As part of our ongoing commitment to privacy, security, and transparency, and in connection with the HITRUST certification of TherapyNotes and TherapyFuel, we’ve updated our Terms of Service, Privacy Policies, and Business Associate Agreement (BAA), effective April 23, 2026.
These updates are intended to make our policies easier to understand and to reflect evolving legal and regulatory requirements, including state privacy laws. This FAQ highlights the most common questions about what’s changing and what it means for your practice.
Table of Contents
General Questions
What are the main changes I should know about?
There are four key updates:
- Updated Privacy Policies - We revised our privacy policies to better align with current privacy law requirements and to provide clearer information about how data is handled.
- Separate Privacy Policy for TherapyPortal - We created a separate privacy policy for TherapyPortal to better explain how patient information is handled within the client portal experience. This helps distinguish between information related to your practice as a customer and information related to your patients.
- Business Associate Agreement (BAA) integrated into the Terms of Service - The BAA is now built directly into the Terms of Service for customers who need one. This simplifies HIPAA compliance by removing the need for a separate signed agreement.
- Additional account ownership and continuity clarifications - Within the Terms of Service, we clarified how account ownership is designated when more than one Practice Administrator is associated with an account, and we also clarified what may happen to an account in the event of a user’s death or incapacitation if no practice will is in place.
Why is TherapyNotes updating its Terms of Service now?
As privacy and regulatory requirements continue to evolve, especially at the state level, we’ve made targeted updates to help ensure ongoing compliance and provide greater transparency about how we handle personal information.
Are these major changes to how TherapyNotes handles data?
No. These updates do not represent a major change in how TherapyNotes handles your information. We do not sell your data to third parties, and we do not allow vendors to use your information for any purpose other than providing services on our behalf. Most of the updates are focused on clarity, transparency, and legal compliance.
Were any other changes made?
Yes. In addition to the updates above, we made other minor revisions for clarity and consistency. For example, because the BAA is now incorporated into the Terms of Service, we removed language that referred to it as a separate document or described separate signature requirements.
Business Associate Agreement (BAA) Questions
What does it mean that the BAA is now part of the Terms of Service?
It means that for customers who are Covered Entities under HIPAA and require a BAA, the BAA now applies through acceptance of the Terms of Service. There is no longer a separate BAA that must be signed and returned.
Do I need to sign the new BAA?
No. If you are a Covered Entity and agree to the updated Terms of Service, the BAA is automatically in effect. There is nothing to sign, download, or return.
What do I need to do with my old BAA?
No action is required. Your new BAA takes effect when you agree to the updated Terms of Service. You should continue to retain your prior BAA for as long as required by applicable law or your internal record retention policies. Under HIPAA, documentation is generally retained for at least six years beyond its last effective date, though other requirements may also apply.
What if I do not need or want a BAA?
The BAA applies only to customers who are Covered Entities under HIPAA and are required to have a BAA with TherapyNotes. If that does not apply to you, the BAA does not apply to your account.
Privacy Policy Questions
Why are there now two Privacy Policies—one for TherapyNotes and one for TherapyPortal?
We heard from customers that it could be confusing for patients to read a single policy covering both customer and patient-related information. In addition, many state privacy laws require specific disclosures about how customer information is handled.
By separating these policies, we can provide a clearer experience for both providers and patients:
- The TherapyNotes Privacy Policy focuses on customer information, and
- the TherapyPortal Privacy Policy focuses on patient-facing portal use and patient data in that context.
This change is intended to improve transparency and make the information easier to understand.
Why are the Privacy Policies so detailed?
Because there is no single national privacy standard, we must account for a range of state privacy law requirements. Some states have adopted more restrictive requirements, increased enforcement, or created private rights of action. Our policies are designed to provide detailed information about the types of information we collect, why we collect it, and how it is used.
Account Ownership and Continuity Questions
What changed regarding account ownership?
In the Terms of Service, we clarified how account ownership is designated when multiple Practice Administrators are associated with an account. This is intended to make it clearer who holds ultimate responsibility for the account in the event of a dispute or conflict.
What changed regarding death or incapacitation?
We added language in the Terms of Service to clarify what may happen to an account if the account holder dies or becomes incapacitated and there is no practice will in place. These clarifications are designed to support continuity of care while maintaining the privacy and security protections patient records require.
Should I create a practice will?
Yes. We strongly encourage every practice to complete a practice will. Doing so helps ensure your wishes are clear, supports continuity of care for your patients, and makes it easier to determine who should manage your account if you are no longer able to do so.