HIPAA & BAA Information — Cove Teams Inc.

Cove is built to support secure, collaborative pediatric therapy — while meeting the privacy requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). We partner closely with therapy clinics, early intervention programs, and private practitioners to ensure Protected Health Information (PHI) remains safe and appropriately managed.

HIPAA Compliance at Cove

Cove maintains administrative, technical, and physical safeguards consistent with HIPAA requirements, including:

  • Encryption of PHI in transit and at rest
  • Role-based access controls
  • Data minimization and restricted internal access
  • Activity logging and audit trails
  • Secure and compliant hosting infrastructure
  • Regular security testing and monitoring

We do not use PHI for marketing, and we never sell PHI.

What PHI Cove Processes

New June 2026: New section enumerating the PHI categories Cove processes as a Business Associate, including RTM data.

As a Business Associate to treating clinics, Cove processes the following categories of PHI on behalf of your organization:

Child identity data

  • Full legal name and date of birth
  • Insurance information (when RTM is enabled)

Clinical data (created by the treating clinic)

  • Diagnoses and therapy types
  • Treatment plan content: therapy goals, home program activity assignments, and therapist instructions

Caregiver-generated data

  • Activity completion logs, timestamps, and performance notes submitted by parents and Authorized Caregivers
  • Photos and videos submitted to document home program activities
  • Free-text feed posts and caregiver notes

RTM data (clinics with RTM enabled only)

  • Caregiver activity logs and monitoring day counts
  • Therapist review records and live interaction logs
  • RTM evidence packets used for insurance claim preparation and submission

All of the above is treated as PHI and protected under Cove’s full HIPAA safeguard framework.

How Clinics and Families Interact in Cove

New June 2026: New section covering clinic-as-originator, therapist-initiated enrollment, the Primary Account Holder, and Authorized Caregivers.

Clinic as data originator. When a therapist creates a home program, assigns therapy goals, or generates activity assignments within the Platform, the clinic is originating PHI. Cove processes this content as a Business Associate on your behalf. The clinic retains responsibility for the clinical accuracy of the content it creates.

Therapist-initiated enrollment. Clinics initiate family enrollment by inviting the child’s parent or legal guardian to connect their Cove account to the clinic. Before enrolling a child, the clinic is responsible for ensuring it has obtained appropriate authorization from the guardian.

Guardian as Primary Account Holder. Once a guardian accepts the clinic’s invitation, they become the Primary Account Holder for the child’s record within Cove. They have full visibility into the child’s health record and home program content.

Authorized Caregivers. The Primary Account Holder may invite additional family members (co-parents, grandparents, or other caregivers) to access the child’s account. These Authorized Caregivers can view the child’s home program and submit activity logs. Access can be revoked by the guardian at any time. Cove enforces role-based access controls so Authorized Caregivers cannot modify clinical content or account settings.

When Is a BAA Required?

Amended June 2026: Added that an executed BAA is required before enabling RTM features.

If you are a HIPAA Covered Entity — including:

  • Occupational therapy clinics
  • Speech and language therapy clinics
  • Physical therapy practices
  • Early intervention agencies
  • Pediatric therapy groups
  • Any provider billing insurance for therapy services

— Cove executes a Business Associate Agreement (BAA) with every Covered Entity clinic account during registration.

A BAA is required before enabling RTM features. Clinics that want to use Cove’s Remote Therapeutic Monitoring (RTM) billing support must have an executed BAA in place before activating RTM for any client account.

What Our BAA Covers

Amended June 2026: Clarified that permitted uses and disclosures include RTM billing pathways.

Our BAA outlines:

  • How Cove safeguards PHI
  • Permitted uses and disclosures (including RTM billing pathways)
  • Breach notification requirements
  • Security obligations
  • Subcontractor compliance
  • Termination and data return/destruction

You may request a copy of our standard BAA at any time.

Remote Therapeutic Monitoring (RTM) and PHI

New June 2026: New section describing how RTM data is collected, packaged, and used for insurance billing.

When a clinic enables RTM:

  • Caregiver activity logs, feed posts, monitoring day counts, and therapist review records are collected and stored as PHI
  • These records are assembled into monthly RTM evidence packets
  • The evidence packets are used by clinic billing staff to prepare and submit insurance claims
  • The child’s insurance plan receives relevant PHI as part of claims processing

An executed BAA must be in place before RTM is activated. A guardian must provide active RTM Billing Consent through a dedicated in-app consent flow before RTM monitoring can begin for any individual child.

Accessing Your BAA

Amended June 2026: Updated to reflect that the BAA is executed by electronic acceptance during clinic registration.

Covered Entity clinic accounts accept and execute the BAA electronically during registration; acceptance is required to finish signing up, and electronic acceptance carries the same legal effect as a handwritten signature. A copy of the BAA in effect at the time of acceptance, including a countersigned PDF for clinics that need one, is available any time by emailing [email protected].

HIPAA for Parents & Caregivers

Amended June 2026: Added Authorized Caregiver access and revocation.

When parents use the Platform directly:

  • PHI is shared only with the child’s authorized therapy team and any Authorized Caregivers you have invited
  • You remain in control of what you upload or share
  • PHI is never visible to other families or users outside your child’s care team
  • You can request account deletion where legally permissible
  • You may revoke access for any Authorized Caregiver at any time through your account settings

Our Commitment to Privacy

HIPAA compliance is an ongoing effort. Cove continually enhances its security practices, trains staff, and updates policies to ensure we meet evolving standards for privacy protection.

Questions?

For questions about HIPAA, PHI, or BAAs, email us at [email protected].

Last Updated: June 28, 2026

Cove Teams Inc. © 2026. All rights reserved.