HIPAA Compliance
Last updated: April 13, 2026
CoreJourney is built from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. Psychedelic facilitators handle sensitive client health information, and our platform is designed to ensure that data is protected at every layer.
This page outlines the specific technical, administrative, and organizational controls we have implemented to maintain compliance.
Encryption
Data at Rest
All Protected Health Information (PHI) stored in our databases is encrypted with AES-256, the NIST-standardized block cipher (FIPS 197). Encryption keys are managed through a dedicated key management service with automatic key rotation, so the keys never reside alongside the data they protect.
Data in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on every connection, with no fallback to unencrypted protocols, and send HTTP Strict Transport Security (HSTS) headers so that a browser which has visited the site once refuses plain HTTP for it from then on.
Database backups are also encrypted at rest, and all inter-service communications within our infrastructure use mutual TLS authentication.
Audit Logging
CoreJourney maintains comprehensive audit logs that track all access to Protected Health Information. Every interaction with PHI generates a tamper-resistant log entry that includes:
- The identity of the user who accessed the data
- The timestamp of the access event
- The type of action performed (view, create, update, delete, export)
- The specific records that were accessed
- The IP address and device information associated with the session
Audit logs are retained for a minimum of six years, in line with HIPAA's six-year documentation retention requirement (45 CFR 164.316(b)(2)). They are stored in a separate, access-restricted environment and cannot be modified or deleted by platform users or administrators.
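The following is an added illustration of the kind of tamper-evident log entry the section describes; it is not CoreJourney's code, and the field names, the genesis sentinel and the helper names are assumptions. Each entry carries the five fields listed above and a SHA-256 over its canonical JSON plus the previous entry's hash, so silently editing or removing any earlier entry breaks every link after it; verification walks the chain from the start and reports the first broken entry.

```python
"""Tamper-evident PHI audit trail (added example, not CoreJourney code).

Field names, GENESIS and helper names are assumptions. Each entry hashes its
own canonical JSON together with the previous entry's hash, so altering or
removing any entry invalidates every link after it.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

ACTIONS = {"view", "create", "update", "delete", "export"}  # action types from the page
GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) makes the digest reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: List[dict], user_id: str, action: str, record_ids: List[str],
                 ip: str, device: str, timestamp: Optional[datetime] = None) -> dict:
    """Append one access event, linking it to the entry before it."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    ts = timestamp or datetime.now(timezone.utc)
    body = {
        "user_id": user_id,            # who accessed the data
        "timestamp": ts.isoformat(),   # when
        "action": action,              # view / create / update / delete / export
        "record_ids": sorted(record_ids),  # which records
        "ip": ip,                      # session network address
        "device": device,              # session device information
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev_hash": prev, "body": body, "hash": _entry_hash(prev, body)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) for an intact chain, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or _entry_hash(prev, entry["body"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def sample_log() -> List[dict]:
    """Three constructed events with fixed timestamps so the chain is deterministic."""
    t0 = datetime(2026, 4, 13, 9, 0, tzinfo=timezone.utc)
    log: List[dict] = []
    append_entry(log, "fac-001", "view", ["client-42"], "203.0.113.7", "Chrome/macOS", t0)
    append_entry(log, "fac-001", "update", ["client-42"], "203.0.113.7", "Chrome/macOS",
                 t0.replace(minute=5))
    append_entry(log, "adm-002", "export", ["client-42", "client-43"], "198.51.100.9",
                 "Firefox/Windows", t0.replace(minute=30))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[1]["body"]["record_ids"] = ["client-99"]  # silent edit of an earlier entry
    print("after tampering:", verify_chain(log))
```

A hash chain makes tampering detectable, not impossible: whoever can rewrite the whole chain from the altered entry onward can hide the change, which is why the section's separate, write-restricted log store (or periodically anchoring the latest hash somewhere the log writer cannot touch) is the other half of the control.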
Access Controls
CoreJourney implements role-based access control (RBAC) to enforce the principle of least privilege: each user can reach only the data and functions their role requires.
- Facilitators have full access to their own client records and practice data
- Practice administrators can manage team members and billing without accessing client health records
- CoreJourney support staff cannot access PHI without explicit, time-limited authorization from the account holder
- Multi-factor authentication (MFA) is available and strongly recommended for all accounts
- Unique user IDs ensure individual accountability across the platform
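As an added example of how the role model above can be enforced in code (this is not CoreJourney's implementation; the permission names, the grant structure, the 60-minute cap on support grants and the helper names are assumptions), the check below scopes facilitators and practice administrators to their own practice, gives support staff no standing PHI permission, and lets PHI access by support happen only through an account-holder-issued grant that expires. The decision comes back with a reason string so the outcome can be written to the audit log.

```python
"""Least-privilege authorization with time-limited support access.

Added example, not CoreJourney's own code. Permission names, grant fields,
MAX_SUPPORT_GRANT and helper names are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

PHI_PERMISSIONS = {"phi:read", "phi:write", "phi:export"}

# Standing permissions per role, scoped to the user's own practice (assumed names).
ROLE_PERMISSIONS = {
    "facilitator": PHI_PERMISSIONS | {"practice:read"},
    "practice_admin": {"team:manage", "billing:manage", "practice:read"},
    "support": {"account:read"},  # no standing PHI access
}

MAX_SUPPORT_GRANT = timedelta(minutes=60)  # assumed upper bound on a grant's lifetime


def issue_support_grant(granted_by: str, support_user_id: str, practice_id: str,
                        permissions: set, now: datetime,
                        ttl: timedelta = timedelta(minutes=30)) -> dict:
    """Account holder authorizes one support user for specific PHI permissions, briefly."""
    if not permissions <= PHI_PERMISSIONS:
        raise ValueError("support grants may only cover PHI permissions")
    ttl = min(ttl, MAX_SUPPORT_GRANT)  # cap the lifetime regardless of what was requested
    return {
        "support_user_id": support_user_id,
        "practice_id": practice_id,
        "permissions": set(permissions),
        "granted_by": granted_by,
        "expires_at": now + ttl,
    }


def authorize(user: dict, permission: str, practice_id: str,
              grants: List[dict], now: datetime) -> Tuple[bool, str]:
    """Decide whether `user` may exercise `permission` on `practice_id` right now."""
    role = user.get("role")
    if role not in ROLE_PERMISSIONS:
        return False, f"unknown role {role!r}"

    if role != "support":
        # Facilitators and practice admins never cross practice boundaries.
        if user.get("practice_id") != practice_id:
            return False, "cross-practice access denied"
        if permission in ROLE_PERMISSIONS[role]:
            return True, f"standing permission of role {role}"
        return False, f"role {role} lacks {permission}"

    # Support staff: standing non-PHI permissions only; PHI needs a live grant.
    if permission in ROLE_PERMISSIONS["support"]:
        return True, "standing permission of role support"
    if permission not in PHI_PERMISSIONS:
        return False, f"role support lacks {permission}"
    for g in grants:
        if (g["support_user_id"] == user["id"] and g["practice_id"] == practice_id
                and permission in g["permissions"] and now < g["expires_at"]):
            return True, f"grant from {g['granted_by']} valid until {g['expires_at'].isoformat()}"
    return False, "no valid time-limited grant for PHI"


if __name__ == "__main__":
    now = datetime(2026, 4, 13, 10, 0, tzinfo=timezone.utc)  # constructed clock value
    support = {"id": "sup-009", "role": "support", "practice_id": None}
    print(authorize(support, "phi:read", "prac-1", [], now))
    grant = issue_support_grant("fac-001", "sup-009", "prac-1", {"phi:read"}, now)
    print(authorize(support, "phi:read", "prac-1", [grant], now))
    print(authorize(support, "phi:read", "prac-1", [grant], now + timedelta(minutes=31)))
```

Passing `now` in explicitly rather than reading the clock inside `authorize` keeps the expiry logic testable and makes it obvious that the decision is point-in-time: a grant that was valid when a support session began must be re-checked on each request, not cached for the session.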
Session Management
To limit the exposure created by unattended sessions, CoreJourney enforces an automatic session timeout after 15 minutes of inactivity. When a session times out:
- The user is logged out and returned to the sign-in screen
- Any unsaved work is preserved as a draft where possible
- Re-authentication is required to resume the session
- The timeout event is recorded in the audit log
Facilitators working in clinical settings can rely on this safeguard to reduce the risk of PHI exposure on shared or unattended devices.
Business Associate Agreement Management
CoreJourney executes a Business Associate Agreement (BAA) with every customer as part of the onboarding process. The BAA is a HIPAA-required contract that defines our obligations when handling PHI on your behalf.
We also maintain BAAs with all downstream subcontractors and service providers that may access PHI, ensuring the chain of compliance extends through our entire infrastructure.
For full details on our BAA policy, visit our BAA Policy page.
Breach Notification Procedures
In the unlikely event of a security breach involving PHI, CoreJourney follows a structured notification and response process:
Identification and Containment
Our security team identifies and contains the incident immediately upon discovery, isolating affected systems to prevent further exposure.
Investigation
We conduct a thorough investigation to determine the scope, cause, and impact of the breach, including which records and individuals may be affected.
Notification
Affected customers are notified without unreasonable delay and no later than 60 calendar days after discovery, the outer limit the HIPAA Breach Notification Rule sets for business associates (45 CFR 164.410). A breach counts as discovered on the first day it is known to us or, with reasonable diligence, would have been known. The notification includes a description of the incident, the types of PHI involved, steps taken to mitigate the breach, and recommended actions for the facilitator and their clients.
Remediation and Reporting
We implement corrective actions to prevent recurrence. Under the Breach Notification Rule, notice to affected individuals and to the U.S. Department of Health and Human Services (HHS) is the covered entity's obligation, so our notification gives facilitators what they need to meet it; where the BAA or applicable law requires it, we also report the breach to HHS and any applicable state authorities ourselves.
Employee Training
All CoreJourney employees and contractors with potential access to PHI or platform systems complete mandatory HIPAA training:
- Initial training during onboarding before any system access is granted
- Annual refresher training covering updates to HIPAA regulations and internal policies
- Role-specific training for engineering, support, and operations staff
- Documented completion records maintained for each employee
- Incident response tabletop exercises conducted quarterly
Employees who do not complete required training have their system access suspended until the training is fulfilled.
Infrastructure and Hosting
CoreJourney is hosted on cloud infrastructure provided by leading, HIPAA-eligible service providers. Our infrastructure includes:
- Geographically redundant data centers within the United States
- Automated failover and disaster recovery with a Recovery Point Objective (RPO) of less than one hour
- Network segmentation and firewalls isolating PHI from public-facing services
- Regular penetration testing and vulnerability scanning by third-party security firms
- Continuous monitoring with real-time alerting for suspicious activity
SOC 2 Attestation
CoreJourney is currently undergoing a SOC 2 Type II examination, in which an independent auditor attests that our controls for security, availability, processing integrity, confidentiality, and privacy are suitably designed and operated effectively over the review period. SOC 2 is an attestation report rather than a certification; we expect the audit to complete and the report to be issued by the end of 2026.
Your Role in Compliance
While CoreJourney provides the technical infrastructure for HIPAA compliance, facilitators share responsibility for protecting client data. We recommend:
- Enabling multi-factor authentication on your CoreJourney account
- Using strong, unique passwords and a trusted password manager
- Reviewing access permissions regularly if you have a multi-person practice
- Logging out of the platform when using shared or public devices
- Keeping your own HIPAA policies and procedures current
- Training any staff members who access the platform on proper data handling
Questions?
Contact us at hello@corejourney.co