
Adaptive Health Psychology PLLC
Grounded in science, guided by compassion
Privacy Policy
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This notice relates to HIPAA (Health Insurance Portability and Accountability Act). A full review of the HIPAA Privacy Rule may be found at www.hhs.gov/ocr/hipaa.
Adaptive Health Psychology PLLC (referred to throughout this Notice as “we,” “our,” or “the Practice”) is committed to protecting the privacy of your health information.
This Notice of Privacy Practices (“NPP”) is provided to you as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the Privacy Rule (45 C.F.R. Parts 160 and 164) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This Notice explains:
• How we may use and share your Protected Health Information (PHI);
• Your rights regarding your PHI; and
• Our legal duties and privacy practices with respect to your PHI.
We are required by law to: (1) maintain the privacy of your PHI; (2) provide you with this Notice of our legal duties and privacy practices; (3) notify you if we are unable to agree to a requested restriction; and (4) notify you following a breach of your unsecured PHI.
Section 1: What Is Protected Health Information (PHI)?
"Protected Health Information" or "PHI" means individually identifiable health information that is created, received, maintained, or transmitted by our Practice in any form or medium—whether electronic, paper, or oral—that relates to your past, present, or future:
• Physical or mental health condition;
• Provision of health care to you; or
• Payment for the provision of health care to you.
Examples of PHI include, but are not limited to: your name, address, date of birth, Social Security number, diagnosis and treatment information, appointment records, billing information, progress notes, assessment results, medication information, and any other information that could reasonably be used to identify you and your health care.
How We Collect PHI in Our Virtual Practice
As a telehealth-based psychology practice, we collect PHI through multiple channels, including:
-
Intake forms and questionnaires completed electronically prior to your first appointment
-
Video and audio sessions conducted via HIPAA-compliant, encrypted telehealth platforms (e.g., platforms that use end-to-end encryption and Business Associate Agreements (BAAs));
-
Secure messaging and electronic communication transmitted through our encrypted patient portal;
-
Telephone calls and voicemail messages;
-
Electronic health record (EHR) entries, including clinical notes, assessments, and treatment plans;
-
Insurance and billing information you provide; and
-
Information received from other health care providers, schools, or agencies with your authorization.
How We Protect Your PHI
We take the protection of your PHI seriously and employ the following safeguards:
Technical Safeguards
-
All telehealth sessions are conducted on platforms that comply with HIPAA Security Rule requirements and are covered by a signed Business Associate Agreement (BAA);
-
Data is encrypted in transit (using TLS/SSL protocols) and at rest using industry-standard encryption;
-
Access to your electronic records is password-protected and limited to authorized staff only;
-
We use a secure, HIPAA-compliant Electronic Health Record (EHR) system.
Administrative Safeguards
-
All staff and contractors with access to PHI receive HIPAA privacy and security training;
-
We maintain written privacy and security policies and procedures;
-
We conduct regular risk assessments of our information systems.
Physical Safeguards
-
Any paper records are stored in locked, secure locations;
-
Computer screens displaying PHI are not visible to unauthorized individuals;
-
Paper documents containing PHI are shredded when no longer needed.
Section 2: How We May Use and Disclose Your PHI
We are permitted or required to use and disclose your PHI in the following circumstances without your written authorization unless a more stringent state law applies.
A. Uses and Disclosures for Treatment, Payment, and Health Care Operations Treatment
We may use and disclose your PHI to provide, coordinate, or manage your mental health treatment and any related services. This includes:
-
Sharing relevant clinical information with other treating health care providers on your care team (e.g., your primary care physician, psychiatrist, or specialist) as necessary and appropriate for your care;
-
Consulting with other licensed mental health professionals about your care;
-
Referring you to another provider or specialist and transmitting relevant records; and
-
Coordinating care with hospitals, laboratories, pharmacies, or other health care facilities involved in your treatment.
Example: We may share relevant portions of your treatment history with a psychiatrist who is evaluating you for medication management at your request or as clinically necessary.
Payment
We may use and disclose your PHI to obtain payment for the services we provide to you. This includes:
-
Submitting claims to your health insurance company, managed care organization, or other third-party payer;
-
Communicating with your insurer regarding coverage, benefits, and authorization for services;
-
Responding to audits or requests for documentation from your insurer;
-
Billing and collections activities, including coordination of benefits with multiple insurers; and
-
Providing information to a billing service or collection agency acting as our Business Associate under a signed BAA.
Example: We will include diagnosis codes, service dates, and procedure codes on claims submitted to your health insurer to obtain reimbursement for your sessions.
