My Elara is designed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including the Privacy, Security, and Breach Notification Rules.
Business Associate Agreement (BAA)
When a mental health practice uses My Elara, the operator of the Service acts as a Business Associate under HIPAA. We provide every practice with a Business Associate Agreement during onboarding. The BAA governs:
- Our permitted uses and disclosures of PHI
- Our obligation to safeguard PHI
- Breach notification and reporting timelines
- Subprocessor management
- Data return and destruction upon termination
To request a copy of our BAA template, contact hello@myelara.ai.
Technical safeguards
Encryption
- All PHI encrypted at rest with AES-256
- All data in transit encrypted with TLS 1.2 or higher
- Encrypted database backups retained according to HIPAA-compliant retention policies
Access controls
- Unique user identification for every account
- Role-based access control (RBAC) at the application and database layers
- Strict multi-tenant isolation: every data query is scoped to the requesting practice
- Password requirements and session timeouts
Audit controls
- Append-only audit logs record every access to PHI
- Logs include user identity, timestamp, action, and resource
- Logs are immutable and retained for a minimum of six years
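The two controls above that are easiest to get wrong in code are tenant scoping and audit logging, so here is an added example of what they look like when implemented together. This is illustrative code written for this page, not My Elara's own code: the roles, the permission map, the SQLite schema, and the hash-chained log format are all assumptions made for the example. The repository adds the practice predicate to every query itself (a caller cannot forget it), clients are further restricted to their own entries, and every PHI access, allowed or denied, is appended to a log that records user identity, timestamp, action, resource and outcome; each record commits to the hash of its predecessor, so an after-the-fact edit is detectable by `verify()`.

```python
import hashlib
import json
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    user_id: str
    practice_id: str  # the tenant (practice) the user belongs to
    role: str         # constructed roles for this example: "clinician" or "client"


# Constructed role-to-permission map; hypothetical, not the product's real RBAC.
PERMISSIONS = {"clinician": {"read_entry", "list_entries"}, "client": {"read_entry"}}


def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log: each record commits to the previous hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, user_id, action, resource, outcome):
        record = dict(user=user_id, ts=datetime.now(timezone.utc).isoformat(),
                      action=action, resource=resource, outcome=outcome,
                      prev=self.records[-1]["hash"] if self.records else self.GENESIS)
        record["hash"] = _digest(record)
        self.records.append(record)

    def verify(self):
        """Walk the chain; any edited, dropped or reordered record breaks it."""
        prev = self.GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True


class JournalRepository:
    """Adds the tenant predicate to every query; clients see only their own rows."""

    def __init__(self, audit):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, "
                        "practice_id TEXT, client_id TEXT, body TEXT)")
        self.audit = audit

    def _scope(self, who):
        # Predicate and bind parameters that every query is ANDed with.
        if who.role == "client":
            return " AND practice_id = ? AND client_id = ?", (who.practice_id, who.user_id)
        return " AND practice_id = ?", (who.practice_id,)

    def _authorize(self, who, action, resource):
        if action not in PERMISSIONS.get(who.role, set()):
            self.audit.append(who.user_id, action, resource, "denied")
            raise PermissionError(f"{who.role} may not {action}")

    def read_entry(self, who, entry_id):
        resource = f"entry/{entry_id}"
        self._authorize(who, "read_entry", resource)
        pred, params = self._scope(who)
        row = self.db.execute("SELECT id, client_id, body FROM entries WHERE id = ?" + pred,
                              (entry_id, *params)).fetchone()
        self.audit.append(who.user_id, "read_entry", resource, "ok" if row else "not_found")
        return row

    def list_entries(self, who):
        self._authorize(who, "list_entries", "entries")
        pred, params = self._scope(who)
        rows = self.db.execute("SELECT id FROM entries WHERE 1 = 1" + pred, params).fetchall()
        self.audit.append(who.user_id, "list_entries", "entries", "ok")
        return [r[0] for r in rows]


def demo():
    """Constructed scenario: two practices; a clinician and a client in practice A."""
    audit = AuditLog()
    repo = JournalRepository(audit)
    repo.db.executemany("INSERT INTO entries VALUES (?, ?, ?, ?)", [
        (1, "practice-A", "client-a1", "constructed entry A1"),
        (2, "practice-A", "client-a2", "constructed entry A2"),
        (3, "practice-B", "client-b1", "constructed entry B1")])
    clin_a = Principal("clin-a", "practice-A", "clinician")
    client_a1 = Principal("client-a1", "practice-A", "client")
    out = {"own_tenant": repo.read_entry(clin_a, 1) is not None,
           "cross_tenant": repo.read_entry(clin_a, 3),      # None: belongs to practice B
           "other_client": repo.read_entry(client_a1, 2),   # None: another client's entry
           "clinician_list": repo.list_entries(clin_a)}     # [1, 2]
    try:
        repo.list_entries(client_a1)
        out["client_list_denied"] = False
    except PermissionError:
        out["client_list_denied"] = True
    out["chain_valid"] = audit.verify()
    out["audit_records"] = len(audit.records)              # 5: four accesses plus one denial
    audit.records[0]["user"] = "edited"  # simulate an after-the-fact edit of a stored record
    out["tamper_detected"] = not audit.verify()
    return out
```

The scoping lives in the repository rather than in each caller because a single query that forgets the practice predicate is enough to break tenant isolation; the hash chain is one way to make a log tamper-evident in application code, and in production it would be complemented by storage that rejects updates and deletes outright.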
Integrity and availability
- Regular automated backups with point-in-time recovery
- Infrastructure hosted in HIPAA-eligible environments
- Uptime monitoring with alerting
Administrative safeguards
- Security officer designated for oversight of the HIPAA compliance program
- Workforce training on HIPAA Privacy and Security Rules
- Access is granted on a least-privilege basis
- Incident response plan and breach notification procedures
- Annual security risk analysis
Physical safeguards
Infrastructure is hosted with providers that are HIPAA-compliant and maintain SOC 2 certification. Data centers use physical access controls, environmental monitoring, and 24/7 security.
What we don't do
- We do not sell, rent, or trade PHI to any third party
- We do not train or fine-tune AI models on identifiable PHI
- We do not use PHI for marketing or advertising
- We do not share PHI outside what is permitted by HIPAA and our BAA
AI and PHI
My Elara uses AI to surface themes, generate recommendations, and support clinical workflow. When AI is applied to content that contains PHI, the processing happens within HIPAA-compliant boundaries, and data is never used to train the underlying AI models or shared with third parties for their purposes.
Reporting a security concern
If you believe you have found a security vulnerability or witnessed a privacy incident, please email security@myelara.ai. We investigate all reports and will respond within two business days.
Client notice
If you are a client using My Elara at the invitation of your clinician, the protections above apply to your information. Your journal entries, homework submissions, and messages are protected by HIPAA. See our For Clients page and Privacy Policy for more information.