t do
- We do not use PHI to train general-purpose AI models.
- We do not load session-replay, heatmap, or behavioral-analytics tooling on the authenticated application.
- We do not sell PHI or share it with advertising networks.
- We do not offer the Service in compliance-excluded jurisdictions where we have not yet completed state-specific review.
7. Requesting our BAA
We send our standard BAA template ahead of every demo so it can be reviewed in parallel. Reach out to chance@harboroffice.ai with subject line “BAA request” and we will reply same business day.
See also: Privacy Policy · Terms of Service · Security