
Security & HIPAA

How Hope Harbor handles your data.

Behavioral-health operations live and die on trust. This is the unembellished version of how we handle PHI, who has access, what we sign, and what we don't do — written for the operator who's about to forward this page to their compliance lead.

Business inquiries only. No PHI through public forms; diligence materials are available before any live workflow review.

BAA before live PHI access

Public website forms are business-inquiry surfaces and should not receive PHI. Provider work that requires live PHI is scoped separately and starts only after the right agreement and access rules are in place.

Vendor-backed security controls

We use established hosting, form, CRM, email, and communications vendors and review their security posture before putting them into a PHI-scoped workflow.

Least-privilege by default

Provider access is scoped to the work being performed. We avoid shared credentials and keep access narrower than the full clinical or revenue system whenever possible.

Evidence over slogans

Audit deliverables identify what was reviewed, what was synthetic, and what was not claimed. Live conversation logging and retention rules are confirmed in the scoped engagement.

Infrastructure reviewed before scope

For PHI-scoped work, we review hosting region, vendor terms, subprocessors, and workflow boundaries before access is granted.

Subprocessor transparency

Prospective provider customers can request vendor and subprocessor diligence materials before a PHI-scoped engagement begins.

What we do

  • Keep public forms limited to business inquiries and no-PHI submissions
  • Scope live PHI access only after the right agreement and access rules are in place
  • Provide a named operator and incident contact
  • Use least-privilege access and avoid shared credentials where provider systems allow it
  • Document what was reviewed, what was synthetic, and what was not claimed
  • Share vendor, subprocessor, retention, and incident-response materials on request

What we explicitly don't do

  • Sell or resell PHI. We disclose PHI only as needed for scoped provider workflow under the applicable agreement, access rules, and approved vendors/subprocessors
  • Use provider PHI to train shared, vendor, or foundation AI models
  • Accept referral fees or pay-per-admit arrangements
  • Make HIPAA “compliance” claims we can't back up in writing
  • Ask prospects to send patient names, dates of birth, member IDs, or medical details through public forms

An honest note on certifications.

Hope Harbor is an early-stage operator-led company. We do not currently hold a SOC 2 Type II report, and we will not claim more than we can document. For any engagement that requires live PHI, we are happy to walk your compliance lead through the proposed scope, vendors, access model, retention posture, and incident contact before access is granted.

Need the security packet?

Email hello@hopeharborhealth.com and we'll send the current diligence packet for the proposed scope.

  • BAA status and PHI-scope boundary
  • Vendor and subprocessor list for the proposed workflow
  • Access model, retention posture, and logging boundaries
  • Incident contact and escalation path
  • Public-form no-PHI instructions