De-identified by design. HIPAA-aligned by practice.
TherapistAssist is built and operated by BocaPress LLC. The application is engineered so that no Protected Health Information (PHI) enters the system: clinicians work with client initials and clinical content, never names, contact details, or other direct identifiers. This page explains that posture, the technical safeguards behind it, and the services we use.
Last reviewed: June 2026
A note on what this page is.
This is BocaPress LLC’s good-faith self-attestation. HIPAA does not issue certifications, and no third party has audited or endorsed these statements. We describe controls as they are actually implemented in the product. If your compliance officer has questions or needs documentation, email annie@emdrassist.com.
Our HIPAA posture
TherapistAssist follows a de-identified-by-design approach. Under HIPAA’s Safe Harbor de-identification standard (45 CFR §164.514(b)(2)), information that has had all 18 direct identifiers removed is not Protected Health Information, and the HIPAA Privacy and Security Rules do not apply to it.
We enforce this in the product: there are no fields, prompts, or workflows that capture client names, dates of birth, contact information, addresses, government identifiers, insurance numbers, photos, or biometrics. Clinicians identify clients by initials. Clinical content (themes, interventions, progress notes) is stored against those initials and the therapist’s account, never tied to an identifiable person inside our systems.
Because no PHI enters TherapistAssist, BocaPress LLC is not acting as a HIPAA Business Associate, and a signed Business Associate Agreement is not legally required for you to use the product. We still adopt HIPAA-aligned technical safeguards as best practice — they are listed below.
If your compliance officer would like our written explanation of why a BAA is not required for de-identified data, email annie@emdrassist.com and we will send a one-page memo you can share.
What we deliberately do not collect
The application has no fields, prompts, or workflows that capture the following client data. Clinicians who need to record this information should do so in their own EHR.
- Client full names
- Client email addresses or phone numbers
- Client mailing or physical addresses
- Client dates of birth or Social Security numbers
- Photos, biometrics, or government identifiers
- Insurance member IDs or claim numbers
- Emergency contact details
Technical safeguards
All traffic is served over TLS. Data stored in our managed Postgres database is encrypted at rest by our cloud provider.
Sign-in uses email and password or Google, handled by a managed identity provider. Sessions expire automatically. Password reset flows are signed and single-use. Passwords are checked against the Have I Been Pwned breach database at signup.
Every database table that holds user data enforces row-level security policies so a clinician can only read and write their own records. Roles are stored in a separate table and checked through a security-definer function to prevent privilege escalation.
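As an added illustration (not TherapistAssist's actual schema or code), the pattern described above looks like this in Postgres on Supabase. The table, type, function, and policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's own.

```sql
-- Hypothetical schema for illustration; names are not TherapistAssist's own.
create type app_role as enum ('admin', 'clinician');

-- Roles live in their own table, not on a row the user can edit.
create table user_roles (
  user_id uuid not null,
  role    app_role not null,
  primary key (user_id, role)
);
create table session_notes (
  id              uuid primary key default gen_random_uuid(),
  owner_id        uuid not null,
  client_initials text not null,
  body            text not null
);

-- With RLS enabled and no matching policy, every row is denied by default.
alter table user_roles    enable row level security;
alter table session_notes enable row level security;

-- SECURITY DEFINER runs as the function owner (here also the table owner),
-- so the lookup is not subject to RLS on user_roles and policies can call it
-- without recursing. The empty search_path prevents shadowing of user_roles.
create function has_role(_user_id uuid, _role app_role)
returns boolean language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user_id and role = _role
  );
$$;

-- A clinician can read and write only rows they own.
create policy notes_owner_only on session_notes
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy roles_read_own on user_roles
  for select to authenticated
  using (user_id = auth.uid());

-- Ordinary users get no write policy on user_roles: only an admin,
-- as decided by has_role(), can change role assignments.
create policy roles_admin_manage on user_roles
  for all to authenticated
  using (public.has_role(auth.uid(), 'admin'))
  with check (public.has_role(auth.uid(), 'admin'));
```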
AI generations, authentication events, and administrative changes are logged with timestamps for review.
Our database provider takes regular point-in-time backups. We test recovery procedures as part of routine maintenance.
The application is engineered to avoid collecting personally identifying information about clients. Clinicians work with initials and clinical content; we do not ask for client names, dates of birth, contact information, or addresses.
Subprocessors
These services support TherapistAssist on our behalf. Because the application is de-identified by design, none of these vendors receive PHI from us. We review this list at least annually and will update it before adding a new subprocessor.
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare | Application hosting, CDN, DDoS protection | Global edge |
| Supabase | Managed Postgres database, authentication, file storage | United States |
| Lovable | Build platform and managed cloud services | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional email (auth, receipts, notifications) | United States |
| Lovable AI Gateway | Routing for AI-assisted clinical drafting tools | United States |
Incident response
BocaPress LLC maintains a written incident-response procedure. If we discover an incident that may affect customer data, we investigate promptly, contain the issue, and notify affected customers as soon as we have a clear picture of what happened.
To report a suspected vulnerability or incident, email annie@emdrassist.com. Please include reproduction steps and any supporting detail. We acknowledge reports within two business days.
Shared responsibility
The de-identification model only works if both sides hold up their end. We build the guardrails; you keep client identities out of the free-text fields.
We are responsible for:
- Hosting, encryption, and access controls
- Database row-level security & backups
- Designing out fields that would capture PHI
- Vulnerability monitoring and patching
- Incident investigation and notification

You are responsible for:
- Keeping account credentials private
- Using initials and never typing names, emails, phones, or DOBs into notes
- Obtaining client consent appropriate to your jurisdiction
- Compliance with your own state board and HIPAA duties
- Telling us promptly if you suspect a breach
Contact & documents
For security questionnaires, privacy requests, the de-identification memo, or incident reports, email annie@emdrassist.com.
For the full legal disclaimer that governs use of the application, see below or visit any page footer.
Legal disclaimer
Professional Use Only.
This application is designed exclusively for use by licensed mental health professionals who have completed approved training. It is not intended for use by untrained individuals.
Not a Medical Device.
This software is a clinical reference and session support tool. It is not a medical device, diagnostic tool, or substitute for professional clinical judgment, training, or supervision.
No Clinical Advice.
The guides, protocols, and suggestions provided are educational references only. All clinical decisions remain the sole responsibility of the treating clinician.
Geographic Restriction.
This application is not for use in the State of California. By using this tool you confirm that you are not practicing in or providing services to clients located in California.
Responsibility & Ownership.
This application is owned, operated, and published by BocaPress LLC, which is solely responsible for its contents. The developers assume no liability for clinical outcomes resulting from the use of this tool. Use at your own professional discretion.
Privacy.
This tool does not store personally identifiable client information. Clinicians are responsible for ensuring their use complies with HIPAA and applicable privacy regulations.
Intellectual Property.
All software, design, code, trademarks, and proprietary features of this application are the exclusive intellectual property of BocaPress LLC and are protected by copyright, trademark, and other applicable laws. Unauthorized reproduction, distribution, modification, or reverse engineering is strictly prohibited.
All clinical content is educational paraphrasing written in original language, based on widely taught therapy concepts and publicly available clinical literature. No content is reproduced verbatim from copyrighted sources. Referenced assessment instruments (PCL-5, DES-II, PHQ-9, GAD-7, ACE) are freely available for clinical use per their respective publishers.
This application is the property of BocaPress LLC and is protected by copyright. All rights reserved.