Health Care Operations
We may use and disclose your PHI for our internal health care operations, which are necessary to run our practice and ensure the quality of care we provide. This includes:
-
Quality assessment and improvement activities
-
Internal case review and peer consultation for quality assurance purposes;
-
Staff training, supervision, and competency evaluation;
-
Administrative, financial, legal, and compliance functions;
-
Conducting or arranging for audits of our records;
-
Business planning and development activities; and
-
Credentialing and licensing verifications.
Example: We may review a sample of treatment records to evaluate whether our documentation meets professional and regulatory standards.
B. Other Uses and Disclosures Permitted Without Your Authorization
In addition to treatment, payment, and health care operations, we may use or disclose your PHI in the following circumstances without your authorization:
As Required by Law
-
We will disclose your PHI when required to do so by applicable federal, state, or local law, including disclosures to government agencies and oversight bodies.
Public Health Activities
-
We may disclose PHI to authorized public health authorities for activities authorized by law, including reporting of disease, injury, or vital statistics; reporting abuse, assault, or neglect; and reporting adverse events or product defects to the FDA.
Health Oversight Activities
-
We may disclose PHI to health oversight agencies (such as state licensing boards) for activities authorized by law, including audits, investigations, and inspections necessary for oversight of the health care system.
Judicial and Administrative Proceedings
-
We may disclose PHI in response to a court order, subpoena, discovery request, or other lawful process (see Section 4 for additional detail).
Law Enforcement
-
We may disclose PHI to law enforcement officials as permitted by law, such as to report a crime on our premises, to identify or locate a suspect, or in response to a valid legal process.
Serious Threats to Health or Safety
-
We may use or disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and our professional ethical obligations (see Section 4).
Research
-
We may use PHI for research purposes only with appropriate authorization, a waiver of authorization approved by an Institutional Review Board (IRB) or Privacy Board, or when the research involves only a review of decedent information.
Incidental Disclosures
-
We may make incidental uses and disclosures that are a by-product of an otherwise permitted use or disclosure, provided we have implemented reasonable safeguards and the minimum necessary standard has been applied.
C. Disclosures Requiring Your Written Authorization
The following uses and disclosures of your PHI require your specific, written authorization before we may proceed:
-
Most disclosures of psychotherapy notes (see Section 5 for a full explanation);
-
Uses or disclosures of PHI for marketing purposes;
-
Sale of PHI;
-
Use or disclosure of PHI for purposes not otherwise described in this Notice; and
-
Sharing your records with individuals or organizations not directly involved in your care or payment, unless otherwise permitted by law.
You have the right to revoke any authorization you have provided, in writing, at any time. Your revocation will not apply to uses or disclosures already made in reliance on your prior authorization.
Section 3: Your Rights Regarding Your PHI
You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our administrator. We will respond to your request within the timeframes required by applicable law.
A. Right to Request Restrictions
You have the right to ask us to restrict the ways in which we use or disclose your PHI for treatment, payment, or health care operations purposes. You may also request that we limit disclosures to family members, friends, or other individuals involved in your care.
Important limitations:
-
We are not required to agree to your requested restriction, except in one circumstance: if you request that we not disclose PHI to a health plan (insurer) for payment or health care operations purposes, and you have paid for the service entirely out-of-pocket, we are required to honor that restriction
-
If we agree to a restriction, we must abide by it except in emergency treatment situations.
-
Either party may terminate an agreed-upon restriction with notice; however, termination by us will not apply to PHI already disclosed in reliance on the restriction.
-
To request a restriction, please contact your provider at Adaptive Health Psychology PLLC.
B. Right to Request Confidential Communications
You have the right to request that we communicate with you about your health matters in a different way or at a different location than our standard practice. For example, you may ask that we:
-
Contact you only at a specific phone number (e.g., your cell phone rather than your home phone)
-
Send written communications only to a specific mailing address (e.g., a post office box rather than your home address);
-
Communicate with you only through our secure patient portal rather than by email; or
-
Avoid leaving voicemail messages at a particular number.
We will accommodate all reasonable requests. You do not need to explain the reason for your request. We may require that you provide information about how payment will be handled or another address or method of contact as a condition of honoring the request.
C. Right to Access and Inspect Your Records
You have the right to inspect and obtain a copy of PHI that we maintain about you in a designated record set. A "designated record set" includes your medical and billing records and any other records used to make decisions about your care.
How to request access:
-
Submit a written request to our administrator;
-
We will provide access or copies within 30 days (or 60 days if the records are maintained off-site), with one 30-day extension permitted;
-
We may charge a reasonable, cost-based fee for copying, postage, and labor;
-
If requested, we will provide your records in the electronic format you specify, if readily producible.
We may deny your request to access certain records in limited circumstances, such as when access could endanger your life or the life of another person, or when the records were compiled for use in civil, criminal, or administrative proceedings. If we deny your request, you may request a review of the denial.
