How does Upheal protect my personal information?
Written by Aviva Glassman
Updated over 7 months ago

Upheal puts security and privacy first. We know that confidentiality and trust are not just crucial, but foundational to our work in the mental health field, and you can be certain that we prioritize your safety and well-being.

How does Upheal protect my data?

We are committed to protecting the data on our platform and have implemented several measures to ensure its security:

HIPAA compliance

We comply with the strict standards set by the Health Insurance Portability and Accountability Act (HIPAA) to ensure the confidentiality, integrity, and recoverability of protected health information (PHI).

GDPR compliance

We follow the data regulations established by the GDPR, UK GDPR and UK DPA to provide important security measures for the protection of personal data of individuals within the EU and UK. Combining US and EU standards, we also meet and exceed US state and federal laws for security and privacy of data.

Record-level encryption of client data

Encryption is like scrambling data into a secret code that can only be read by someone with the authorization to access it. This ensures that your information is safe both when it's being transmitted, like during an online session, and when it's saved, such as in your therapist's notes.

in case of a security breach

SOC 2 compliance

We’re very close to obtaining SOC 2, a globally recognized standard for organizational and technical security controls. SOC 2 compliance ensures that our security controls, policies, and procedures are designed to protect customer data against unauthorized access, disclosure, alteration, and destruction. In addition, we use AWS for our cloud infrastructure and storage, a highly secure and reliable vendor.

Security incident readiness

In the event of a security incident, we have a security incident policy and protocol to follow to ensure fast resolution and mitigation of harm to personal data.

Can anyone besides my therapist access my information?

The short answer:

No one besides your therapist can access your information. The only exception is if your therapist explicitly requests technical assistance that requires Upheal personnel to access their account, but this process is tightly regulated and safeguarded. Upheal will never access your personal information without your therapist’s explicit consent.

The long answer:

We uphold rigorous security measures and infrastructure barriers to guard your protected health information (PHI). An Upheal employee would only access PHI if the therapist provides explicit consent for such access for the purpose of technical help. Upheal stops access to PHI as soon as the technical issue is solved. Any Upheal personnel accessing PHI are specifically trained not to share or use protected health information in any way. Most technical issues are solved without any access to PHI.

All access to personal data is logged and monitored, and access rights are reviewed regularly to ensure that they are appropriate and up-to-date.

How long does Upheal keep my information?

Your therapist is in full control of how long information is stored in Upheal. Upheal does not create any copies of client information and does not store any client information once a therapist deletes it.

If a therapist deletes their Upheal account, all of their client data is permanently deleted.

Does Upheal keep session recordings?

Upheal captures the audio from your sessions so that notes can be generated, but this recording is automatically deleted after the session unless your therapist specifies that they would like to keep it and has your permission to do so. Upheal does not create any copies of recordings, and once a recording is deleted, it is removed permanently.

What happens if client data stored in Upheal is subpoenaed?

Even if a client’s data is subpoenaed, Upheal cannot directly share protected health information (PHI) with anyone. It is up to the mental health care provider to produce PHI in the case of a subpoena.
