Is BusyBook HIPAA compliant?

Yes. BusyBook takes HIPAA compliance seriously. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Each practice gets its own isolated database partition — your client records are never co-mingled with another practice's data. We sign a Business Associate Agreement (BAA) with practitioners who handle protected health information, and we implement HIPAA administrative, physical, and technical safeguards.

Do you sign a Business Associate Agreement (BAA)?

Yes. BusyBook signs Business Associate Agreements with practitioners who handle protected health information (PHI) under HIPAA. The BAA establishes our obligations as a business associate and documents our security commitments around data access, breach notification, and subprocessor management.

How is client data encrypted?

All data in transit is protected with TLS 1.3. All data at rest is encrypted using AES-256 encryption. We enforce HSTS (HTTP Strict Transport Security) and maintain encrypted backups with secure key management. Row-level security at the database layer ensures each practice can only access their own records.

Who can access my client records?

Only authorized users in your practice can access your client records. We enforce row-level security at the database level — even our engineers cannot access your records in normal operations. All data access is audit-logged and monitored.

What happens to my data if I cancel?

Your data remains exportable for 90 days after cancellation. We provide a full export of all client records, appointment history, SOAP notes, and financial data in standard formats. After 90 days, data is permanently deleted from our systems.

What security certifications does BusyBook have?

BusyBook implements HIPAA Security Rule requirements — administrative, physical, and technical safeguards. We have SOC 2 Type II controls in place with formal certification in progress. We conduct ongoing internal security testing, code review, and vulnerability scanning.

Is BusyBook HIPAA compliant?

Yes. BusyBook implements all required and addressable safeguards under the HIPAA Security Rule (45 CFR Part 164, Subpart C). All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Each practice's data is logically isolated via row-level security at the database layer. We sign a Business Associate Agreement (BAA) with practitioners who handle protected health information, and we implement administrative, physical, and technical safeguards.

Do you sign a Business Associate Agreement (BAA)?

Yes. BusyBook signs Business Associate Agreements with practitioners who handle protected health information (PHI) under HIPAA. The BAA establishes our obligations as a business associate and documents our security commitments around data access, breach notification, and subprocessor management.

How is client data encrypted?

All data in transit is protected with TLS 1.3 (TLS 1.2 minimum where 1.3 is unsupported). All data at rest is encrypted using AES-256 encryption. We enforce HSTS (HTTP Strict Transport Security) with minimum one-year max-age, maintain encrypted backups with secure key management and defined key rotation schedules, and all uploaded files are encrypted at rest.

Who can access my client records?

Only authorized users in your practice can access your client records. We enforce strict row-level security (RLS) at the database level — every query is scoped by the authenticated user's identifier, ensuring strict tenant isolation. Production database access requires MFA and is logged. Access reviews are conducted quarterly.

What happens to my data if I cancel?

Your data remains exportable for 60 days after cancellation (the Export Window). We provide a full export of all client records, appointment history, SOAP notes, and financial data in standard formats. After the Export Window, PHI is permanently deleted from active systems within 30 days and from backup systems within the 30-day backup rotation cycle.

What security certifications does BusyBook have?

BusyBook implements HIPAA Security Rule requirements — administrative, physical, and technical safeguards. We have SOC 2 Type II controls in place aligned with trust service criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy), with formal certification in progress. Our security program also aligns with NIST Cybersecurity Framework, NIST SP 800-88, and OWASP Top 10. Payment security is delegated to Stripe (PCI DSS Level 1 certified).

Security & Privacy — BusyBook

Last updated: June 14, 2026Effective: June 14, 2026Version 4.0

1. Introduction

This document describes the security practices implemented by BusyBook, Inc., a Delaware corporation, to protect the confidentiality, integrity, and availability of data processed through the BusyBook practice management platform (the "Platform"). These practices apply to all Protected Health Information ("PHI"), Electronic Protected Health Information ("ePHI"), and personal data entrusted to BusyBook by its subscribers and their clients.

Entity: BusyBook, Inc.

