HIPAA Compliance

How BetweenSessions.care protects your clients' health information

BetweenSessions.care is a product of NeuroHarbor LLC. It is a HIPAA-compliant platform for therapists to communicate with and monitor their clients. We implement comprehensive technical, administrative, and physical safeguards to protect Protected Health Information (PHI).

Business Associate Agreements

Microsoft Azure BAA

Status: Active. Automatically included via Microsoft Product Terms.

The HIPAA BAA covers all Azure services used by BetweenSessions.care. No separate contract signature required.

NeuroHarbor LLC BAA for Providers

Status: Required. Presented during subscription signup.

NeuroHarbor LLC (operating BetweenSessions.care) acts as your Business Associate. Our BAA outlines our respective responsibilities for protecting PHI.

Technical Safeguards

Encryption

Component        | At Rest                           | In Transit
-----------------|-----------------------------------|---------------------
Database         | TDE (Transparent Data Encryption) | TLS 1.2
File Storage     | AES-256                           | HTTPS only, TLS 1.2
Web Applications | N/A                               | HTTPS only, TLS 1.2

Access Controls

  • Unique User Identification: Providers use email + password with JWT tokens. Clients use secure magic link authentication.
  • Role-Based Access: Providers only see their own clients. Clients only see their own data.
  • Automatic Session Expiry: Authentication tokens expire automatically for security.

Audit Controls

Comprehensive audit logging is maintained for all database operations, file access, and authentication events. Logs are retained for 6 years (2,190 days) as required by HIPAA.

Administrative Safeguards

Data Access Policy

PHI is only accessible to:

  • The provider who created the client relationship
  • The client themselves
  • BetweenSessions.care system administrators (for support/maintenance only)

Physical Safeguards

All infrastructure is hosted on Microsoft Azure, which maintains:

  • SOC 1, SOC 2, SOC 3 certifications
  • ISO 27001 certification
  • HIPAA compliance for covered services
  • West US 2 data center location

Data We Protect

Data Type                    | Classification
-----------------------------|---------------
Client names and emails      | PHI
Journal entries and images   | PHI
Provider posts and messages  | PHI
File attachments             | PHI
Provider account information | PII

Your Responsibilities

As a Covered Entity using BetweenSessions.care, you acknowledge that:

  • You are a Covered Entity under HIPAA
  • You will only use the platform for legitimate healthcare purposes
  • You will maintain appropriate safeguards on your own devices and accounts
  • You will report any suspected security incidents to support@betweensessions.care

Questions?

For security or compliance questions, contact us at support@betweensessions.care.

Last updated: December 2025