HIPAA Compliance

Last Updated: April 28, 2026

Our Commitment to HIPAA Compliance

VoiceUp Athletics is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations.

As a platform facilitating mental health support services, we understand the critical importance of maintaining the confidentiality, integrity, and availability of sensitive health information. This page outlines our HIPAA compliance framework and practices.

Privacy Rule

We comply with HIPAA Privacy Rule standards for the protection of PHI, ensuring proper use and disclosure practices.

Security Rule

We implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI).

Breach Notification

We maintain procedures for detecting, responding to, and reporting breaches of unsecured PHI.

BAA Agreements

All service providers handling PHI sign Business Associate Agreements ensuring compliance.

1. HIPAA Privacy Rule Compliance

1.1 Minimum Necessary Standard

We limit access to PHI to the minimum necessary to accomplish the intended purpose:

  • Counselors: Access only to conversations assigned to them and anonymous athlete identifiers
  • University Administrators: Access to aggregate statistics only, no conversation content
  • Platform Administrators: Access limited to encrypted data for technical maintenance
  • Athletes: Access only to their own conversations and profile

1.2 Use and Disclosure Limitations

We use and disclose PHI only for:

  • Treatment: Facilitating mental health counseling and support
  • Payment: Processing university subscription payments (aggregate level only)
  • Healthcare Operations: Quality improvement and platform operations
  • Required by Law: Responding to legal requirements and court orders
  • Public Health: Reporting required by public health authorities
  • Preventing Harm: Disclosures necessary to prevent serious threats to health or safety

1.3 Individual Rights

We support your HIPAA rights:

  • Right to Access: Request copies of your PHI within 30 days
  • Right to Amend: Request corrections to inaccurate PHI
  • Right to Accounting: Receive a list of certain disclosures we've made
  • Right to Request Restrictions: Ask us to limit uses or disclosures of your PHI
  • Right to Confidential Communications: Request alternative means of communication
  • Right to Notice: Receive a copy of our Notice of Privacy Practices

2. HIPAA Security Rule Compliance

2.1 Administrative Safeguards

  • Security Management: Risk analysis, risk management, and sanction policies for violations
  • Workforce Training: Annual HIPAA training for all employees and contractors
  • Access Controls: Role-based access with regular access reviews and termination procedures
  • Security Officer: Designated Security Officer responsible for compliance oversight
  • Incident Response: Documented procedures for security incident detection and response
  • Contingency Planning: Data backup, disaster recovery, and emergency mode operations

2.2 Physical Safeguards

  • Facility Access: Data centers with 24/7 security, surveillance, and biometric access controls
  • Workstation Security: Encrypted devices, screen locks, and clean desk policies
  • Device Controls: Hardware inventory management and secure disposal procedures
  • Physical Data Storage: Encrypted backups stored in secure, geographically distributed locations

2.3 Technical Safeguards

  • Access Controls: Unique user IDs, automatic logoff after inactivity, and encryption/decryption mechanisms
  • Audit Controls: Logging and monitoring of all PHI access and system activity
  • Integrity Controls: Mechanisms to ensure ePHI is not improperly altered or destroyed
  • Transmission Security: TLS 1.3 encryption for all data in transit
  • Authentication: Multi-factor authentication for administrative access
  • Encryption: AES-256 encryption for all data at rest

For more technical details, see our Security page.

3. Breach Notification Procedures

3.1 Breach Definition

A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. We maintain procedures to detect and respond to breaches promptly.

3.2 Notification Timeline

In the event of a breach:

  • Individual Notification: Within 60 days of breach discovery via email or mail
  • Media Notification: For breaches affecting 500+ individuals in a state or jurisdiction
  • HHS Notification: Within 60 days for breaches affecting fewer than 500 individuals; immediately for breaches affecting 500+ individuals
  • Business Associate Notification: Immediately upon discovery if the breach originated with a Business Associate

3.3 Breach Content

Breach notifications include:

  • Description of the breach and when it occurred
  • Types of information involved
  • Steps individuals should take to protect themselves
  • What we are doing to investigate and mitigate harm
  • Contact information for further questions

4. Business Associate Agreements

All third-party service providers who have access to PHI sign Business Associate Agreements (BAAs) that require them to:

  • Implement appropriate safeguards to protect PHI
  • Report breaches and security incidents
  • Ensure subcontractors comply with HIPAA
  • Return or destroy PHI upon contract termination
  • Allow audits of their compliance practices

4.1 Current Business Associates

Our Business Associates include:

  • Cloud Infrastructure: HIPAA-compliant hosting providers (AWS/Google Cloud with BAA)
  • Email Services: Transactional email providers with BAA
  • Analytics: De-identified, aggregate analytics services only
  • Security Services: Penetration testing and security audit providers with BAA

5. FERPA Integration

In addition to HIPAA, we comply with the Family Educational Rights and Privacy Act (FERPA) requirements for educational institutions:

  • Education Records Protection: We treat mental health counseling notes as protected education records
  • No Disclosure Without Consent: Except as permitted by FERPA exceptions
  • University Access Limitations: Universities cannot access counseling content without student consent
  • Directory Information Exclusion: Mental health service usage is never considered directory information

6. Continuous Compliance Program

6.1 Regular Audits

  • Annual third-party HIPAA compliance audits
  • Quarterly internal security assessments
  • Continuous vulnerability scanning
  • Penetration testing every six months

6.2 Staff Training

  • Annual HIPAA training for all workforce members
  • Role-specific security training
  • Incident response drills
  • Privacy awareness campaigns

6.3 Policy Updates

  • Regular review and update of policies and procedures
  • Monitoring of regulatory changes
  • Documentation of all policy revisions

7. How to Exercise Your Rights

To exercise your HIPAA rights or for questions about our compliance practices:

HIPAA Privacy Officer

Email: hipaa@voiceupathletics.com

Phone: (555) 123-4567 ext. 2

Address: 123 University Ave, Suite 200, College Town, ST 12345

Office for Civil Rights (OCR) - For Complaints:
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy

8. Certifications and Attestations

  • HIPAA Compliance: Verified through third-party audit
  • SOC 2 Type II: Annual certification (in progress)
  • HITRUST: Pursuing certification