Address: 2435 Central Expy, 12th Floor, Suite 1200, Richardson, TX 75080, USA

Phone: 469-334-4017

Security Contact: security@busybook.co

2. Security Commitment

BusyBook maintains a comprehensive information security program designed to:

Comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) and applicable provisions of the HITECH Act
Protect ePHI and personal data against reasonably anticipated threats to its confidentiality, integrity, and availability
Protect against reasonably anticipated unauthorized uses or disclosures
Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by BusyBook
Align with industry-recognized frameworks including SOC 2 Type II and NIST Cybersecurity Framework

3. Encryption Standards

3.1 Data in Transit

TLS 1.3 enforced on all connections (TLS 1.2 minimum where 1.3 is unsupported)
HSTS (HTTP Strict Transport Security) enabled with minimum one-year max-age
Automated certificate provisioning and renewal
All inter-service communications encrypted via TLS

3.2 Data at Rest

AES-256 encryption for all database storage containing PHI or personal data
AES-256 encryption for all database backups
Secure key management with access restricted to authorized personnel; key rotation on defined schedule
All uploaded files encrypted at rest using AES-256

4. Access Controls

4.1 Authentication

Multi-factor authentication (MFA): Supported and recommended for all subscriber accounts; required for BusyBook administrative access
Session management: Cryptographically signed session tokens (JWT) with automatic timeout after inactivity
Password policy: Minimum complexity requirements enforced; passwords stored using bcrypt with appropriate work factor
OAuth 2.0: Used for all third-party integrations; no direct credential sharing

4.2 Authorization

Role-based access controls (RBAC): Workforce members are assigned roles that determine the scope of data they may access. Access privileges are reviewed quarterly.
Row-level security (RLS): Enforced at the database level. Every query is scoped by the authenticated user's identifier, ensuring strict tenant isolation.
Principle of least privilege: Access to production systems, databases, and PHI is limited to the minimum necessary to perform assigned duties.

4.3 Administrative Access

Production database access requires MFA and is logged
Administrative actions are subject to audit trail
Access reviews conducted quarterly; deprovisioning within 24 hours of role change or termination

5. Infrastructure Security

5.1 Hosting Environment

Dedicated infrastructure controlled by BusyBook, located in the United States
All PHI is stored and processed within the United States; no international transfer of PHI
Production, staging, and development environments are isolated from one another

5.2 Network Security

Inbound and outbound traffic filtered by firewall rules permitting only authorized traffic
Cloudflare-based distributed denial-of-service (DDoS) mitigation
Network-level monitoring for anomalous traffic patterns and known attack signatures
Production services exposed via authenticated Cloudflare Tunnels; no direct port exposure to the public internet

5.3 Application Security

Automated dependency scanning and regular updates for all application dependencies
Static code analysis integrated into the development pipeline
All user inputs validated and sanitized at the application layer
Application security controls address the OWASP Top 10 vulnerability categories

6. Data Handling and Retention

6.1 Data Classification

Classification	Description	Examples
PHI / ePHI	Protected Health Information subject to HIPAA	SOAP notes, intake forms, treatment records
Sensitive Personal Data	Personal data requiring heightened protection	Payment information, authentication credentials
Business Data	Operational data associated with subscriber accounts	Appointment schedules, service menus, business hours
Public Data	Information intentionally made public	Published website content, public business profiles

6.2 Key Retention Periods

Client PHI: Duration of active account plus 90 days after account closure
Financial records: 7 years from transaction date
Audit logs: 6 years from creation (per 45 CFR Section 164.530(j))
AI prompts/responses: Not retained; deleted within 1 hour of processing
Database backups: 30-day rolling retention

6.3 Data Disposal

Upon account closure or data deletion request, PHI is permanently deleted from production databases within 90 days and from backup systems within the 30-day backup rotation cycle. Disposal methods comply with NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization").

7. Incident Response

7.1 Incident Response Plan

BusyBook maintains a formal incident response plan that defines classification criteria, designated response team personnel with defined roles, and communication protocols.

7.2 Response Process

Detection: Automated monitoring identifies potential security events (continuous)
Triage: Security team evaluates severity, scope, and affected data (within 1 hour of detection)
Containment: Immediate steps to isolate affected systems and stop ongoing exposure (within 4 hours)
Investigation: Root cause analysis, scope determination, and evidence preservation (within 24 hours initial)
Notification: Covered Entities notified per BAA requirements; regulatory notifications as required (per BAA; 24-hour best-effort initial notice)
Recovery: Systems restored, vulnerabilities remediated, verification testing
Post-Incident: Lessons learned documented; controls updated to prevent recurrence (within 14 days of resolution)

7.3 Your Role

If you suspect a security incident: immediately change your password, contact security@busybook.co, document what you observed, and do not delete any data.

