Frequently asked questions

We're an AI-native EHR. The receptionist that answers your phone is built into the product (it's not a third-party integration you add later). The note-drafting AI, the treatment-plan drafting AI, the crisis-pattern detector, the audit anomaly review — all native, all gated by a per-patient opt-out, all reviewed by you before anything reaches a chart or a patient.

TherapyNotes and SimplePractice are mature EHRs with strong feature sets and large customer bases. They've added AI note-taking as a paid add-on ($35-40/month extra). Harbor's AI is included in the base price and integrated end-to-end.

Yes, for the practice-managed billing path: Harbor generates Stedi-compliant 837P claims, submits them to payers, tracks 277CA acknowledgments, and posts 835 ERA payments to invoices. Your therapist is the rendering provider; your practice is the billing provider. We don't take a cut of revenue.

What we don't do: we are NOT a payer-network like Headway, Alma, or Grow Therapy. We don't aggregate clinicians under our Tax ID. If you want someone else to be the billing entity and to credential you on insurance panels, those platforms are a better fit.

No. Credentialing is its own industry — Headway, Alma, and Grow Therapy specialize in it. Harbor assumes you're already credentialed (or self-pay) and gives you the software side: the EHR, the AI receptionist, the patient portal, the billing pipeline. If you need credentialing, pair us with one of those services or work with an independent credentialer.

Yes. Harbor is a HIPAA Business Associate; we sign a BAA with every practice on signup. BAAs are executed with AWS (cloud + AI), Paubox (email), and Stedi (eligibility/claims). Voice and SMS transport runs on SignalWire and Retell, whose BAAs are in active negotiation; until they’re executed we keep PHI off any path those vendors carry. Data is encrypted in transit (TLS 1.2+) and at rest (AWS KMS). MFA is required for all clinician accounts. Every action is audit-logged immutably for 6 years per HIPAA §164.530(j). Current BAA status is on the HIPAA page.

You own it. On cancellation you get a 90-day window to export everything via the dashboard's data-export tools. Your records remain accessible through the patient portal during that window so you can transition cleanly. After 90 days we delete or anonymize except where state law requires longer retention (Oregon: 7 years for adult clinical records, longer for minors).

We import from CSV today (basic patient demographics + insurance + contact info). Direct EHR-to-EHR migration is on the roadmap but requires custom work per source — contact us during onboarding and we'll scope it. For most practices the CSV path covers 90% of what they need; clinical history typically stays in the previous EHR's archive.

With your direction, Harbor's AI drafts notes from session transcripts or your dictation, drafts treatment plans from intake data, drafts portal-message replies, suggests billing codes (ICD-10 and CPT), summarizes call recordings, and flags risk indicators so they reach you in time. You review and approve everything before it enters a chart or reaches a patient. The AI never sends a note, posts a reply, or makes a clinical decision on its own.

Yes. Every patient can opt out of AI processing of their record. When a patient opts out, Harbor stops running AI on their PHI: their notes are written manually, their portal replies are written manually, their record is not included in any per-practice AI tuning. Opt-out doesn't affect their care; the clinician adapts the workflow.

About 30 minutes for the basics: practice info, hours, your AI receptionist greeting, insurance carriers accepted, calendar connection, your professional credentials and licensing board. The full Compliance Settings (which fill in your jurisdiction's variables on patient-facing legal documents) take another 15 minutes. You can start taking calls the same day.

Honest answer: Harbor is a pre-launch C-corp as of 2026. We have funding runway but no business is guaranteed to survive. Our commitments to mitigate the risk:

• Your data is exportable in standard formats at any time.
• Our 90-day post-cancellation retention window applies even in a shutdown scenario.
• We hold cybersecurity insurance and professional liability insurance.
• If we were acquired, the successor would honor the BAA + your data retention rights.
• We will not sell patient PHI under any circumstances.

For self-pay and commercial insurance: fully supported. For Medicare and Medicaid: the EHR + scheduling + AI features work the same, but we don't yet have the dedicated Medicare/Medicaid claims-submission flow that some practices need. If 80%+ of your billing is Medicare or Medicaid, pair Harbor with a Medicare-experienced biller (or wait until our Medicare/Medicaid flow lands).

Harbor's software runs anywhere in the United States; nothing is geo-restricted. The COMPLIANCE side is more nuanced:

• Your state-specific legal documents (HIPAA NPP, Patient Rights, Telehealth Consent, Mandated Reporter agency, etc.) interpolate variables from your Practice Compliance Settings.
• We do not hardcode any state-specific facts ourselves.
• For telehealth: you must be licensed in the state where your patient is physically located at session time.

Today our launch focus is Oregon and the West Coast. We'll grow geographically as we sign customers.

Yes. Ellie (the AI receptionist) has direct access to your Google Calendar after OAuth. She offers your real availability, books the slot, sends the patient a confirmation, and emails you a summary. She handles new-patient intake (collects name, DOB, insurance, presenting concern), sends the PHQ-9 and GAD-7 to complete after the call, and detects crisis language in real time with a 988 referral.

SMS reminders use non-PHI message text only (e.g. “Reminder: appointment tomorrow at 2pm with your therapist” — no diagnosis, no clinical detail). Patients must opt in; STOP / START / HELP are handled per FCC TCPA rules. The SignalWire BAA covering the voice and SMS transport is in active negotiation and not yet executed; until it’s signed we keep PHI off SMS entirely and fall back to email (Paubox, BAA executed) for any message that would otherwise carry sensitive content.

$397/month for the first 20 founding-member practices (lifetime rate as long as you stay subscribed). $597/month thereafter. No setup fee, no per-seat extras, no per-patient charges, no per-call charges. Includes everything — AI receptionist, EHR, patient portal, billing, intake screening, crisis detection, telehealth, audit dashboards. Monthly billing via Stripe. First 30 days money-back; after that, cancel any time end-of-period.

See full pricing →