Legal

HIPAA & Your Health Information

Effective date: April 23, 2026 · Last updated: April 23, 2026

Important: This page is informational. It is not a HIPAA Notice of Privacy Practices. A Notice of Privacy Practices is a document your child's speech-language pathologist (SLP) — as the HIPAA Covered Entity — is responsible for providing directly to you. If you have not received your SLP's Notice of Privacy Practices, please ask them for it.

Plain-language summary: HIPAA is the US law that protects health information. Your child's SLP is the "Covered Entity" primarily responsible for HIPAA compliance. Speech by Katie LLC (d/b/a Talkli) acts as a "Business Associate" — we store and process health information on behalf of the SLP, under a Business Associate Agreement. This page explains how we support SLPs in meeting their HIPAA obligations and how you can exercise your HIPAA rights through your SLP.

1. About this page

Under HIPAA, the document that informs patients and families about their health information rights is called a "Notice of Privacy Practices" (NPP). An NPP must be issued by the Covered Entity that provides care — in this case, your child's speech-language pathologist.

This page is not that notice. Instead, this page explains the role Speech by Katie LLC (doing business as Talkli) plays as a Business Associate to SLPs using the platform, the safeguards we apply, and how HIPAA rights reach us through the SLP. For the authoritative statement of your rights under HIPAA in relation to your child's therapy, please refer to the Notice of Privacy Practices provided by the treating SLP.

2. About HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations establish national standards for protecting individuals' medical records and other identifiable health information, collectively referred to as "Protected Health Information" (PHI).

HIPAA applies directly to "Covered Entities" — including licensed healthcare providers such as speech-language pathologists — and their "Business Associates," which are companies that perform services involving PHI on behalf of Covered Entities.

3. Talkli's role under HIPAA

Speech by Katie LLC (d/b/a Talkli) operates as a Business Associate to licensed speech-language pathologists who use our platform to deliver services to their patients. The SLP is the Covered Entity under HIPAA and bears primary responsibility for HIPAA compliance in relation to your child's health information.

Talkli enters into Business Associate Agreements (BAAs) with SLPs using the platform, committing us to:

Use PHI only as necessary to provide the Talkli service, or as otherwise permitted under the BAA
Implement administrative, physical, and technical safeguards to protect PHI
Report any breach of unsecured PHI to the affected SLP without unreasonable delay
Ensure that our subcontractors who handle PHI on our behalf agree to equivalent protections
Return or destroy PHI upon termination of the relationship, where feasible
Make our practices available to the US Department of Health and Human Services (HHS) as required for compliance reviews

If you are a parent or family member, your primary HIPAA rights are exercised through your child's SLP. You may also contact Talkli directly using the information at the end of this page, and we will coordinate with your SLP as appropriate.

4. Protected Health Information we handle

In the course of providing the Service, Talkli may store and process the following categories of PHI on behalf of SLPs:

Child identifiers: name, date of birth
Diagnosis codes (ICD-10) and clinical descriptions
Therapy goals, target sounds, and current accuracy levels
Session notes, observations, and progress summaries
CPT procedure codes and fee information
Superbill records and e-signatures
Home practice session results and accuracy data

Consistent with the principle of minimum necessary, the Talkli system does not collect or store Social Security numbers, driver's license numbers, or other government-issued identifiers, and does not store payment card data. Parents may use a first name or a nickname in a child profile if they prefer additional privacy.

5. Permitted uses and disclosures

Talkli uses and discloses PHI only in the following circumstances:

Treatment and service delivery

PHI is used to provide the core functions of the Talkli platform — displaying clinical notes and goals to connected family members, generating practice content, and producing superbills — all at the direction of the treating SLP.

Third-party AI processing (optional features)

When an SLP or parent uses Talkli's optional AI features (such as the practice content generator or the parent AI assistant), the content submitted to those features is transmitted to our AI subprocessor (currently Anthropic) and may include PHI. This subprocessor is bound by a written agreement that (a) permits use of the data only to provide the AI service to Talkli, (b) prohibits use of the data to train AI models, and (c) requires confidentiality and security protections. Use of AI features is optional.

Healthcare operations

We may use de-identified data to improve the Service, conduct quality assurance, and develop new features. We de-identify data using the HIPAA Safe Harbor method under 45 CFR § 164.514(b)(2), which requires removal of the 18 categories of direct identifiers specified in the rule. Data de-identified in this manner is not PHI and is not subject to HIPAA restrictions.

