HIPAA Compliance

Last updated: April 1, 2026

Cortexa Holdings, Inc. ("Cortexa") is committed to protecting the privacy and security of Protected Health Information ("PHI") in compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and their implementing regulations. This page describes how we safeguard PHI when you use the Cortexa analytics platform.

As a provider of analytics services to therapy practices, Cortexa operates as a Business Associate under HIPAA. We take this responsibility seriously and have implemented comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.

Business Associate Agreement (BAA)

Cortexa will execute a Business Associate Agreement with every customer who is a Covered Entity or Business Associate under HIPAA before any PHI is transmitted through the Service. Our BAA outlines:

  • The permitted uses and disclosures of PHI by Cortexa
  • Our obligations to safeguard PHI using appropriate administrative, physical, and technical measures
  • Our duty to report any security incidents or breaches involving PHI
  • Your rights to request restrictions on our use of PHI
  • Our obligation to return or destroy PHI upon termination of the agreement
  • Subcontractor compliance requirements for any downstream service providers

To request a BAA, contact us at [email protected]. We require an executed BAA before onboarding any practice that will transmit PHI.

PHI Handling Practices

Minimum Necessary Standard

Cortexa adheres to the HIPAA minimum necessary standard. We only access, use, and disclose the minimum amount of PHI required to provide our analytics services. Our EHR integrations are configured to retrieve only the data fields necessary for practice analytics — we do not access clinical notes, diagnosis codes, treatment plans, or other detailed clinical records.

Data Categories

The types of information Cortexa may process in connection with your practice include:

  • Appointment Data: Session dates, times, statuses (completed, cancelled, no-show), and appointment types
  • Clinician Information: Clinician names, caseloads, and scheduling data
  • Financial Data: Session fees, payment statuses, and revenue totals
  • Client Identifiers: Limited client identifiers necessary for de-duplication and tracking (e.g., client ID, first name), but not full clinical records

De-identification

Where possible, Cortexa de-identifies data at the point of ingestion. Aggregated analytics and Cortexa IQ scores are generated from de-identified datasets. We follow the HIPAA Safe Harbor method of de-identification, removing the 18 categories of identifiers specified under 45 CFR 164.514(b)(2).

Encryption

  • In Transit: All data transmitted between your systems and Cortexa is encrypted using TLS 1.3. API connections to EHR providers use OAuth 2.0 with encrypted tokens
  • At Rest: All stored data is encrypted using AES-256 encryption. Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation
  • Backups: Database backups are encrypted with the same AES-256 standard and stored in geographically separate AWS regions for disaster recovery

Access Controls

Role-Based Access Control (RBAC)

Access to PHI within the Cortexa platform is governed by role-based access controls. Only authorized personnel within your practice can access your data, and only the data appropriate to their role. Practice owners can manage user permissions through the platform.

Internal Access

Cortexa employees access PHI only when necessary to provide support, troubleshoot issues, or fulfill our obligations under the BAA. All internal access is:

  • Restricted to authorized personnel who have completed HIPAA training
  • Authenticated using multi-factor authentication (MFA)
  • Logged and auditable
  • Subject to the principle of least privilege
  • Reviewed quarterly and revoked immediately upon role change or termination

Audit Logging

Cortexa maintains comprehensive audit logs for all activities involving PHI. Our audit logging system records:

  • User authentication events (logins, logouts, failed attempts)
  • Data access events (who accessed what data and when)
  • Data modification events (creates, updates, deletes)
  • Administrative actions (permission changes, configuration updates)
  • System events (API calls, data syncs, export requests)

Audit logs are retained for a minimum of six (6) years in compliance with HIPAA requirements. Logs are stored in a tamper-evident, append-only format and are available for review upon request.

Incident Response

Cortexa maintains a formal incident response plan for security events and potential PHI breaches. Our process includes:

  1. Detection: Continuous monitoring with automated alerting for suspicious activity, unauthorized access attempts, and anomalous data patterns
  2. Containment: Immediate isolation of affected systems and revocation of compromised credentials
  3. Investigation: Forensic analysis to determine the scope, cause, and impact of the incident
  4. Notification: If a breach of unsecured PHI is confirmed, Cortexa will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule (45 CFR 164.404-410)
  5. Remediation: Implementation of corrective measures to prevent recurrence
  6. Documentation: Complete documentation of the incident, response actions, and outcomes

Employee Training

All Cortexa employees who may access PHI undergo mandatory HIPAA training upon hire and annually thereafter. Training covers:

  • HIPAA Privacy and Security Rules
  • Proper handling and safeguarding of PHI
  • Recognizing and reporting security incidents
  • Social engineering and phishing awareness
  • Cortexa's internal policies and procedures

Subcontractor Compliance

Any subcontractor or third-party service provider that may access PHI on behalf of Cortexa is required to execute a Business Associate Agreement and demonstrate compliance with applicable HIPAA requirements. Our primary infrastructure and subprocessor partners include:

  • Amazon Web Services (AWS): Cloud infrastructure provider, HIPAA-eligible services with executed BAA
  • Stripe: Payment processing (does not access PHI)

Physical Safeguards

Cortexa's infrastructure is hosted on Amazon Web Services, which provides physical security controls including biometric access controls, 24/7 security monitoring, environmental controls, and SOC 2 Type II certified data centers. Cortexa does not store PHI on local devices, removable media, or in physical form.

Your Responsibilities

As a Covered Entity using Cortexa, you are responsible for:

  • Executing a BAA with Cortexa before transmitting any PHI
  • Ensuring that your use of the Service complies with your own HIPAA obligations
  • Managing user access permissions within your practice
  • Notifying Cortexa of any changes that may affect PHI handling
  • Maintaining appropriate safeguards within your own practice and systems

Contact Us

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern, please contact us:

Cortexa Holdings, Inc.
HIPAA Compliance Officer
Email: [email protected]
Website: www.usecortexa.com