Security — Cove Teams Inc.
Overview
Cove is built with industry-leading administrative, physical, and technical safeguards to protect Protected Health Information (PHI). Our platform follows HIPAA and HITECH requirements and is designed to support secure collaboration between therapists, clinics, and families.
We also offer a Business Associate Agreement (BAA) to all Covered Entities using Cove with PHI.
What Data Cove Protects
The Cove Platform handles sensitive pediatric health data. All of the following is treated as PHI and protected under the same standards:
- Child identity data: Full legal name, date of birth, and profile information
- Clinical data: Diagnoses, therapy types, treatment plans, therapy goals, and home program activity assignments created by therapists
- Activity engagement data: Caregiver-submitted completion logs, timestamps, performance notes, and feed posts
- Media: Photos and videos submitted by caregivers to document home program activities
- Scheduling and documentation records: Session notes, appointment records, and related documentation
- RTM data (where applicable): Caregiver activity logs, monitoring day counts, and therapist review records collected when Remote Therapeutic Monitoring is enabled
Administrative Safeguards
- HIPAA & HITECH Compliance: We follow all applicable requirements, including privacy, security, and breach notification rules.
- Business Associate Agreements (BAAs): Cove signs BAAs with clinics, group practices, and licensed providers who use the Platform to create, store, or share PHI.
- Role-Based Access Control: Users only access the minimum necessary information required for their role. Therapists access records for clients assigned to them. Parents and legal guardians access only their own child’s record. Authorized Caregivers access records for the specific child they have been invited to by the legal guardian. Administrative users have restricted access scoped to their organizational role.
- Staff Training: All Cove personnel with access to systems containing PHI complete ongoing HIPAA compliance and security training.
- Audit Logging: Access to PHI is logged and monitored to prevent unauthorized or inappropriate activity.
- Regular Risk Assessments: We perform periodic security reviews and vulnerability assessments to ensure safeguards remain effective.
Access Tiers and Data Visibility
Understanding who can see what is a core part of our privacy architecture:
| Role | What They Can See |
|---|---|
| Therapist / Clinic Staff | Full health record for assigned clients: treatment plans, therapy goals, activity assignments, caregiver activity logs, media, feed posts, and (if RTM-enabled) RTM evidence data |
| Primary Account Holder (Legal Guardian) | Full health record for their child: all content above, plus the ability to invite/revoke Authorized Caregivers and manage RTM consent |
| Authorized Caregiver | Full home program content for the child (therapy goals, activity assignments, therapist instructions), activity history, and the ability to submit activity logs and feed posts. Cannot modify clinical content or account settings. |
| Cove Internal Staff | Access limited to minimum necessary for support and security purposes, under strict access controls and audit logging |
No user can see data for individuals they are not authorized to access. Data is never shared between unrelated families or organizations.
Technical Safeguards
- Encryption In Transit: All data transmitted between users and our servers is encrypted using TLS 1.2+.
- Encryption At Rest: All stored PHI — including clinical content, media files, and engagement data — is encrypted using AES-256 standards.
- Secure Authentication: Strong password policies are enforced. Multi-factor authentication (MFA) is available and recommended for clinic administrator accounts.
- Device-Level Protection: Mobile data is stored in encrypted containers; no PHI is stored unencrypted on personal devices.
- Session Monitoring & Lockouts: Automatic timeouts and failed-attempt lockouts protect against unauthorized logins.
Physical Safeguards
- Secure Hosting Environment: Cove is hosted on HIPAA-ready cloud infrastructure with SOC 2 / ISO 27001 certified data centers.
- Firewalls & Intrusion Detection: Network protections include advanced firewalling, intrusion detection, and continuous monitoring.
- Redundancy & Backups: Encrypted backups and real-time data replication ensure availability and resiliency.
- Disaster Recovery: We maintain disaster recovery procedures to ensure continuity in case of an outage or regional failure.
Breach Notification Procedures
In the event of a data breach involving PHI, Cove will notify affected entities without unreasonable delay and in accordance with HIPAA Breach Notification Rules (45 CFR Part 164, Subpart D). Notification timelines and procedures are documented in our BAA.
Subprocessors
Cove uses limited third-party service providers (e.g., secure cloud hosting, analytics) that are contractually obligated to maintain HIPAA-compliant safeguards and, where appropriate, sign BAAs with Cove.
A list of subprocessors can be provided upon request.
Questions?
For questions about Cove’s security practices, email us at [email protected].
Last Updated: June 11, 2026
Cove Teams Inc. © 2026. All rights reserved.