HIPAA Compliance

HIPAA Privacy Policy

Effective Date: May 1, 2025 · Last Updated: May 2025

1. Our Commitment to HIPAA Compliance

Sōna ("Company," "we," "us") is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This policy applies to all Covered Entities and Business Associates who use the Sōna platform to manage client or patient data.

2. What Is Protected Health Information (PHI)

PHI includes any individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. Within Sōna, PHI may include: client names, contact information, appointment records related to health or wellness treatments, call recordings, and any notes or tags that identify an individual in connection with their health or treatment history.

3. How We Use and Disclose PHI

Sōna processes PHI solely to provide the services described in your Business Associate Agreement (BAA). We do not sell, rent, or disclose PHI to third parties except as required to operate the platform (for example, to cloud infrastructure providers that have signed BAAs with us), as required by law, or with your explicit written authorization. AI features that process client data operate only on de-identified summaries; no names, phone numbers, or other identifying information are transmitted to third-party AI providers.

4. Technical Safeguards

Sōna implements the following technical safeguards in accordance with 45 CFR § 164.312:

• Encryption in transit: All data transmitted between users and Sōna is encrypted using TLS 1.2 or higher.

• Encryption at rest: All database storage is encrypted at rest using AES-256.

• Access controls: Role-based access controls and Row Level Security ensure that users can access only their own business's data.

• Audit logging: All access to and modifications of client records are logged with user ID, timestamp, action, and resource type.

• Automatic session timeout: Sessions expire after 15 minutes of inactivity to prevent unauthorized access on unattended devices.

• Unique user identification: Each user has a unique login credential. Shared accounts are not permitted.

5. Administrative Safeguards

Sōna has implemented administrative safeguards including: designated privacy and security responsibilities, workforce training on HIPAA requirements, risk analysis and risk management procedures, and an incident response plan for potential breaches of PHI.

6. Physical Safeguards

Sōna's infrastructure is hosted on cloud platforms (Supabase, Vercel) that hold SOC 2 Type II attestations and provide HIPAA-eligible infrastructure under signed Business Associate Agreements. Physical access to server environments is controlled exclusively by these infrastructure providers; Sōna personnel have no physical access to the underlying hardware.

7. Business Associate Agreements

Any Covered Entity using Sōna to create, receive, maintain, or transmit PHI must sign a Business Associate Agreement (BAA) with Sōna prior to use. The BAA governs our obligations with respect to PHI and is required before any PHI may be entered into the platform. To request a BAA, visit usesonaai.com/baa or contact privacy@usesonaai.com.

8. Data Breach Notification

In the event of a breach of unsecured PHI, Sōna will notify affected Covered Entities without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, in accordance with 45 CFR § 164.410. Notification will include, to the extent known, the nature of the PHI involved, the unauthorized persons who used or may have accessed the PHI, the individuals whose PHI was affected, and the steps taken to mitigate harm.

9. Individual Rights

Sōna supports Covered Entities in fulfilling their obligations to individuals regarding their PHI rights, including the right to access, amend, and receive an accounting of disclosures of their PHI. Requests related to individual PHI rights should be directed to the Covered Entity (your business), which is responsible for fulfilling these obligations under HIPAA.

10. Contact Us

For questions about this HIPAA Privacy Policy, to request a Business Associate Agreement, or to report a potential security incident, contact:

Sōna Privacy Officer
privacy@usesonaai.com
usesonaai.com
