Platform Security Information (inc HIPAA/GDPR)

Ensuring a Safe and Secure Online Workspace

When therapists/organisations are considering our platform to support and develop their online practice, they want to know that we’ve taken the appropriate steps to ensure a safe online workspace for them and their clients. We keep this article up to date with information on everything we have done, are doing, and will continue to do as part of our ongoing commitment to the security and safety of the platform.

HIPAA and GDPR Compliance

At Bilateral Base, we are committed to protecting personal health information (PHI) and personal data in compliance with major data protection laws worldwide, including HIPAA (Health Insurance Portability and Accountability Act) in the United States and GDPR (General Data Protection Regulation) in the European Union.

HIPAA Compliance: As a platform used for telehealth, Bilateral Base adheres to HIPAA requirements for protecting the privacy and security of PHI. Here’s how we ensure compliance:

  • Data Encryption: All data transmitted between users, including video sessions, is encrypted using end-to-end 256-bit encryption. This ensures that PHI is kept secure and private during sessions.
  • Access Controls: We enforce strong password policies and unique session links, ensuring only authorised users can access protected health information.
  • Audit Controls: Bilateral Base maintains a secure audit trail of access and actions within the platform, allowing us to monitor and record activity to prevent unauthorised access or breaches.
  • Business Associate Agreements (BAAs): If you are based in the United States and require a BAA for your practice, we can provide one to ensure compliance with HIPAA when you use our platform for client care.

GDPR Compliance: Bilateral Base is fully compliant with the GDPR, protecting the personal data of individuals in the European Economic Area (EEA). Our key GDPR measures include:

  • Data Minimisation: We collect only the essential information needed for the platform’s operation, ensuring that no unnecessary personal data is collected. For client data, therapists have the option to use confidential IDs instead of names, keeping personal details private.
  • Consent and Control: We give users control over their personal information, ensuring that all data collection is based on explicit consent. Users can update, request access to, or delete their data at any time.
  • Right to Be Forgotten: We respect users’ rights to request the deletion of their personal data. Upon request, we will permanently delete all identifiable information related to your account and clients.
  • Data Storage: All personal data is securely stored on servers within the European Union, specifically in Dublin, Ireland. We ensure that all data processing complies with GDPR requirements regarding data localisation and cross-border data transfers.
  • Data Breach Notification: In the unlikely event of a data breach, we are committed to notifying affected users promptly, as required by GDPR, and taking immediate action to mitigate any risks.

In addition to HIPAA and GDPR, Bilateral Base complies with other relevant data privacy regulations around the world, ensuring that your data is protected no matter where you or your clients are located.

Security By Design

Bilateral Base was designed specifically to meet the needs of therapists, ensuring security is a primary focus from the start. Every feature or capability that is added undergoes a thorough security and privacy review. We only release updates once we’re confident they meet or exceed our security standards, ensuring continuous protection for both you and your clients.

Minimal Information Collected

We collect only the essential personal or sensitive information needed for therapists to work effectively with clients. This principle of data minimisation aligns with GDPR guidelines.

For therapists:

  • The only personal information we ask for is your name and email address.

For clients:

  • We support anonymous client profiles and offer the option to use confidential IDs to identify clients in your Bilateral Base account, reducing the need to store personally identifiable information.
  • We do not require email addresses for clients, as we recognise that therapists may already have established communication methods, such as email or messaging.

Secure Video Technology

Our video calls use end-to-end 256-bit encryption, ensuring that only the session participants can access the conversation. For technically minded users, our technology utilises WebRTC, a widely used telehealth standard. WebRTC is open-source, which means that its code undergoes constant review by security experts globally, enhancing its security. WebRTC is also compliant with HIPAA, GDPR, and other data privacy regulations worldwide.

Strong Access Controls

We prioritise robust access controls to ensure the security of your account and sessions:

  • Strong Passwords: We require strong passwords to protect your account and recommend that therapists avoid reusing passwords across multiple sites, reducing the risk of compromise from weakly protected services.
  • MFA (Multi-factor Authentication): For an additional layer of security, we offer multi-factor authentication (MFA) as an optional feature, providing extra protection for higher-risk features and account access.
  • Secure Reusable Client Links: Our reusable client session links are designed with a secure key system, ensuring a balance between robust security and easy access for clients.

Security On Advanced Tools

  • Session Recording: Recordings are stored securely on AWS servers in Dublin, Ireland, for a limited period. Therapists can access recordings for 5 days, with an additional 15-day archive period upon request. After this, recordings are completely deleted. The recording feature can also be disabled on accounts if required to comply with organisation policies.
  • Screen Sharing: We offer precise control over what content is shared during screen-sharing sessions to ensure only intended information is visible. For the best experience, we recommend using the Chrome browser for this feature.

Regular 3rd Party Penetration Testing

To add an extra layer of protection, we engage external security experts for penetration testing, ensuring that any vulnerabilities are addressed promptly.

Certified by National Cyber Security Centre UK

We hold a ‘Cyber Essentials’ certificate, a government-backed scheme that protects against common cyber threats. This certification is available upon request.

NHS UK Compliance

Through our partnerships with NHS trusts across the UK, we maintain and comply with the following processes and protocols to ensure high-quality delivery and patient safety:

  1. Clinical Risk Management System
  2. Clinical Safety Case Report
  3. Hazard Log
  4. UK Medical Device Regulations 2002 Conformity
  5. Information Commissioner’s Assessment
  6. Data Protection Impact Assessment (DPIA)
  7. Cyber Essentials Certification
  8. External Penetration Test
  9. User acceptance testing to validate platform usability

Further information is available on request.

We hope this article has given you a good foundation on how we operate as a service to ensure a high quality of service and delivery, and to keep therapists’ and clients’ information safe. We welcome any questions you have or clarification you need. As we continue to develop the platform and introduce new capabilities, we will always share with you the steps and precautions we have taken to maintain the highest standard of security across all our therapy technologies.