Security Policy

This HIPAA Security Policy establishes the administrative, physical, and technical safeguards Brezia Healing uses to protect electronic protected health information (ePHI) in compliance with the HIPAA Security Rule, including 45 CFR 164.308, 164.310, and 164.312. This policy supplements the HIPAA Privacy Policy and applies to all systems, devices, workforce members, contractors, and business associates that create, receive, maintain, or transmit ePHI on behalf of the practice. Because Brezia Healing operates as a solo telehealth practice, the controls below are designed to be practical, documented, and risk-based while ensuring the confidentiality, integrity, and availability of ePHI.

Table of Contents

  1. Purpose and Scope for Brezia Healing and TheraNest
  2. TheraNest Access Management and Authentication
  3. Solo Telehealth Device Use and Media Controls
  4. Encryption and Secure Communications in TheraNest
  5. TheraNest Audit Controls and Security Review
  6. TheraNest Configuration Standards
  7. Security Officer Governance and Vendor Oversight
  8. Acknowledgment and Adoption

Section I | TheraNest Access Management and Authentication

Brezia Healing will manage access to ePHI in TheraNest and any connected practice systems so that only authorized persons can view, create, edit, export, or transmit information necessary to perform approved functions. As a solo telehealth practice, Brezia Healing will maintain a unique user account for the practice owner, prohibit shared credentials, and enable available authentication safeguards within TheraNest, including organization-level multi-factor authentication when supported and appropriate. Emergency access procedures will be maintained so that necessary ePHI can be obtained during outages, emergencies, or continuity events. Automatic logoff, screen lock, and re-authentication settings will be enabled where reasonable and appropriate based on risk, and all access permissions for any future staff member, contractor, biller, or vendor will be reviewed periodically and promptly updated when duties change or access is no longer required.

  • Unique user IDs are required for the EHR, email, cloud storage, and any other system used to access ePHI.
  • Access provisioning, modification, and termination will be documented, including prompt removal of access for any departing workforce member or vendor.
  • Multi-factor authentication will be enabled for remote access and for systems that support it, particularly the EHR, administrative portals, and cloud services.
  • Passwords must be strong, unique, and not shared; password reuse across systems containing ePHI is prohibited.

Section II | Solo Telehealth Device Use and Media Controls

All devices used by Brezia Healing to access TheraNest, conduct telehealth sessions, send secure client communications, or store any ePHI, including laptops, desktops, tablets, smartphones, removable media, and backup devices, must be secured against unauthorized use, loss, theft, and improper disposal. Because Brezia Healing operates as a solo telehealth practice, device use for ePHI will be limited to approved devices and HIPAA-appropriate applications used within a private workspace. Devices must be protected by passcodes or biometric security, configured with current operating system updates, antivirus or endpoint protection where applicable, and device encryption when ePHI may be stored locally. Use of public or shared computers for access to TheraNest or telehealth services is prohibited unless no local storage occurs and adequate session security is maintained.

  • Portable devices containing or capable of accessing ePHI must use full-disk encryption, automatic screen lock, and remote wipe capabilities where available.
  • Removable media will not be used for ePHI unless there is a documented business need and the media is encrypted and securely tracked.
  • Before reuse, transfer, or disposal of hardware or media, ePHI must be removed or destroyed using a method appropriate to the device and sensitivity of the data.
  • Any lost, stolen, or compromised device must be reported immediately to the Security Officer for risk assessment, mitigation, and breach analysis as needed.

Section III | Encryption and Secure Communications in TheraNest

Brezia Healing will implement encryption and decryption mechanisms for ePHI at rest and in transit when reasonable and appropriate based on documented risk analysis, and will document any alternative measures if an addressable specification is not implemented as written. As a practical baseline for a solo telehealth practice using TheraNest, the practice will use vendor-supported secure communications, the client portal, and telehealth workflows designed to protect information during storage and transmission, together with HIPAA-appropriate email or other services subject to a signed Business Associate Agreement when ePHI must be communicated outside the platform. ePHI may not be sent through unencrypted consumer messaging channels or stored in unsecured personal accounts.

