PRIVATE.ME PLATFORM

xTherapy: Mental Health Data Protection

Enhanced protection for mental health records under 42 CFR Part 2. XorIDA splits psychotherapy notes, xRedact strips identifying information, and HMAC chains maintain consent records.

Healthcare COMING SOON XorIDA Powered
Section 01

The Problem

Mental health and substance abuse treatment records have the strongest legal protections (42 CFR Part 2) but the weakest technical protections. A single EHR breach exposes the most stigmatized health data.

42 CFR Part 2 requires explicit patient consent for every disclosure of substance abuse treatment records. But EHR systems store these records alongside general health data, creating inadvertent disclosure risks during care coordination.

Psychotherapy notes deserve even stronger protection — they contain the most intimate details of a patient’s life. Under HIPAA, psychotherapy notes have special status but are rarely technically segregated.

The Old Way

[Diagram: a health record with sensitive PHI, unprotected, held by a single custodian with full data access. The custodian is a single point of failure, and a breach becomes a mass data leak.]
Section 02

The PRIVATE.ME Solution

xTherapy XorIDA-splits mental health records so they are technically isolated from general health data. xRedact strips identifying information for research use. Consent is HMAC-chained and DID-signed.

Psychotherapy notes and substance abuse records are XorIDA-split across independent custodians. Access requires patient consent via xLock push-auth plus threshold reconstruction. General EHR access never reaches these records.

Research access uses xRedact to strip identifying information before sharing. Consent records are HMAC-chained so every disclosure is tamper-evidently logged for 42 CFR Part 2 compliance.

The New Way

[Diagram: data input (patient data) → XorIDA split (K-of-N shares) → Custodian A (share 1), Custodian B (share 2), Custodian N (share N) → reconstruct (threshold K).]
Section 03

How It Works

xTherapy layers XorIDA split-storage on top of EHR systems with xRedact de-identification and HMAC-chained consent management.

[Diagram: Ingest (validate) → XorIDA Split (K-of-N) → Distribute (multi-node) → HMAC Verify (per-share) → Reconstruct (threshold OK).]
Key Security Properties
Mental health records are XorIDA-split and technically isolated from general EHR. Patient consent is cryptographically enforced via xLock. Every disclosure is HMAC-logged. Research access is de-identified via xRedact.
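
The HMAC-chained disclosure log described above, sketched as an added example (not xTherapy or xProve code): each record's HMAC-SHA256 tag covers the previous tag, so editing or dropping an earlier disclosure breaks verification. The record fields, key handling and function names are assumptions; the page does not specify the real format.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');
const GENESIS = '0'.repeat(64); // fixed anchor used as the "previous tag" of record 0

// Fixed field order keeps the MAC input byte-stable (field names are assumed).
const canonical = (r) =>
  JSON.stringify([r.seq, r.patientDid, r.recipient, r.purpose, r.grantedAt]);

// Each tag covers the previous tag plus this record, which links the chain.
const tagFor = (key, prevTag, r) =>
  createHmac('sha256', key).update(prevTag + '\n' + canonical(r)).digest('hex');

function appendConsent(chain, key, fields) {
  const prevTag = chain.length ? chain[chain.length - 1].tag : GENESIS;
  const rec = { seq: chain.length, ...fields, prevTag };
  return [...chain, { ...rec, tag: tagFor(key, prevTag, rec) }];
}

// Returns -1 if intact, else the index of the first failing record.
// expectedHead (the last tag, stored outside the log) is what catches tail
// truncation: a shortened chain is still internally consistent.
function verifyChain(chain, key, expectedHead) {
  let prevTag = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    const want = Buffer.from(tagFor(key, prevTag, e), 'hex');
    const got = Buffer.from(String(e.tag), 'hex');
    const ok = e.seq === i && e.prevTag === prevTag &&
      got.length === want.length && timingSafeEqual(got, want);
    if (!ok) return i;
    prevTag = e.tag;
  }
  return expectedHead !== undefined && prevTag !== expectedHead ? chain.length : -1;
}

function demo() {
  const key = Buffer.from('constructed-demo-key'); // constructed; use a managed secret
  const base = { patientDid: 'did:example:patient-1', purpose: 'treatment' };
  let chain = [];
  for (const [recipient, grantedAt] of [['provider-a', '2026-01-05T10:00:00Z'],
    ['provider-b', '2026-01-09T14:30:00Z'], ['lab-c', '2026-02-01T09:15:00Z']]) {
    chain = appendConsent(chain, key, { ...base, recipient, grantedAt });
  }
  const head = chain[chain.length - 1].tag;
  const edited = chain.map((e, i) => (i === 1 ? { ...e, recipient: 'insurer-x' } : e));
  const cut = chain.slice(0, 2);
  return { intact: verifyChain(chain, key, head), edited: verifyChain(edited, key, head),
    cutNoHead: verifyChain(cut, key), cutWithHead: verifyChain(cut, key, head) };
}
```

Because HMAC is symmetric, whoever verifies the chain must hold the key, and the head tag has to be kept outside the log for truncation to be detectable.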
Section 04

Use Cases

  • 🧠 Mental Health: Psychotherapy Notes. Technically isolate psychotherapy notes from general health records. [42 CFR Part 2]
  • 💊 Substance Abuse: Treatment Records. Consent-gated access to substance abuse treatment records. [SUD]
  • 🔍 Research: De-Identified Research. xRedact-stripped mental health data for research without patient identification. [Research]
  • 📋 Compliance: Consent Chain. HMAC-chained consent records proving every disclosure was authorized. [Compliance]
Section 05

Integration

Quick Start
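import { MindVault } from '@private.me/xtherapy';

// patientDid, providerA, providerB, backupNode, therapyNote and consentToken
// are supplied by the calling application.
// Note: the signature below declares that create() resolves to a
// Result<MindVault, MindError>; check it for an error before using the vault.
const vault = await MindVault.create({
  patientDid: patientDid,
  custodians: [providerA, providerB, backupNode], // n = 3 share holders
  threshold: { k: 2, n: 3 }                       // K-of-N reconstruction threshold
});
// Store a note together with the patient's consent token.
await vault.store(therapyNote, { consent: consentToken });

MindVault.create(opts): Promise<Result<MindVault, MindError>>
Creates a split-storage vault for mental health records with consent-gated access and HMAC-chained disclosure logging.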
Section 06

Security Properties

| Property | Mechanism | Guarantee |
|----------|-----------|-----------|
| Records | XorIDA split isolated | Separate from general EHR |
| Consent | HMAC-chained + xLock | Per-disclosure auth |
| Research | xRedact de-identification | 4-layer PII strip |
| Audit | HMAC-chained log | 42 CFR Part 2 compliant |

  • $5.1B: Behavioral health IT
  • K-of-N: Split storage
  • HMAC: Consent chain

VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL
Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.


© 2026 StandardClouds Inc. dba PRIVATE.ME. All rights reserved.

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

xTherapy generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.


Use Cases

  • 🏛️ Regulatory: FDA / SEC Submissions. Prove algorithm correctness for distributed systems without exposing trade secrets or IP. [Zero IP Exposure]
  • 🏦 Financial: Audit Without Access. External auditors verify secure operations without accessing source code or production systems. [FINRA / SOX Compliant]
  • 🛡️ Defense: Classified Verification. Security clearance holders verify distributed systems correctness without clearance for source code. [CMMC / NIST Ready]
  • 🏢 Enterprise: Procurement Due Diligence. Prove security + correctness during RFP evaluation without NDA or code escrow. [No NDA Required]

Deployment Options

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/xtherapy
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included

Enterprise On-Premise Deployment

While xTherapy is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

  • Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
  • Air-gapped environments — SCIF, classified networks, offline operations
  • Data residency requirements — EU GDPR, China data laws, government mandates
  • Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.