As required by law

We will disclose PHI when required by applicable law, court order, or government authority, and will notify the affected SLP to the extent permitted by law.

With authorization

Any uses or disclosures not described above require written authorization from the individual (or their personal representative), which may be revoked at any time as provided under HIPAA.

We will not use or disclose PHI for marketing, for fundraising, or for "sale of PHI" (as that term is defined at 45 CFR § 164.502(a)(5)(ii)) without valid written authorization where one is required under HIPAA.

6. Exercising HIPAA rights

HIPAA gives patients and their personal representatives certain rights regarding PHI. These rights run against the Covered Entity — in this case, your child's SLP — not against Talkli as a Business Associate. Talkli provides the tools that enable the SLP to honor these rights, and will coordinate with the SLP on any request that reaches us.

If you wish to exercise any of the following rights, please contact your child's SLP first. You may also contact Talkli at privacy@talkli.ai and we will route the request appropriately.

Right to access

To inspect and obtain a copy of PHI maintained about your child. Your SLP responds to the request; Talkli supports export where needed.

Right to amend

To request correction of inaccurate or incomplete PHI. The SLP may deny the request if the information is accurate and complete.

Right to an accounting of disclosures

To request a list of certain disclosures of PHI made by the SLP in the past six years (other than for treatment, payment, or operations).

Right to request restrictions

To ask the SLP to restrict certain uses or disclosures of PHI. The SLP is not required to agree, but if they do, they are generally bound by the restriction.

Right to confidential communications

To request that the SLP communicate with you about PHI in a particular way or at a particular location.

Right to the SLP's Notice of Privacy Practices

Your child's SLP is required to provide you with their Notice of Privacy Practices, which fully describes your HIPAA rights and how to exercise them.

7. Safeguards

Talkli implements administrative, physical, and technical safeguards to protect PHI, including:

Administrative: Staff training on privacy and security, access policies, workforce-member confidentiality obligations, and a designated privacy contact
Technical: Encrypted data transmission (TLS/HTTPS), encryption of data at rest, row-level security on all database tables, role-based access controls that limit each user to only the data they need, and secure authentication with email verification
Physical: Data stored in reputable US-based cloud infrastructure (currently Supabase running on AWS), which maintains industry-recognized security certifications

8. Breach notification

In the event of a breach of unsecured PHI, Talkli will notify affected SLPs (as Covered Entities) without unreasonable delay and in no case later than the time required under our Business Associate Agreement with that SLP. The outer HIPAA limit is 60 days after discovery of the breach (45 CFR § 164.410), and our standard BAA commits Talkli to notification within a substantially shorter window to give the SLP time to meet their own 60-day notification deadline to affected individuals and, where applicable, to HHS and the media.

The SLP, as the Covered Entity, remains responsible for notifying affected individuals and, where required, the US Department of Health and Human Services (HHS). Talkli will cooperate fully with affected SLPs and HHS in any investigation of a breach.

9. SLP responsibilities

Speech-language pathologists who use Talkli and are Covered Entities under HIPAA are responsible for:

Providing their own Notice of Privacy Practices to patients and families, as required by 45 CFR § 164.520
Obtaining appropriate patient authorizations where required by HIPAA and by applicable state law (note that some states require specific consent for certain categories of minor health records; the SLP is responsible for determining what state rules apply)
Managing patient access, amendment, accounting, restriction, and confidential-communication rights
Entering into a BAA with Speech by Katie LLC before using the platform for PHI (SLPs can request a BAA by emailing privacy@talkli.ai)
Ensuring that their use of Talkli is consistent with their own HIPAA compliance program, applicable state licensure rules, and professional ethics standards

10. Contact and complaints

If you have questions about how Talkli handles PHI as a Business Associate, please contact our Privacy Officer:

Speech by Katie LLC d/b/a Talkli — Privacy Officer

Email: privacy@talkli.ai

Tampa Bay, Florida, United States

To exercise HIPAA rights regarding your child's records, please contact your child's SLP first. You have the right to file a complaint with your SLP, with the US Department of Health and Human Services, or both, if you believe your privacy rights have been violated. Filing a complaint will not result in retaliation against you.

HHS Office for Civil Rights: www.hhs.gov/ocr/privacy/hipaa/complaints · 1-800-368-1019