HIPAA compliance and PHI


Headway holds client information to the highest security standard. We treat the privacy of personal and Protected Health Information (PHI) as a top priority and maintain HIPAA compliance through the following:

  • Our proprietary platforms and underlying databases encrypt all client information in accordance with HIPAA best practices.
  • User-to-user messaging conducted through the Headway portal is stored in secure, encrypted systems.
  • Emails from the Headway team use the minimum amount of personal and protected health information necessary to inform patients and providers of the relevant details. We frequently ask users to log in to our portal to view message contents, so that PHI is not exposed in email, even by accident.
  • We sign Business Associate Agreements (BAAs) with all other platforms we use that may store PHI. This ensures our vendors also comply with HIPAA when handling data on our behalf.


In addition, as an extra layer of encryption, we do not include client information in initial requests and use SendSafely instead. With SendSafely:

  • Each agent has their own personal URL that they can use to send items to you securely, even if you don't have a SendSafely account; you can reply using this link as well.
  • Nobody can see the data in the messages other than the people who have been given access.
  • Information is encrypted a second time before being sent.


We also have our privacy policy listed on our website.