  • The EHR, telehealth platform, and cloud services used for ePHI must support encryption in transit and encryption at rest.
  • Local device encryption is required for laptops, tablets, and smartphones that may access cached or stored ePHI.
  • Encryption keys, passwords, and recovery methods must be safeguarded and accessible only to authorized persons.
  • If an exception to encryption is necessary, the reason, compensating safeguards, and approval must be documented.

Section IV | TheraNest Audit Controls and Security Review

Brezia Healing will maintain hardware, software, and procedural mechanisms that record and examine activity in TheraNest and any other systems containing or using ePHI. Audit information may include user access records, sign-in attempts, chart access, record views, exports, scheduling changes, administrative changes, secure message activity, telehealth-related activity, security alerts, and other system events relevant to detecting unauthorized access, improper use, or security incidents. Audit logs, available system reports, and related activity records will be reviewed on a regular schedule and after any known or suspected incident. Findings that indicate unusual, unauthorized, or unexplained activity will be investigated promptly, documented, and addressed through corrective action, sanctions, vendor follow-up, or breach response procedures as appropriate.

  • Information system activity reviews will include audit logs, access reports, failed login attempts, and security incident tracking reports.
  • Routine audit review will occur at least monthly for primary systems containing ePHI and more frequently when risk, vendor alerts, or incidents warrant.
  • Audit review results, identified exceptions, and remediation steps will be documented and retained for at least six years in accordance with HIPAA documentation requirements.
  • Log retention, access to audit data, and any changes to logging settings must be controlled to preserve integrity and support investigations.

Section V | TheraNest Configuration Standards

Brezia Healing will configure TheraNest and any connected services in a least-privilege, security-first manner that supports a solo telehealth workflow while protecting confidentiality, integrity, and availability of ePHI. Configuration choices will be reviewed at implementation, whenever TheraNest releases material security or workflow changes, and whenever Brezia Healing adds a new service, integration, user, or practice function that may affect how ePHI is accessed, transmitted, or retained.

  • Multi-factor authentication will be enabled at the organization level in TheraNest, or for the practice account specifically, whenever the feature is available and feasible for the practice workflow.
  • The client portal will be used for intake forms, secure messaging, payments, and telehealth access whenever practical, so client-facing interactions occur within a vendor-supported environment rather than unsecured consumer tools.
  • Telehealth sessions will be scheduled and accessed through TheraNest workflows or other HIPAA-appropriate services approved by the Security Officer, and meeting links or client access details will not be distributed through unsecured channels unless protected by reasonable safeguards.
  • Email alerts, reminders, and notifications connected to TheraNest will be configured to limit unnecessary exposure of ePHI, including the use of privacy-conscious message content and minimum necessary information.
  • Portal access for authorized contacts, caregivers, or other third parties will be limited to the permissions necessary for scheduling, forms, or payments, and will not be expanded to clinical content unless specifically authorized and appropriate.
  • Reports and dashboard views in TheraNest will be reviewed periodically to identify missing documentation, unresolved billing items, unusual activity, incomplete workflows, or other indicators that security or operational follow-up may be needed.
  • Any add-on, integration, AI-assisted workflow, e-prescribing service, clearinghouse connection, or third-party tool used with TheraNest will be evaluated by the Security Officer before use to confirm that privacy, security, and business associate requirements are addressed.
  • Configuration changes that materially affect access, storage, communications, or audit visibility will be documented as part of the practice’s HIPAA security records.

Section VI | Security Officer Governance and Vendor Oversight

Heather Arculeo serves as the Security Officer responsible for implementation, oversight, training, and periodic review of this policy, including oversight of TheraNest configuration, vendor access, business associate agreement management, and security settings used in the Brezia Healing telehealth workflow. This HIPAA Security Policy will be reviewed at least annually, updated when there are material changes in law, technology, vendors, or operations, and enforced through the practice sanction process for any workforce member who violates its requirements. This policy is intended to reflect the current HIPAA Security Rule in effect, including the administrative safeguard requirement for regular information system activity review under 45 CFR 164.308(a)(1)(ii)(D) and the technical safeguard standards for access control, audit controls, and transmission security under 45 CFR 164.312. Brezia Healing will maintain supporting documentation, risk analyses, implementation records, and vendor oversight documentation for a minimum of six years.

Annual Review Acknowledgments

The Security Officer must sign below following each annual review of this policy to confirm the policy has been reviewed and, if applicable, updated.