Right to Request Amendment
If you believe that PHI we hold about you is incorrect or incomplete, you have the right to request that we amend that information. To request an amendment:
-
Submit a written request to our administrator explaining the basis for the amendment;
-
We will act on your request within 60 days (one 30-day extension is permitted);
-
We may deny your request if the information was not created by us, if the information is not part of a designated record set, if the information is not available for inspection, or if we determine the record is accurate and complete.
-
If we deny your amendment request, you have the right to submit a statement of disagreement that will be included in your record.
D. Right to an Accounting of Disclosures
You have the right to request a written accounting of disclosures of your PHI that we have made outside of treatment, payment, and health care operations during the six years prior to the date of your request.
This accounting will include:
-
The date of each disclosure;
-
The name (and address, if known) of the person or entity that received the PHI;
-
A brief description of the PHI disclosed; and
-
A brief statement of the purpose of the disclosure or a copy of your written authorization or the written request for disclosure.
We will provide the first accounting in any 12-month period free of charge. For additional requests within the same period, we may charge a reasonable fee. The following disclosures are not included in an accounting: disclosures made pursuant to your authorization, disclosures for treatment/payment/operations, disclosures to you, and certain other disclosures permitted or required by law.
E. Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically. To request a paper copy, contact our administrator.
F. Right to Be Notified of a Breach
You have the right to receive notification if there is a breach of your unsecured PHI. In the event of a breach, we will notify you without unreasonable delay and no later than 60 calendar days after discovery of the breach. Our notice will describe the nature of the breach, the PHI involved, steps you should take to protect yourself, and what we are doing to investigate and remediate the breach.
G. Right to File a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint. You may file a complaint with:
U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR): www.hhs.gov/ocr/privacy/hipaa/complaints/ or toll-free 1-800-368-1019
We will not retaliate against you in any way for filing a complaint.
You will not be penalized or denied services for exercising your rights under HIPAA.
Section 4: State Law and Legal Exceptions to Confidentiality
As a mental health practice, we are subject to both federal HIPAA requirements and applicable state privacy laws. Where state law provides greater protection for your PHI than HIPAA, we are required to comply with the more stringent state law. The following exceptions to confidentiality are established by law and do not require your authorization.
Important: The following disclosures may be made without your consent when legally required or permitted. We will, whenever possible, inform you before making such a disclosure and will limit the disclosure to the minimum necessary information.
A. Duty to Warn or Protect (Tarasoff Obligations)
Under applicable state law, we may be required to take protective action—including disclosing confidential information—if we have reasonable cause to believe that a client presents a serious and imminent threat of physical violence to an identifiable third party (or third parties). In such circumstances, we may:
-
Warn the identifiable potential victim(s);
-
Notify law enforcement; and/or
-
Take other necessary steps to prevent the threatened harm, as required or permitted by applicable state law.
Such disclosures will be limited to information necessary to fulfill the protective purpose. The specific requirements of the duty to warn or protect vary by state; please consult with your clinician if you have questions about how this applies in your jurisdiction.
B. Mandatory Reporting Obligations
We are mandated reporters under applicable state and federal law. This means we are required by law to report certain information to designated authorities, regardless of your consent or the confidential nature of our relationship. Mandatory reporting requirements include:
-
Child Abuse and Neglect
If we have reasonable cause to believe that a minor child has been subjected to abuse (physical, emotional, or sexual), neglect, or exploitation, we are required to make a report to the appropriate child protective services agency and/or law enforcement. We do not need confirmation that abuse has occurred; reasonable suspicion is sufficient to trigger the reporting obligation.
-
Elder Abuse and Dependent Adult Abuse
If we have reasonable cause to believe that an elderly person (typically age 65 or older) or a dependent adult has been subjected to physical abuse, financial exploitation, neglect, abandonment, abduction, isolation, or other forms of mistreatment, we are required to report this to the appropriate adult protective services agency and/or law enforcement.
-
Imminent Danger to Self
If we determine that a client presents an imminent danger to themselves—including a serious and imminent risk of suicide or self-harm—we may be required or permitted under applicable law to take protective action, which may include disclosure of PHI to emergency personnel, mental health crisis services, or family members, as necessary to prevent harm.
C. Response to Court Orders, Subpoenas, and Legal Process
We may be required to disclose your PHI in connection with judicial or administrative proceedings. Specifically:
Valid Court Orders
We are required to comply with a valid court order directing us to produce your records or testimony. We will seek to protect your PHI to the maximum extent permitted, including by requesting a protective order when appropriate.
Subpoenas and Discovery Requests
We may disclose PHI pursuant to a lawfully issued subpoena, discovery request, or other similar legal process, provided that we receive satisfactory assurances that (1) the party seeking the information has made reasonable efforts to notify you of the request, and you have had an opportunity to object, or (2) a qualified protective order has been sought. We will make reasonable efforts to provide you with notice before complying with such requests.
