Security & HIPAA

Built for the data therapy practices actually handle.

Harbor was engineered from day one for the realities of Protected Health Information. Every layer — infrastructure, application, operations — is designed to satisfy the HIPAA Security Rule and the expectations of clinicians, patients, and reviewers.

HIPAA-aligned AWS stack

Harbor runs on AWS using only services covered by our AWS Business Associate Addendum (RDS, S3, ECS, KMS, Cognito, SES, Textract, Transcribe, Bedrock, Chime SDK). No PHI ever flows through services we don’t have a BAA for.

Encryption everywhere

All PHI is encrypted at rest with AWS KMS-managed keys (AES-256) and in transit with TLS 1.2+. Database backups are encrypted with the same keys. RDS lives in a private subnet with no public IP.

Strong authentication

Cognito-managed identity with MFA available for every clinician account. Sessions time out automatically, every PHI access is audit-logged, and role-based scoping is enforced at the data layer.

Mapped to the HIPAA Security Rule.

Every required and addressable safeguard under 45 CFR §164.308–§164.312, with the specific control we use to satisfy it.

§164.308(a)(1) — Risk analysis

Annual HIPAA risk assessment, documented in our compliance binder, refreshed on every major architecture change.

§164.308(a)(3) — Workforce security

Cognito identity, role-based access, principle of least privilege. Background checks for staff with PHI access.

§164.308(a)(5) — Security awareness training

Annual HIPAA training for all team members with PHI access, completion tracked.

§164.308(a)(7) — Contingency planning

Encrypted automated daily RDS backups, 30-day retention, documented disaster-recovery runbook with periodic restoration tests.

§164.310 — Physical safeguards

No on-prem PHI. AWS data centers handle all physical controls under our BAA.

§164.312(a) — Access control

Unique account per user, automatic session timeout, MFA available on every account, audit logging on all PHI reads/writes.

§164.312(b) — Audit controls

An append-only audit log table records every PHI access with the actor, timestamp, and request ID. Exportable for review.

§164.312(c) — Integrity

KMS-managed encryption with integrity protection, append-only audit logs, immutable session note signing.

§164.312(e) — Transmission security

TLS 1.2+ everywhere, HSTS preload, strict CSP, no PHI in URLs, and signature verification on every inbound webhook from an external integration.

§164.314 — Business Associate Agreement

Signed BAA with every customer practice. Upstream BAAs executed with AWS, Paubox, and Stedi. Voice-stack BAAs (SignalWire, Retell) are in active negotiation; until they’re executed we keep PHI off any path those vendors carry. Current status is on the /hipaa page.

We sign a BAA on day one.

Every Harbor customer signs a Business Associate Agreement before their first patient call. The BAA spells out our obligations as a business associate under HIPAA — how we handle PHI, what we’ll do in the unlikely event of a breach, and your rights to audit and terminate.

Upstream BAAs are executed with AWS, Paubox, and Stedi today. The voice-transport (SignalWire) and voice-runtime (Retell) BAAs are in active negotiation; until they land, we keep PHI off any path those vendors carry. The full, current BAA-status table is published on the HIPAA page.

Want a copy of our standard BAA template? Contact us and we’ll send it over before your demo.

Patient safety, engineered.

Harbor includes a real-time, 3-tier crisis detection system on every call and every inbound message. Tier 1 catches unambiguous warning phrases and immediately escalates with a 988 referral and an SMS to the on-call therapist. Tier 2 routes ambiguous language through a Claude Sonnet model for contextual analysis. Tier 3 monitors behavioral signals like sequential cancellations.

The system fails safe: if any model call fails, we default to escalation. Patient safety is not best-effort.
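As an added illustration of the fail-safe ordering described above (not Harbor's own code): tier 1 is a phrase match that never depends on a model, tier 2 calls a contextual classifier through an injected `classify` callable standing in for the Claude Sonnet call, and any exception from that call escalates instead of silently passing; tier 3 checks a behavioural counter independent of message content. The phrase list, the `Triage` result type and the cancellation threshold are constructed assumptions for the example.

```python
"""Fail-safe, three-tier crisis triage (illustrative example, not Harbor's code)."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample phrases; a real deployment maintains and reviews its own list.
TIER1_PHRASES = ("want to end my life", "going to kill myself")


@dataclass
class Triage:
    escalate: bool   # True means page the on-call therapist / 988 referral path
    tier: int        # which tier produced the decision (0 = no signal)
    reason: str      # human-readable justification for the audit log


def triage_message(text: str,
                   classify: Callable[[str], bool],
                   recent_cancellations: int = 0,
                   cancellation_threshold: int = 3) -> Triage:
    """Return an escalation decision; failures in the model path escalate."""
    lowered = text.lower()

    # Tier 1: unambiguous phrases escalate immediately, with no model in the loop.
    for phrase in TIER1_PHRASES:
        if phrase in lowered:
            return Triage(True, 1, f"tier-1 phrase matched: {phrase!r}")

    # Tier 2: contextual model classification. The fail-safe rule lives here:
    # a timeout, HTTP error or malformed response must never turn into "no risk".
    try:
        if classify(text):
            return Triage(True, 2, "model flagged contextual risk")
    except Exception as exc:  # broad on purpose: any failure means escalate
        return Triage(True, 2, f"model call failed ({type(exc).__name__}); failing safe")

    # Tier 3: behavioural signal evaluated even when the message itself is benign.
    if recent_cancellations >= cancellation_threshold:
        return Triage(True, 3, f"{recent_cancellations} sequential cancellations")

    return Triage(False, 0, "no signal")


if __name__ == "__main__":
    def flaky_model(_: str) -> bool:
        raise TimeoutError("classifier unavailable")

    print(triage_message("can we move my session?", flaky_model))
```

Because every return carries a tier and a reason, the decision can be written to the append-only audit log alongside the actor and request ID.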

Want our security one-pager?

For your IT review or your therapy board. Just ask.

Contact Us