HIPAA & BAA Information — Cove Teams Inc.
Cove is built to support secure, collaborative pediatric therapy — while meeting the privacy requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). We partner closely with therapy clinics, early intervention programs, and private practitioners to ensure Protected Health Information (PHI) remains safe and appropriately managed.
HIPAA Compliance at Cove
Cove maintains administrative, technical, and physical safeguards consistent with HIPAA requirements, including:
- Encryption of PHI in transit and at rest
- Role-based access controls
- Data minimization and restricted internal access
- Activity logging and audit trails
- Secure and compliant hosting infrastructure
- Regular security testing and monitoring
We do not use PHI for marketing, and we never sell PHI.
What PHI Cove Processes
As a Business Associate to treating clinics, Cove processes the following categories of PHI on behalf of your organization:
Child identity data
- Full legal name and date of birth
- Insurance information (when RTM is enabled)
Clinical data (created by the treating clinic)
- Diagnoses and therapy types
- Treatment plan content: therapy goals, home program activity assignments, and therapist instructions
Caregiver-generated data
- Activity completion logs, timestamps, and performance notes submitted by parents and Authorized Caregivers
- Photos and videos submitted to document home program activities
- Free-text feed posts and caregiver notes
RTM data (clinics with RTM enabled only)
- Caregiver activity logs and monitoring day counts
- Therapist review records and live interaction logs
- RTM evidence packets used for insurance claim preparation and submission
All of the above is treated as PHI and protected under Cove’s full HIPAA safeguard framework.
How Clinics and Families Interact in Cove
Clinic as data originator. When a therapist creates a home program, assigns therapy goals, or generates activity assignments within the Platform, the clinic is originating PHI. Cove processes this content as a Business Associate on your behalf. The clinic retains responsibility for the clinical accuracy of the content it creates.
Therapist-initiated enrollment. Clinics initiate family enrollment by inviting the child’s parent or legal guardian to connect their Cove account to the clinic. Before enrolling a child, the clinic is responsible for ensuring it has obtained appropriate authorization from the guardian.
Guardian as Primary Account Holder. Once a guardian accepts the clinic’s invitation, they become the Primary Account Holder for the child’s record within Cove. They have full visibility into the child’s health record and home program content.
Authorized Caregivers. The Primary Account Holder may invite additional family members (co-parents, grandparents, or other caregivers) to access the child’s account. These Authorized Caregivers can view the child’s home program and submit activity logs. Access can be revoked by the guardian at any time. Cove enforces role-based access controls so Authorized Caregivers cannot modify clinical content or account settings.
When Is a BAA Required?
If you are a HIPAA Covered Entity — including:
- Occupational therapy clinics
- Speech and language therapy clinics
- Physical therapy practices
- Early intervention agencies
- Pediatric therapy groups
- Any provider billing insurance for therapy services
— Cove executes a Business Associate Agreement (BAA) with every Covered Entity clinic account during registration.
A BAA is required before enabling RTM features. Clinics that want to use Cove’s Remote Therapeutic Monitoring (RTM) billing support must have an executed BAA in place before activating RTM for any client account.
What Our BAA Covers
Our BAA outlines:
- How Cove safeguards PHI
- Permitted uses and disclosures (including RTM billing pathways)
- Breach notification requirements
- Security obligations
- Subcontractor compliance
- Termination and data return/destruction
You may request a copy of our standard BAA at any time.
Remote Therapeutic Monitoring (RTM) and PHI
When a clinic enables RTM:
- Caregiver activity logs, feed posts, monitoring day counts, and therapist review records are collected and stored as PHI
- These records are assembled into monthly RTM evidence packets
- The evidence packets are used by clinic billing staff to prepare and submit insurance claims
- The child’s insurance plan receives relevant PHI as part of claims processing
An executed BAA must be in place before RTM is activated. A guardian must provide active RTM Billing Consent through a dedicated in-app consent flow before RTM monitoring can begin for any individual child.
Accessing Your BAA
Covered Entity clinic accounts accept and execute the BAA electronically during registration; acceptance is required to finish signing up, and electronic acceptance carries the same legal effect as a handwritten signature. A copy of the BAA in effect at the time of acceptance, including a countersigned PDF for clinics that need one, is available any time by emailing [email protected].
HIPAA for Parents & Caregivers
When parents use the Platform directly:
- PHI is shared only with the child’s authorized therapy team and any Authorized Caregivers you have invited
- You remain in control of what you upload or share
- PHI is never visible to other families or users outside your child’s care team
- You can request account deletion where legally permissible
- You may revoke access for any Authorized Caregiver at any time through your account settings
Our Commitment to Privacy
HIPAA compliance is an ongoing effort. Cove continually enhances its security practices, trains staff, and updates policies to ensure we meet evolving standards for privacy protection.
Questions?
For questions about HIPAA, PHI, or BAAs, email us at [email protected].
Last Updated: June 28, 2026
Cove Teams Inc. © 2026. All rights reserved.