HIPAA & PHI Compliance

Sobio is a secure online platform that connects patients with licensed therapists and coaches for virtual care. It supports online intake, appointment scheduling, video visits, and ongoing documentation of your care while protecting your health information.

Sobio collects information you and your providers enter as part of your care, including intake assessments, appointment details, and clinical notes. This information is stored in a secure, access-controlled database in the United States and is treated as protected health information (PHI) under HIPAA.

Sobio sends consent forms, questionnaires, and agreements to you electronically for review and signature. Signed documents are stored in a secure e-signature system, and Sobio keeps secure links and key details in its own records so your care team can see which consents are on file.

Sobio protects PHI with encryption both when it is stored and when it is sent over the internet. All connections to the Sobio website use secure, encrypted web connections, and sensitive data is stored in encrypted form in Sobio's databases and file storage.

Access to your information is restricted based on role and job function. Patients, therapists, coaches, and administrators have different levels of access, and each person can see only the information needed to perform their role. Access checks happen every time someone logs in or tries to view or update information.

Patients complete a structured intake process, including required assessments, followed by review by Sobio staff and final acceptance by a licensed therapist when appropriate. Therapists and coaches complete background screening, credential checks, and an interview before they are granted access. All steps in these onboarding processes are recorded in Sobio with access controls and an audit trail.

Sobio keeps detailed logs that record when records are viewed or changed, by whom, and what actions were taken. These logs cover both clinical data and system access and can be reviewed for security, quality, and compliance purposes.

Sobio's record-retention approach is based on applicable federal and state requirements, including rules for substance use disorder treatment records that can require retention for many years. Backups of Sobio's database are taken regularly, stored securely in encrypted form, and retained for extended periods to support clinical, legal, and audit needs.

Sobio uses data-lifecycle controls so that records can be deleted when they no longer need to be kept under law or policy. Deletion processes are designed to be auditable and limited to authorized staff. Sobio can also place a “legal hold” on records so they are preserved if needed for litigation, audit, or regulatory review.

Virtual appointments are conducted through Sobio's secure web portal using live audio-visual visits between you and your provider. Sessions use encrypted connections, and Sobio does not record or store the audio or video from these visits.

Sobio may contact you and your care team through the web portal, live calls with support staff, and email notifications for operational matters such as appointment confirmations and changes. Sobio's policies are to avoid placing sensitive health details directly into routine email messages and to use secure methods for any PHI.

Sobio monitors its systems for unusual activity and configuration changes and keeps logs of system actions to support security review. Sobio maintains backup and recovery processes and has defined objectives for how quickly data can be restored and services brought back online after an outage, to help maintain the availability and integrity of your information.