HIPAA Compliance

Updated May 7, 2026

For US practices, Stillpoint includes a HIPAA mode with the controls you need to operate compliantly: a Business Associate Agreement, an audit log, configurable retention, and encryption controls.

HIPAA mode is US-only. Practices outside the US still get encrypted data handling but don't need the formal HIPAA framework.


Open the page

Navigate to Settings → Compliance. The page is organized into tabs: Status, Audit Log, Retention, and Encryption.


Business Associate Agreement (BAA)

The BAA is the legal agreement between your practice (the Covered Entity) and Stillpoint (the Business Associate) governing how Protected Health Information is handled.

Accept the BAA

  1. Open the Status tab.
  2. Click Review & Accept BAA.
  3. Read the agreement.
  4. Enter your Covered Entity name if it differs from your practice name.
  5. Click Accept.

Once the BAA is accepted, the page shows the BAA version, the acceptance date, and who accepted it. HIPAA-mode features (audit log, retention, encryption details) become available.

You can re-read the BAA any time via View Agreement.


Audit log

The audit log records access to PHI:

  • Who accessed the data (practitioner name and role).
  • What was accessed (client record, note, form submission).
  • When the access occurred.
  • Action type (view, create, update, delete).

Filter and search the log from the Audit Log tab. The log is retained per your data retention policy.


Data retention

Configure how long PHI records are kept before becoming eligible for deletion:

  1. Open the Retention tab.
  2. Pick a retention period (typical options: 5, 6, 7, or 10 years).
  3. Click Save.

HIPAA generally requires a minimum of 6 years. Some states require longer. Check with your compliance officer for the specific requirement that applies to you.


Encryption

The Encryption tab summarizes how your data is protected:

  • Data is encrypted at rest in the database.
  • Connections use TLS in transit.
  • Backups are encrypted.

For specifics on the implementation, refer to the Encryption tab in your account; the details there are the source of truth.


Tips

  • Accept the BAA before storing PHI in Stillpoint.
  • Review the audit log periodically to monitor access patterns.
  • Set retention to match your state's requirement, not just the federal minimum.
  • The BAA must be accepted by an owner or admin.
