Business Associate Agreement Policy

Last updated: April 13, 2026

What Is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally binding contract required by the Health Insurance Portability and Accountability Act (HIPAA). It establishes the responsibilities and obligations between a Covered Entity (such as a healthcare provider or psychedelic facilitator) and a Business Associate (a third-party service provider that handles Protected Health Information on their behalf).

When you use CoreJourney to manage client records, session notes, intake forms, or any other health-related data, you are entrusting us with Protected Health Information (PHI). The BAA defines exactly how we are permitted to use, store, and safeguard that information.

Without a BAA in place, sharing PHI with a third-party service provider is a violation of HIPAA. CoreJourney takes this obligation seriously and ensures every customer has a signed BAA before any PHI is processed through our platform.

CoreJourney's BAA Commitment

CoreJourney executes a Business Associate Agreement with every customer as a standard part of our onboarding process. There is no additional cost, no separate negotiation required, and no exceptions.

We believe that HIPAA compliance should not be an afterthought or an add-on. It is built into how we operate. Every facilitator who signs up for CoreJourney receives a BAA before they begin using the platform, ensuring that your practice is protected from day one.

What the BAA Covers

Our Business Associate Agreement addresses the following areas:

PHI Handling and Use

The BAA specifies the permitted uses and disclosures of Protected Health Information. CoreJourney may only access, store, or process PHI for the purpose of providing the Service. We do not use PHI for marketing, analytics, product development, or any purpose outside the scope of the agreement.

Safeguards and Security

We are required to implement administrative, physical, and technical safeguards to protect PHI against unauthorized access, use, or disclosure. This includes encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access controls, audit logging, automatic session timeouts, and regular security assessments.

Breach Notification

In the event of a security incident involving unauthorized access to or disclosure of PHI, CoreJourney is obligated to notify the affected customer without unreasonable delay and no later than 60 days after discovery. The notification will include a description of the incident, the types of information involved, the steps we are taking to investigate and mitigate the breach, and recommendations for the facilitator to protect affected clients.

Subcontractors

If CoreJourney engages any subcontractor that may access PHI, we are required to execute a BAA with that subcontractor as well, ensuring the same level of protection flows through the entire chain of custody.

Data Disposal

Upon termination of the agreement or at the customer's request, CoreJourney will securely destroy or return all PHI in our possession within 30 days. Destruction methods meet NIST SP 800-88 guidelines for media sanitization, ensuring that data cannot be recovered after deletion.

Individual Rights

The BAA confirms that CoreJourney will support the facilitator in fulfilling their obligations to clients, including responding to individual requests for access to PHI, amendment of records, and accounting of disclosures, as required by HIPAA.

How to Request a Copy

If you are a current CoreJourney customer and would like a copy of your executed BAA, you can:

Download it directly from your account settings within the platform
Email us at hello@corejourney.co, and we will send a copy within two business days

If you are evaluating CoreJourney and would like to review our BAA template before signing up, contact us and we will provide a copy for your review.