How FrameShare Ensures HIPAA Compliance
FrameShare implements comprehensive security measures that meet and exceed HIPAA Security Rule requirements. Here's how we protect your clients' Protected Health Information (PHI):
Your Sessions Are Completely Private
No Sharing Without Consent
Drawings, chat messages, and session notes are NEVER shared or visible to anyone except the therapist and their authorized patients. Each session is completely isolated.
Self-Hosted Video
Unlike other platforms that use third-party services (Zoom, Google Meet, etc.), we host all video sessions on our own secure servers. Your therapy sessions never leave our HIPAA-compliant infrastructure.
Zero Platform Visibility
Even FrameShare's administrators cannot view your encrypted session content, messages, or patient data. Only you and your authorized patients have access.
Administrative Safeguards
Comprehensive Audit Logging (§164.312(b))
Every access to PHI is tracked: WHO accessed WHAT, WHEN, and from WHERE. Audit logs are immutable and include all creates, reads, updates, and deletes.
Automatic Session Timeout
Sessions automatically expire after 30 minutes of inactivity, preventing unauthorized access from unattended devices.
Account Security & Lockout
Accounts are locked for 10 minutes after 5 failed login attempts, protecting against brute force attacks. IP-based tracking identifies suspicious access patterns.
Technical Safeguards
Field-Level Encryption (§164.312(a)(2)(iv))
All sensitive data is encrypted using AES-128 encryption (Fernet). This includes patient profiles, session notes, messages, and drawing data, both in transit and at rest.
Data Integrity Controls (§164.312(c)(1))
SHA-256 checksums verify data hasn't been tampered with. Any unauthorized modifications are immediately detectable.
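The two controls just described, immutable audit logging (Comprehensive Audit Logging above) and SHA-256 integrity checksums, can be illustrated in plain Python. The block below is an added example and is not FrameShare's code; it does not use django-auditlog, and the integrity key, the record and the log entries are constructed sample data. It shows an append-only audit log where each entry is chained to the SHA-256 hash of the previous entry, so editing or removing an earlier entry is detectable, and a keyed SHA-256 checksum per record, so that anyone who can edit a row directly cannot just recompute the checksum.

```python
"""Added example (not FrameShare's code): a tamper-evident audit trail and
record checksums in plain Python, modelling two controls described above.

* The audit log records WHO did WHAT to WHICH record, WHEN and from WHERE, and
  chains each entry to the SHA-256 hash of the previous one, so editing or
  removing an earlier entry breaks every hash after it.
* Each PHI record gets a SHA-256 checksum at save time; it is keyed (HMAC) so
  that someone who can edit the row directly cannot simply recompute it.

The integrity key, the record and the log entries are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical server-side key; in production it lives outside the database.
INTEGRITY_KEY = b"example-only-integrity-key"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_checksum(record: dict) -> str:
    """Keyed SHA-256 checksum stored beside the record when it is written."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, stored_checksum: str) -> bool:
    """True if the record still matches the checksum written at save time."""
    return hmac.compare_digest(record_checksum(record), stored_checksum)


class AuditLog:
    """Append-only log: each entry commits to the hash of the entry before it."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    def append(self, actor, action, target, source_ip, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"actor": actor, "action": action, "target": target,
                 "source_ip": source_ip, "when": when, "prev_hash": prev_hash}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry; store it elsewhere to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, or None if the chain is intact.
        A log that no longer ends at expected_head is reported as len(entries)."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["prev_hash"] != prev_hash
                    or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]):
                return i
            prev_hash = entry["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return len(self.entries)
        return None


def demo():
    """Constructed scenario: create and read a note, then alter both the note
    and the log outside the application; both changes are detected."""
    note = {"id": 42, "therapist": "t-1", "patient": "p-7", "text": "Session 3 notes"}
    saved = record_checksum(note)
    log = AuditLog()
    log.append("t-1", "create", "SessionNote:42", "203.0.113.5")
    log.append("t-1", "read", "SessionNote:42", "203.0.113.5")
    head = log.head()
    assert verify_record(note, saved) and log.verify(head) is None
    tampered_note = dict(note, text="Session 3 notes, edited in the DB")
    log.entries[0]["actor"] = "p-7"  # an earlier entry is rewritten
    return verify_record(tampered_note, saved), log.verify(head)
```

The hash chain only proves that entries were not changed or removed from the middle; silently dropping the newest entries passes `verify()` unless the latest hash is compared against a copy kept outside the log, which is what the `expected_head` argument is for. In a Django deployment the equivalent assurance comes from writing audit rows through a path the application cannot update or delete and from database permissions, not from application code alone.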
Complete Data Recovery (§164.308(a)(7))
Full history tracking allows recovery of any accidentally deleted or modified data. Every change is versioned with timestamps and user attribution.
Secure Infrastructure
All data transmission uses HTTPS/TLS encryption. AWS infrastructure provides additional security layers with VPC isolation and security groups.
Data Protection Features
Soft Delete Protection
Deleting PHI never removes it permanently right away. Deleted records are retained and can be restored if needed, preventing accidental data loss.
Role-Based Access Control
Therapists can only access their own clients' data. Staff have restricted access based on their role. All access is logged and auditable.
Privacy-First Design
Therapist locations are shown only at the state level. Anonymous visitor tracking respects privacy. Patient data is segregated and encrypted.
Complete Data Isolation
No artwork, chat messages, or session notes are ever shared without explicit consent. Only the therapist who created the session and their authorized patients can access session data.
Self-Hosted Video Infrastructure
All video sessions are self-hosted on our secure servers. No third-party video services have access to your therapy sessions, ensuring complete privacy and HIPAA compliance.
Therapist-Controlled Data
All patient data, health records, and session content are encrypted and saved exclusively with the therapist's account. No other users, including platform administrators, can view this protected information.
HIPAA-Compliant Technology Stack
django-auditlog
Provides comprehensive, immutable audit trails for all PHI access and modifications.
django-simple-history
Maintains complete version history of all records, enabling data recovery and change tracking.
django-fernet-fields
Implements transparent field-level encryption using industry-standard AES-128 encryption.
django-axes
Monitors and blocks suspicious login attempts, preventing unauthorized access.
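The settings fragment below is an added example, not FrameShare's own configuration, showing how the four libraries listed here are wired into a Django settings module so that the figures quoted earlier on this page (5 failed attempts locking the account for 10 minutes, 30 minutes of inactivity before session expiry, Fernet field encryption, TLS in transit) are actually enforced. The app labels and setting names are the libraries' documented ones; the environment variable name is an assumption.

```python
# Added example, not FrameShare's own settings: wiring django-axes,
# django-auditlog, django-simple-history and django-fernet-fields in a Django
# settings module. The FRAMESHARE_FERNET_KEYS environment variable name is an
# assumption; the library setting names are the documented ones.
import os
from datetime import timedelta

INSTALLED_APPS = [
    # ... Django's own apps and the project's apps ...
    "axes",            # django-axes: login throttling and lockout
    "auditlog",        # django-auditlog: audit trail of PHI access and changes
    "simple_history",  # django-simple-history: per-record version history
]

MIDDLEWARE = [
    # ... Django's security, session and auth middleware ...
    "simple_history.middleware.HistoryRequestMiddleware",  # attributes each version to request.user
    "auditlog.middleware.AuditlogMiddleware",              # attributes each log entry to the actor
    "axes.middleware.AxesMiddleware",                      # serves the lockout response
]

AUTHENTICATION_BACKENDS = [
    # Must come first so every failed attempt is counted
    # (named AxesBackend in older django-axes releases).
    "axes.backends.AxesStandaloneBackend",
    "django.contrib.auth.backends.ModelBackend",
]

# Account lockout: 5 failed attempts lock the account for 10 minutes.
AXES_FAILURE_LIMIT = 5
AXES_COOLOFF_TIME = timedelta(minutes=10)
AXES_RESET_ON_SUCCESS = True  # a successful login clears the failure counter

# Session timeout: 30 minutes of inactivity. SESSION_SAVE_EVERY_REQUEST makes
# the expiry slide with each request; without it the session ends 30 minutes
# after login regardless of activity.
SESSION_COOKIE_AGE = 30 * 60
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = "Lax"

# Transmission security: redirect to HTTPS and send HSTS.
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
CSRF_COOKIE_SECURE = True

# Keys for django-fernet-fields, comma-separated so a new key can be prepended
# for rotation: the first key encrypts, every key is tried when decrypting.
# If FERNET_KEYS is unset the library falls back to SECRET_KEY, which ties PHI
# confidentiality to a value shared with many other Django features; set it
# explicitly and keep it out of source control.
FERNET_KEYS = [k for k in os.environ.get("FRAMESHARE_FERNET_KEYS", "").split(",") if k]
```

On the model side the same libraries are enabled per record type: fields holding PHI are declared with the encrypted field classes from `fernet_fields`, a `HistoricalRecords()` attribute on the model gives it the version history used for recovery, and `auditlog.register(Model)` from `auditlog.registry` puts every create, read, update and delete of that model into the audit trail. When reviewing a vendor's claims, these settings and registrations are the concrete things to ask to see.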
HIPAA Compliance Summary
✓ Access Control (§164.312(a)(1))
✓ Audit Controls (§164.312(b))
✓ Integrity Controls (§164.312(c)(1))
✓ Transmission Security (§164.312(e))
✓ Data Recovery (§164.308(a)(7))
✓ Access Management (§164.308(a)(4))
Need more information about our HIPAA compliance?
Contact us at support@frameshare.org
We can provide our complete HIPAA compliance documentation, Business Associate Agreement (BAA), or schedule a security assessment review.