Our HIPAA posture
Last updated: April 14, 2026
Margin for Care is designed around HIPAA from day one because independent therapists can't afford to guess about compliance. This page describes what that means contractually for design partners today, and what changes at General Availability. For the technical controls that back these commitments, see the /security page.
BAA coverage
Design partners operate under a Business Associate Agreement as part of the Pilot Agreement. The BAA is signed before any PHI moves through Margin for Care.
A General Availability BAA is in progress and will be ready at GA launch. Until then, Margin for Care is only available to practices that have signed the Pilot Agreement and BAA.
Breach notification
Where we act as a Business Associate under an executed BAA, and if we discover a breach of unsecured protected health information, we notify the affected Covered Entity without unreasonable delay and no later than the deadline stated in the applicable BAA. HIPAA sets an outside limit of 60 calendar days after discovery; our BAA may require a shorter period, such as 72 hours. “Discovery” has the meaning given in HIPAA and the applicable BAA.
Our notice includes, to the extent the information is available at the time, the identities of affected individuals and whatever else the Covered Entity needs to meet its own HIPAA breach-notification obligations, and we provide additional information as it becomes available.
This page summarizes our standard practices and does not modify the parties' executed BAA.
Technical safeguards
Claims data and clinician-authored notes are handled under different application access rules inside Margin for Care. Insurance-operations data is available to authorized billing and practice-management roles for denials, remittances, and appeals. Clinical notes are restricted by clinical role and practice scoping. Notes that clinicians designate as psychotherapy notes in the product are stored under stricter application access controls: readable and editable only by the authoring clinician, with reads audit-logged, and excluded from standard export paths. Clinicians are responsible for making sure that what they place in this bucket actually qualifies as psychotherapy notes under HIPAA, whose definition excludes, for example, medication details, session start and stop times, and summaries of diagnosis, symptoms, prognosis, or treatment plan. Role-based access control, person/entity authentication, audit controls, and security-incident procedures apply to all PHI maintained by the product.
A full technical overview — data handling, encryption, access control, audit logging, and data portability — is on the /security page.
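The access rules above, written out as a small policy-as-code check so the boundaries are explicit. This is an added illustration for this page, not Margin for Care's code; every name in it (Role, RecordKind, Action, authorize, export_records, the sample users and records) is an assumption made for the example. It covers the decisions a reviewer would want to verify: cross-practice access is denied, claims are visible to billing roles only, psychotherapy notes are readable only by their author and never leave through the standard export path, and every decision is logged.

```python
# Illustrative authorization model for the access rules described on this page.
# Example written for this page; not Margin for Care's code. Every name here
# (Role, RecordKind, Action, authorize, export_records, sample data) is assumed.
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    BILLING = "billing"
    PRACTICE_MANAGER = "practice_manager"
    CLINICIAN = "clinician"

class RecordKind(Enum):
    CLAIM = "claim"                            # denials, remittances, appeals
    CLINICAL_NOTE = "clinical_note"            # ordinary clinician-authored note
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # clinician-designated stricter bucket

class Action(Enum):
    READ = "read"
    EDIT = "edit"
    EXPORT = "export"

INSURANCE_OPS_ROLES = frozenset({Role.BILLING, Role.PRACTICE_MANAGER})

@dataclass(frozen=True)
class User:
    user_id: str
    practice_id: str
    roles: frozenset

@dataclass(frozen=True)
class Record:
    record_id: str
    practice_id: str
    kind: RecordKind
    author_id: str = ""  # set for clinician-authored notes

@dataclass
class AuditLog:
    """Append-only decision log (a real one would be durable and tamper-evident)."""
    entries: list = field(default_factory=list)

    def append(self, user, rec, action, allowed):
        self.entries.append({"user": user.user_id, "record": rec.record_id,
                             "kind": rec.kind.value, "action": action.value,
                             "allowed": allowed})

def authorize(user: User, rec: Record, action: Action, audit: AuditLog) -> bool:
    """Decide whether user may perform action on rec, and log the decision.
    Practice scoping applies to everything; claims go to billing/practice-management
    roles; clinical notes to the clinician role; psychotherapy notes to their author
    only, and never via export. Logging every decision (denials included) is a
    superset of the page's commitment to audit-log psychotherapy-note reads.
    """
    if user.practice_id != rec.practice_id:
        allowed = False  # practice scoping: nothing crosses practices
    elif rec.kind is RecordKind.CLAIM:
        allowed = bool(user.roles & INSURANCE_OPS_ROLES)
    elif rec.kind is RecordKind.CLINICAL_NOTE:
        allowed = Role.CLINICIAN in user.roles
    elif rec.kind is RecordKind.PSYCHOTHERAPY_NOTE:
        allowed = (action is not Action.EXPORT
                   and Role.CLINICIAN in user.roles
                   and rec.author_id == user.user_id)
    else:
        allowed = False  # unknown kind: fail closed
    audit.append(user, rec, action, allowed)
    return allowed

def export_records(user: User, records: list, audit: AuditLog) -> list:
    """Standard export path; psychotherapy notes never pass, even for their author."""
    return [r for r in records if authorize(user, r, Action.EXPORT, audit)]

# Constructed sample data (not real PHI).
BILLER = User("u-billing", "practice-a", frozenset({Role.BILLING}))
DR_LEE = User("u-lee", "practice-a", frozenset({Role.CLINICIAN}))
DR_KIM = User("u-kim", "practice-a", frozenset({Role.CLINICIAN}))
DR_OUTSIDE = User("u-out", "practice-b", frozenset({Role.CLINICIAN}))
CLAIM = Record("claim-1", "practice-a", RecordKind.CLAIM)
NOTE = Record("note-1", "practice-a", RecordKind.CLINICAL_NOTE, author_id="u-lee")
PSY_NOTE = Record("psy-1", "practice-a", RecordKind.PSYCHOTHERAPY_NOTE, author_id="u-lee")

def demo() -> dict:
    """The decisions a reviewer would check; returned as a dict for testing."""
    audit = AuditLog()
    out = {
        "biller_reads_claim": authorize(BILLER, CLAIM, Action.READ, audit),
        "biller_reads_note": authorize(BILLER, NOTE, Action.READ, audit),
        "colleague_reads_note": authorize(DR_KIM, NOTE, Action.READ, audit),
        "outsider_reads_note": authorize(DR_OUTSIDE, NOTE, Action.READ, audit),
        "author_reads_psy": authorize(DR_LEE, PSY_NOTE, Action.READ, audit),
        "colleague_reads_psy": authorize(DR_KIM, PSY_NOTE, Action.READ, audit),
        "author_exports_psy": authorize(DR_LEE, PSY_NOTE, Action.EXPORT, audit),
        "author_export_ids": [r.record_id for r in
                              export_records(DR_LEE, [NOTE, PSY_NOTE], audit)],
    }
    out["psy_audit_entries"] = [e for e in audit.entries if e["kind"] == "psychotherapy_note"]
    return out
```

Two design points worth noting. The default branch fails closed, so a record kind the policy does not know about is denied rather than silently treated like a claim. And denials are logged alongside allowed reads: a colleague's attempt to open another clinician's psychotherapy note leaves an entry with allowed=False, which is the event a detection rule for misuse of the stricter bucket keys on.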
Current commitments
- BAA (Pilot): Yes, under the Pilot Agreement
- BAA (General Availability): In progress; ready at GA launch
- Breach notification: Per the executed BAA (typically within 72 hours of discovery); HIPAA's outside limit is 60 calendar days from discovery
- Data residency: United States
- Subprocessors: Marketing-site subprocessors are listed on /privacy; product subprocessors are disclosed via the BAA
This page is not a BAA
Nothing on this page is a Business Associate Agreement. If you are a covered entity and need to execute a BAA before handling data with Margin for Care, contact us at [email protected] and we'll send the current template. Design partners receive the BAA as part of the Pilot Agreement; other covered entities should reach out directly.
HIPAA inquiries
Questions about our HIPAA posture, the BAA, or how we handle PHI — reach out directly.
[email protected]