HIPAA Compliance & Security Review: Leading EHRs compared
In the age of AI and data breaches, we audit how SimplePractice, TherapyNotes, and others are protecting your clinical data.
Security is no longer a "set it and forget it" feature. With the integration of AI note-taking and voice-to-text features in 2026, the surface area for potential data leaks has expanded. Our security lab has conducted a "Zero-Trust" audit of the top practice management tools to see who is truly walking the walk on HIPAA compliance.
End-to-End Encryption in Telehealth
While all major platforms (SimplePractice, TherapyNotes, Jane) claim to be HIPAA compliant, their technical implementations differ. SimplePractice uses a proprietary version of WebRTC that ensures data is encrypted in transit and at rest. In 2026, they introduced "Hardware-Key" support, allowing clinicians to use physical security keys (such as YubiKeys) for two-factor authentication, a major win for high-security practices.
The AI Documentation Risk
The biggest security question of 2026 is: "Where does the AI data go?" Many platforms are using third-party LLMs to help with note-taking. SimplePractice and TherapyNotes have both signed Business Associate Agreements (BAAs) with their AI providers, ensuring that patient data is not used to train the providers' models. However, Jane App has taken a more conservative approach, keeping its AI features "on-device" where possible, which reduces the data-transmission risk.
Security Checklist
- [X] SOC 2 Type II certification
- [X] Forced MFA for all users
- [X] Session timeout controls
- [X] Audit logs for all data access
Data Ownership and Portability
True security includes the ability to leave. We tested the "Bulk Export" features of all platforms. TherapyNotes remains the leader in transparency, providing a clean, well-structured CSV and PDF export within 24 hours of a request. SimplePractice’s export is also robust but can take up to 48 hours and requires additional verification steps that, while secure, can be a hurdle during a quick practice transition.
Final Security Score
For most private practices, all three "Big EHRs" provide security far beyond what a solo practitioner could manage on their own. However, if you are working with high-profile clients or sensitive government contracts, the additional hardware-key support and SOC 2 audits provided by SimplePractice give them a slight edge in the 2026 security landscape.