HIPAA and Hivemanager.io
What HIPAA means for your clinic, how we handle protected health information, and what each party is responsible for.
This page covers HIPAA as it applies to US-based massage clinics. Canadian clinics are subject to PIPEDA and applicable provincial health privacy legislation (Alberta HIA, Ontario PHIPA, and others). See our Canadian Privacy overview.
Is your massage clinic a HIPAA covered entity?
Not automatically. Under HIPAA, a covered entity is a healthcare provider that transmits health information electronically in connection with a standard transaction — most commonly, submitting claims to a health insurance plan.
A massage therapy clinic that operates on a cash or direct-pay basis and does not submit electronic insurance claims is generally not a HIPAA covered entity. The law's requirements don't automatically attach just because you collect health history from clients. HIPAA is likely to apply, however, if any of the following is true:
- You submit claims electronically to health insurance plans (including motor vehicle, workers' compensation, or group benefits plans that process standard HIPAA transactions)
- You operate as a business associate to a covered entity — for example, providing massage services within or under contract with a hospital, physical therapy clinic, or other covered healthcare provider
- You receive referrals from covered entities and handle their patients' protected health information as part of a care coordination arrangement
If you're unsure whether your clinic qualifies, consult a healthcare attorney familiar with your state's requirements. The answer affects what compliance obligations apply to you — and by extension, what you need from your software vendors.
What counts as protected health information (PHI)?
PHI is individually identifiable health information — any data that relates to a person's physical or mental health condition, the provision of healthcare to that person, or payment for that care, when it can be linked to a specific individual.
Examples of PHI:
- Client name combined with health history or treatment notes
- SOAP notes and session documentation
- Intake forms with medical conditions, medications, or contraindications
- Diagnosis or treatment information tied to an individual
- Payment records for healthcare services
Not PHI:
- Aggregated, de-identified statistics with no individual identifiers
- Website visit data collected by analytics tools (when no PHI is transmitted)
- Business contact information (name, email) used for marketing purposes only
- Appointment availability data with no health context
Hivemanager.io stores client health history, intake forms, SOAP notes, and treatment records on behalf of clinics. This data is PHI when your clinic is a HIPAA covered entity or business associate.
Hivemanager.io as your Business Associate
When a covered entity uses Hivemanager.io to store or process PHI, Hivemanager.io acts as a Business Associate under HIPAA. A Business Associate Agreement (BAA) is the contract that defines both parties' obligations for protecting that information.
If your clinic is a HIPAA covered entity or business associate, contact us to execute a Business Associate Agreement before storing client health information in Hivemanager.io. Submit a request through our support form and select "BAA request" as the topic.
What Hivemanager.io commits to in a BAA
- Use and disclose PHI only as permitted under the agreement and HIPAA
- Implement appropriate administrative, physical, and technical safeguards to protect PHI
- Report any breach or security incident affecting PHI to the covered entity without unreasonable delay
- Ensure any subcontractors who handle PHI are bound by the same obligations
- Make PHI available for access, amendment, and accounting of disclosures as required
- Return or destroy PHI upon termination of the agreement
Google services we use — and where
Understanding our Google service usage requires distinguishing between two separate environments: our public marketing website (hivemanager.io) and the Hivemanager application (app.hivemanager.io) where clinic and client data lives.
| Service | Used where | BAA available | PHI exposure |
|---|---|---|---|
| Google Analytics 4 (GA4) | Marketing site only | No | None — marketing site contains no PHI |
| Google Tag Manager (GTM) | Marketing site only | No | None — marketing site contains no PHI |
| Google Search Console | Marketing site only | N/A | None — search performance data only |
| Google Workspace | Internal operations | Yes (with setup) | Isolated from client PHI; BAA required if PHI is processed |
Why GA4 and GTM are not used in the app
Google does not offer a HIPAA Business Associate Agreement for Google Analytics 4 or Google Tag Manager. Google's own documentation states that these services should not be used in contexts where PHI is processed.
For this reason, GA4 and GTM are used exclusively on the public marketing site — pages that contain no client health information, no login-gated content, and no PHI of any kind. The Hivemanager application, where clinic and client data is stored, does not use GA4 or GTM.
If your clinic uses a separate website (not built on Hivemanager.io) and you have installed Google Analytics or Meta Pixel on pages where clients log in or view health information, you may have a HIPAA compliance exposure independent of Hivemanager.io. Analytics tools on authenticated or health-context pages can transmit PHI to third parties without a BAA. Consult a HIPAA compliance advisor if this applies to you.
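The check below is an added example, not code from Hivemanager.io or from Google: it scans a clinic's own pages for the script hosts that Google Analytics 4, Google Tag Manager and the Meta Pixel load from, and reports any that appear on pages the clinic has marked as login-gated or health-context, which is exactly the exposure described above. The script hostnames are the vendors' real tag hosts; the page inventory, the `phi_context` flag and the sample HTML are constructed for the example.

```python
"""Detect third-party analytics tags on login-gated or health-context pages.

Added example, not Hivemanager.io's code. A clinic maintains an inventory of
its own pages, marks which ones serve PHI (intake forms, SOAP notes, client
portals), and runs this scan so that no GA4, GTM or Meta Pixel tag ends up on
a page where it could carry PHI to a vendor that signs no BAA.
"""
from html.parser import HTMLParser
import re

# Script hosts that identify each analytics vendor. The hostnames are the ones
# the vendors serve their tags from; the vendor-to-pattern mapping is our own.
TAG_SIGNATURES = {
    "Google Tag Manager": re.compile(r"googletagmanager\.com/gtm\.js"),
    "Google Analytics 4": re.compile(r"googletagmanager\.com/gtag/js"),
    "Meta Pixel": re.compile(r"connect\.facebook\.net/[^/]+/fbevents\.js"),
}


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.sources = []   # values of <script src="...">
        self.inline = []    # bodies of <script>...</script> (GTM is usually inline)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_analytics_tags(html):
    """Return the sorted vendor names whose tag appears in the page HTML."""
    parser = _ScriptCollector()
    parser.feed(html)
    haystack = "\n".join(parser.sources + parser.inline)
    return sorted(name for name, sig in TAG_SIGNATURES.items() if sig.search(haystack))


def audit_pages(pages):
    """Flag analytics tags on pages marked phi_context=True.

    `pages` is a list of dicts with keys url, phi_context (bool) and html
    (a constructed inventory format, not anything Hivemanager.io exposes).
    Returns (url, vendor) findings. Tags on marketing pages are not findings,
    because no PHI is in scope there.
    """
    findings = []
    for page in pages:
        if not page["phi_context"]:
            continue
        for vendor in find_analytics_tags(page["html"]):
            findings.append((page["url"], vendor))
    return findings


# Constructed sample pages; the markup is not Hivemanager.io's.
SAMPLE_PAGES = [
    {   # public marketing page: GA4 here is expected and carries no PHI
        "url": "https://example-clinic.test/",
        "phi_context": False,
        "html": '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
                '</head><body>Book a massage</body></html>',
    },
    {   # intake form behind login with the standard inline GTM loader
        "url": "https://example-clinic.test/portal/intake",
        "phi_context": True,
        "html": '<html><head><script>(function(w,d,s,l,i){var f=d.getElementsByTagName(s)[0],j=d.createElement(s);'
                'j.src="https://www.googletagmanager.com/gtm.js?id="+i;f.parentNode.insertBefore(j,f);'
                '})(window,document,"script","dataLayer","GTM-EXAMPLE");</script>'
                '</head><body><form>Current medications: ...</form></body></html>',
    },
    {   # SOAP notes page with a Meta Pixel
        "url": "https://example-clinic.test/portal/notes",
        "phi_context": True,
        "html": '<html><head><script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
                '</head><body>SOAP notes</body></html>',
    },
    {   # authenticated page with only first-party script: clean
        "url": "https://example-clinic.test/portal/schedule",
        "phi_context": True,
        "html": '<html><head><script src="/static/app.js"></script></head><body>Upcoming appointments</body></html>',
    },
]

if __name__ == "__main__":
    for url, vendor in audit_pages(SAMPLE_PAGES):
        print(f"EXPOSURE: {vendor} tag on PHI-context page {url}")
```

The scan looks at both `src` attributes and inline script bodies because the GTM container snippet is normally pasted inline and only builds the `gtm.js` URL at runtime; matching on the vendor host rather than on a container ID keeps the check independent of which account the tag belongs to.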
Responsibilities of each party
HIPAA compliance is a shared responsibility. No software vendor can make a clinic compliant — the clinic and its vendors each have defined obligations.
Your clinic (Covered Entity)
- Determine whether HIPAA applies to your practice based on your billing and referral arrangements
- Execute a BAA with Hivemanager.io before storing PHI in the platform
- Execute BAAs with any other vendors who handle your clients' PHI (payment processors, scheduling tools, email platforms)
- Train staff on HIPAA requirements and your clinic's privacy policies
- Implement access controls — ensure only authorized staff can access client records
- Maintain a Notice of Privacy Practices and provide it to clients
- Report breaches to affected individuals and HHS as required
- Respond to client requests for access, amendment, or accounting of disclosures
Hivemanager.io (Business Associate)
- Execute a Business Associate Agreement with covered entities upon request
- Implement and maintain administrative, physical, and technical safeguards for PHI
- Encrypt PHI at rest and in transit
- Restrict access to PHI to authorized personnel only
- Notify covered entities of any breach or security incident affecting PHI without unreasonable delay
- Ensure subcontractors who access PHI are bound by equivalent obligations
- Support covered entities' obligations to respond to client access requests
- Return or destroy PHI upon termination of the relationship
Google (Infrastructure / Subprocessor)
- Google Cloud infrastructure (where applicable): provides HIPAA-eligible services and signs BAAs for covered services
- Google Workspace: signs BAAs for covered Google Workspace services when configured for healthcare use
- Google Analytics and Google Tag Manager: not covered by any HIPAA BAA — Google explicitly excludes these from its healthcare agreements. These services are used only on the Hivemanager.io marketing site, which contains no PHI.
- Maintains SOC 2, ISO 27001, and other security certifications for its infrastructure
Technical safeguards in Hivemanager.io
Encryption in transit
All data transmitted between your browser and Hivemanager.io is encrypted using TLS 1.2 or higher. Connections are enforced over HTTPS.
Encryption at rest
Client health records, intake forms, and SOAP notes are encrypted at rest in our database infrastructure.
Access controls
Role-based permissions limit which staff members can view, edit, or export client health records within your clinic account.
Audit logging
Access to client records is logged. Clinic owners can review who accessed what and when.
Authentication
Account access requires email and password authentication. Multi-factor authentication is available and recommended for all staff accounts.
Infrastructure
Hivemanager.io runs on SOC 2-compliant cloud infrastructure. Data is hosted in secure, certified data centers.
Questions about compliance?
If you have questions about our data practices, need to execute a BAA, or want to understand how Hivemanager.io handles specific types of health information, contact us directly.
Disclaimer: This page provides general information about HIPAA and how Hivemanager.io approaches compliance. It is not legal advice. Whether HIPAA applies to your practice and what specific obligations you have depends on your clinic's activities and arrangements. Consult a licensed healthcare attorney for guidance specific to your situation. This page was last reviewed in May 2026.