Compliance · 7 min read · April 12, 2026

HIPAA Compliance for Psychedelic Facilitators: What You Actually Need

If you are a psychedelic facilitator collecting participant health information, you have HIPAA obligations. Full stop. This is true whether you are in Oregon, Colorado, New Mexico, or running a ketamine-assisted therapy practice in any state.

Many facilitators know they need to be "HIPAA compliant" but are unclear on what that actually means in practice. This guide covers the essentials: what HIPAA requires, what counts as Protected Health Information in a facilitation context, and how to build compliance into your daily workflows without overcomplicating it.

Does HIPAA Apply to Psychedelic Facilitators?

Yes. HIPAA applies to any entity that handles Protected Health Information (PHI) as part of providing healthcare services. Psychedelic facilitators collect and store:

  • Medical history and medication lists
  • Mental health screening results
  • Contraindication assessments
  • Informed consent documentation
  • Session notes (preparation, administration, integration)
  • Follow-up and integration records

All of this is PHI under HIPAA.

Even though facilitators are not physicians or licensed therapists in the traditional sense, the regulatory frameworks in Oregon and Colorado classify psilocybin services as a form of healthcare. If you collect health information from participants, HIPAA applies to you.

The Five Things HIPAA Actually Requires

HIPAA is often treated as a vague, intimidating standard. In practice, it breaks down into five concrete requirements for facilitators:

1. Encrypt Everything

All PHI must be encrypted both at rest (when stored) and in transit (when transmitted). This means:

  • Session notes stored on your computer or in the cloud must be encrypted (AES-256 is the standard)
  • Emails containing PHI must be sent through encrypted channels, not standard Gmail or Outlook
  • Any cloud storage holding participant records must use encryption

If your notes are in a Google Doc or a standard spreadsheet, they are not HIPAA-compliant. If you email session summaries through a regular email account, that is a violation.

2. Control Access

Only authorized individuals should have access to PHI. This means:

  • Password-protected accounts with strong, unique passwords
  • Two-factor authentication on any system that stores PHI
  • Session timeouts that automatically lock your screen after inactivity (15 minutes is the standard)
  • PHI that is not visible or accessible to others if you share a computer or workspace

3. Log Everything

HIPAA requires audit trails. You need to know who accessed what information and when. This means:

  • Your systems should log every access to participant records
  • You should be able to produce an access report if asked
  • Logs should be retained for a minimum of six years

For a solo facilitator, this feels like overkill. But if a participant files a complaint or a breach occurs, audit logs are what protect you.

4. Execute BAAs

A Business Associate Agreement (BAA) is a legal contract between you and any third-party service that handles PHI on your behalf. If you use a cloud platform to store notes, a scheduling tool that captures health information, or a billing system that links to participant records, you need a BAA with that vendor.

Common services that require BAAs:

  • Practice management platforms
  • Cloud storage providers (Google Workspace, Dropbox for Business)
  • Email services that transmit PHI
  • Payment processors (if they touch health data)

Notably, standard consumer tools like free Gmail, Calendly, and Google Forms do not offer BAAs. Using them for PHI is a compliance gap.

5. Have a Breach Response Plan

HIPAA requires a documented plan for what happens when (not if) a data breach occurs. Your plan should cover:

  • How you will identify and contain the breach
  • How you will notify affected participants (within 60 days of discovery)
  • How you will notify the Department of Health and Human Services
  • What corrective actions you will take

You do not need a 50-page incident response manual. A one-page document covering these four steps is sufficient for a solo practice.

Common HIPAA Mistakes Facilitators Make

Using Google Forms for intake: Google Forms is not HIPAA-compliant. Google does not sign BAAs for its free consumer products. If you collect medical history or screening data through Google Forms, that is a violation.

Texting participants about sessions: Standard SMS is not encrypted. Discussing session details, health information, or scheduling that reveals someone is receiving psychedelic services over text is a compliance risk.

Storing notes in unencrypted files: A Word document on your desktop is not encrypted. A spreadsheet in personal Google Drive is not encrypted. Notes must be stored in systems with at-rest encryption and access controls.

No session timeout on devices: If your laptop stays unlocked and a participant's records are visible, anyone who walks by has unauthorized access to PHI. Set a 15-minute screen lock at minimum.

Skipping BAAs with vendors: Many facilitators use tools like Calendly, Notion, or Airtable without checking whether those services offer BAAs. If the service touches PHI and there is no BAA, you are out of compliance.

Building Compliance Into Your Practice

The easiest way to handle HIPAA compliance is to use tools that are compliant by default, rather than trying to retrofit compliance onto consumer tools.

A purpose-built practice management platform like CoreJourney handles encryption, audit logging, session timeouts, and BAA management as part of the core architecture. You do not need to think about whether your notes are encrypted or whether your vendor has signed a BAA, because those safeguards are built into every feature.

If you prefer to assemble your own stack, make sure every tool that touches PHI:

  • Offers a BAA (ask before you sign up)
  • Encrypts data at rest and in transit
  • Provides audit logging
  • Supports access controls and session timeouts

The Cost of Non-Compliance

HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. For a solo facilitator, a single complaint or breach investigation can be financially devastating.

Beyond fines, a HIPAA violation damages the trust that is foundational to facilitation work. Participants share deeply personal health information. They need to know it is protected.

Compliance is not a checkbox. It is the foundation of a professional practice.


CoreJourney is the only practice management platform built for psychedelic facilitators. Preparation, administration, and integration workflows in one HIPAA-compliant system.