8. Employee Security Practices

8.1 Personnel Security

Background checks conducted for all personnel with access to production systems or PHI
Confidentiality and non-disclosure agreements required prior to accessing PHI
HIPAA training completed upon hire and annually thereafter
Quarterly security awareness training covering phishing, social engineering, and security best practices

8.2 Termination Procedures

Access deprovisioned within 24 hours of separation
All company-owned devices and credentials returned
Access logs reviewed for anomalous activity during final employment period

9. Vulnerability Management

9.1 Vulnerability Scanning

Automated dependency vulnerability scanning integrated into CI/CD pipeline
Container image scanning before deployment
Regular application security testing

9.2 Patch Management

Critical vulnerabilities: Patched within 72 hours of disclosure
High-severity vulnerabilities: Patched within 7 days
Medium/Low vulnerabilities: Patched within 30 days or addressed in next release cycle

9.3 Responsible Disclosure

BusyBook welcomes responsible security research. Security researchers should contact security@busybook.co before conducting any testing. BusyBook will not pursue legal action against researchers who make a good-faith effort to avoid privacy violations, destruction of data, and interruption of services.

10. Business Continuity and Disaster Recovery

10.1 Backup Strategy

Automated daily backups with 30-day rolling retention
Point-in-time recovery available for database restoration
All backups encrypted at rest using AES-256
Backup storage in a separate availability zone within the United States

10.2 Recovery Objectives

Recovery Time Objective (RTO): 4 hours for critical services
Recovery Point Objective (RPO): 24 hours maximum data loss

11. HIPAA Compliance

BusyBook implements all required and addressable safeguards under the HIPAA Security Rule (45 CFR Part 164, Subpart C):

Administrative Safeguards

Security management process
Workforce security training
Information access management
Security incident procedures
Contingency planning
Periodic evaluation
Business Associate Agreements

Physical Safeguards

Facility access controls
Workstation security
Device and media controls

Technical Safeguards

Access controls
Audit controls
Integrity controls
Transmission security

12. Compliance & Certifications

HIPAA Security Rule: Administrative, physical, and technical safeguards in place
SOC 2 Type II: Controls aligned with trust service criteria; formal certification in progress
NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond, Recover functions
NIST SP 800-88 Rev. 1: Media sanitization guidelines for data disposal
OWASP Top 10: Application security controls
PCI DSS: Payment security delegated to Stripe (PCI DSS Level 1 certified)

13. Subscriber Responsibilities

While BusyBook secures the Platform infrastructure, subscribers play a critical role:

Account Security

Use strong, unique passwords
Enable multi-factor authentication
Keep credentials confidential
Log out when finished
Report suspicious activity

Data Handling

Collect only necessary information
Obtain proper consent
Access from secure networks
Regularly export and back up

Compliance

Maintain HIPAA compliance
Keep consent forms on file
Train staff on privacy
Report breaches per state law

14. Third-Party Security

BusyBook applies the following security requirements to all subprocessors:

Pre-engagement assessment: Security evaluation conducted before engaging any new subprocessor
Contractual requirements: Data protection agreements requiring safeguards no less protective than those described in this document
Ongoing monitoring: Periodic review of subprocessor security posture and compliance
Incident notification: Subprocessors required to notify BusyBook of security incidents within contractually defined timeframes

15. Audit and Monitoring

All security-relevant events recorded in append-only, tamper-resistant audit logs
Logged events include: authentication attempts, data access, data modifications, data exports, administrative actions, and system configuration changes
Audit logs retained for six (6) years per 45 CFR Section 164.530(j)
Real-time alerting for failed authentication attempts exceeding threshold
Anomaly detection for unusual data access patterns
System health and availability monitoring with automated alerting

16. Contact Information

Report a Security Issue: security@busybook.co

Privacy Inquiries: privacy@busybook.co

General Questions: legal@busybook.co

Phone: 469-334-4017

Address: BusyBook, Inc., 2435 Central Expy, 12th Floor, Suite 1200, Richardson, TX 75080, USA

Responsible Disclosure: We welcome responsible security research. Contact us before testing.

For related documents, see our Privacy Policy and Terms of Service.