Law Enforcement Requests
We may disclose PHI to law enforcement as required by law or in response to a valid warrant, summons, court order, or grand jury subpoena, or as otherwise permitted by 45 C.F.R. § 164.512(f).
Section 5: Special Protections for Psychotherapy Notes
Psychotherapy Notes Receive the Highest Level of Protection Under HIPAA
Unlike general medical records, psychotherapy notes are subject to a separate and heightened standard of protection that requires your explicit written authorization before they may be shared with virtually any third party.
What Are Psychotherapy Notes?
"Psychotherapy notes" are defined under HIPAA (45 C.F.R. § 164.501) as notes recorded by a mental health professional that document or analyze the contents of conversations during a private, group, joint, or family counseling session, and that are kept separate from the rest of the client’s medical record. They are sometimes referred to as "process notes" or "personal notes."
Psychotherapy notes are distinct from the general treatment record and typically include:
-
The therapist’s personal observations, impressions, and hypotheses;
-
Details of therapeutic conversations that go beyond what is recorded in the standard clinical record;
-
The therapist’s analysis of a client’s statements and behavior; and
-
Any other information the therapist does not ordinarily include in a summary of the session.
What Is NOT Considered a Psychotherapy Note?
The following types of information are specifically excluded from the definition of psychotherapy notes under HIPAA and may be used or disclosed for treatment, payment, and health care operations without a separate written authorization:
-
Medication prescription and monitoring information;
-
Counseling session start and stop times;
-
Modalities and frequencies of treatment furnished;
-
Results of clinical tests (e.g., psychological assessments);
-
Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date; and
-
Information in the general medical record.
Authorization Required to Share Psychotherapy Notes
Except as described below, we will not use or disclose your psychotherapy notes without your separate, written authorization. This authorization is distinct from—and in addition to—any general authorization you may have signed for the release of your medical records.
An authorization to release psychotherapy notes must specifically identify the notes to be disclosed and the purpose of the disclosure. You have the right to:
-
Refuse to authorize the release of psychotherapy notes;
-
Revoke a previously given authorization in writing at any time (the revocation will not apply to disclosures already made in reliance on the prior authorization); and
-
Receive a copy of any authorization you sign.
Permitted Uses of Psychotherapy Notes Without Authorization
Under HIPAA, psychotherapy notes may be used or disclosed without your authorization only in the following narrow circumstances:
-
By the originating provider for supervision or training of mental health students or professionals in the practice;
-
To defend against a legal action or other proceeding initiated by the client;
-
To the Secretary of HHS for compliance and enforcement investigations;
-
To prevent or lessen a serious and imminent threat to the health or safety of a person or the public (see Section 4—Duty to Warn);
-
As required by mandatory reporting laws (see Section 4—Mandatory Reporting); and
-
As required by applicable law or a valid court order.
Please note that even in the above circumstances, we will share only the minimum information necessary and will document such disclosures in our records.
Section 6: Privacy Practices Specific to Telehealth Services
Because our practice operates as a virtual (telehealth) psychology practice, we want to make you aware of the following privacy considerations specific to remote care delivery:
Platform Security
All video sessions are conducted on telehealth platforms that are (1) HIPAA-compliant, (2) covered by a Business Associate Agreement (BAA) with our Practice, and (3) utilize end-to-end encryption. We do not conduct sessions over standard, unencrypted video platforms (e.g., FaceTime, standard Zoom consumer accounts, or Google Meet personal accounts).
Your Responsibility in Telehealth Sessions
You are responsible for ensuring the privacy and security of your environment during telehealth sessions. We recommend that you:
-
Conduct sessions from a private location where you cannot be overheard;
-
Use a personal device (not a shared or work device) for sessions when possible;
-
Use a secure, private Wi-Fi network rather than public Wi-Fi;
-
Use headphones or earbuds to prevent others from hearing session audio; and
-
Close other applications and browser tabs during your session.
Recording Prohibition
Sessions may not be recorded by either party without the prior explicit written consent of all session participants. Any recording made without such consent may violate applicable state wiretapping or eavesdropping laws.
Electronic Communications
Email and standard text messaging are not fully secure methods of communication. If you choose to communicate with us via email or text, please be aware that there is some risk that your PHI could be intercepted or accessed by unauthorized parties. We encourage you to use our secure patient portal for all non-urgent communications. By initiating electronic communication with us, you acknowledge and accept the inherent risks of that communication method.
Section 7: Changes to This Notice
We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain, including PHI created or received prior to the effective date of the revised Notice. If we make a material change to this Notice, we will:
-
Post the revised Notice prominently on our website;
-
Make the revised Notice available upon request at our office or via our patient portal; and
-
Provide you with a copy of the revised Notice at your next appointment following the change.
-
The most current version of this Notice is available upon request.