Privacy Policy
Last Updated: January 2025
At TherapyOneClinic, we are committed to protecting the privacy and security of your information and the Protected Health Information (PHI) entrusted to us. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our electronic health record system.
1. Information We Collect
1.1 Protected Health Information (PHI)
As a Business Associate under HIPAA, we process PHI on behalf of Covered Entities (healthcare providers). PHI may include:
- Patient demographics (name, date of birth, address, contact information)
- Medical and mental health history
- Clinical documentation (progress notes, assessments, treatment plans)
- Diagnosis and treatment information
- Insurance and billing information
- Appointment and scheduling data
- Telehealth session recordings (with consent)
- Assessment scores and outcomes data
1.2 Account and User Information
We collect information about users of our system, including:
- Name, email address, phone number
- Professional credentials and license information
- Practice or organization name
- User role and access permissions
- Login credentials (passwords are encrypted)
1.3 Usage and Technical Information
We automatically collect technical information about your use of TherapyOneClinic:
- IP address, browser type, and operating system
- Device information and unique device identifiers
- Pages visited, features used, and time spent in the system
- Audit logs of PHI access (required by HIPAA)
- Error logs and system performance data
1.4 Payment Information
Payment information (credit card details) is collected and processed by our third-party payment processors. We do not store complete credit card numbers on our servers.
2. How We Use Information
2.1 Use of PHI
We use PHI solely to provide services to you and as permitted under our Business Associate Agreement:
- To operate and provide the EHR system functionality
- To enable clinical documentation and patient care coordination
- To process billing and claims on your behalf
- To provide technical support and troubleshooting
- To maintain system security and detect unauthorized access
- To comply with legal obligations and respond to lawful requests
- To perform system backups and disaster recovery
2.2 Use of User Information
We use your account and user information to:
- Authenticate users and manage access controls
- Communicate about your account, billing, and service updates
- Provide customer support and respond to inquiries
- Send product announcements and feature updates
- Improve our services based on usage patterns
2.3 De-Identified Data
We may create de-identified data sets that cannot reasonably identify individuals. De-identified data may be used for:
- Research and analytics to improve behavioral health outcomes
- Service improvement and feature development
- Industry benchmarking and reporting
- Marketing and promotional materials (aggregate statistics only)
3. How We Share Information
3.1 We Do NOT Sell PHI
3.2 Disclosure of PHI
We disclose PHI only in the following circumstances:
- To You (Covered Entity): We provide PHI to you and your authorized workforce members as needed to provide services
- Subcontractors: To HIPAA-compliant subcontractors (e.g., hosting providers, backup services) who have signed Business Associate Agreements
- Legal Obligations: When required by law, such as responding to subpoenas, court orders, or regulatory requests
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
- Protection of Rights: To protect our legal rights, prevent fraud, or protect against malicious activity
3.3 Patient Portal Access
When you enable the patient portal feature, patients may access their own PHI through secure authentication. You control what information is shared with patients through the portal.
3.4 No Marketing Use
We do not use PHI for marketing purposes or disclose PHI to third parties for their marketing without your explicit authorization.
4. Data Security Measures
We implement comprehensive security measures to protect PHI and comply with HIPAA Security Rule requirements:
4.1 Technical Safeguards
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC) with minimum necessary access
- Authentication: Strong password requirements, multi-factor authentication (MFA) support
- Audit Logging: Comprehensive logging of all PHI access with tamper-proof audit trails
- Automatic Logout: Sessions time out after 30 minutes of inactivity
- Secure Development: Regular security testing, code reviews, and vulnerability assessments
4.2 Administrative Safeguards
- Security Management: Designated Security Officer and incident response procedures
- Workforce Training: Regular HIPAA and security training for all employees
- Background Checks: Background checks for employees with PHI access
- Confidentiality Agreements: All employees sign confidentiality agreements
- Vendor Management: Due diligence and BAAs with all subcontractors
- Risk Assessment: Annual security risk assessments
4.3 Physical Safeguards
- Secure Data Centers: SOC 2 Type II certified hosting facilities
- Access Controls: Restricted physical access to data center facilities
- Environmental Controls: Fire suppression, climate control, and power redundancy
- Media Disposal: Secure disposal of physical media containing PHI
4.4 Disaster Recovery and Backups
- Daily encrypted backups stored in geographically separate locations
- Disaster recovery plan with documented procedures
- Regular testing of backup and recovery processes
- 99.9% uptime SLA with redundant infrastructure
5. Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify you (as Covered Entity) without unreasonable delay and no later than 60 days after discovery
- Provide details of the breach, including affected individuals and PHI involved
- Describe steps taken to mitigate harm and prevent future breaches
- Cooperate with your breach investigation and notification obligations
- Assist with required notifications to the Department of Health and Human Services (HHS) and affected individuals
You (as Covered Entity) are responsible for notifying affected patients and HHS as required by the HIPAA Breach Notification Rule.
6. Patient Rights Under HIPAA
As a Business Associate, we support your efforts to honor patient rights under HIPAA:
6.1 Right of Access
We will make PHI available to you within 30 days when requested to fulfill a patient's right to access their records.
6.2 Right to Amend
We will cooperate with your amendment of PHI when directed to do so by you following a patient's request for amendment.
6.3 Accounting of Disclosures
Our audit logs track all disclosures of PHI. We will provide disclosure information to you within 60 days when needed for a patient's accounting of disclosures request.
6.4 Restrictions on Use
We will comply with any restrictions you place on our use or disclosure of PHI, such as when a patient requests restrictions under HIPAA.
7. Cookies and Tracking Technologies
7.1 Cookies We Use
TherapyOneClinic uses the following types of cookies:
- Essential Cookies: Required for authentication and system functionality (cannot be disabled)
- Security Cookies: Used to detect fraudulent activity and protect your account
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Help us understand how the system is used (de-identified)
7.2 Third-Party Cookies
We do not allow third-party advertising cookies. Analytics cookies are configured to anonymize IP addresses and not track PHI.
7.3 Managing Cookies
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect system functionality.
8. Third-Party Service Providers
We work with HIPAA-compliant third-party service providers who assist in delivering our services:
- Cloud Hosting: SOC 2 Type II certified infrastructure providers
- Backup Services: Encrypted backup and disaster recovery providers
- Payment Processing: PCI-DSS compliant payment processors
- Email Services: HIPAA-compliant email delivery for notifications
- SMS Services: HIPAA-compliant SMS providers for appointment reminders
- Telehealth: HIPAA-compliant video conferencing (Doxy.me)
All service providers with access to PHI have signed Business Associate Agreements and are contractually obligated to protect PHI in accordance with HIPAA requirements.
9. Data Retention and Deletion
9.1 Active Accounts
We retain PHI for as long as you maintain an active subscription and as required by law or your record retention policies.
9.2 After Account Termination
Upon account termination:
- You have 30 days to export your data
- Data is retained for 90 days to allow for account reinstatement
- After 90 days, PHI is permanently deleted using secure deletion methods
- Backup copies are deleted according to our backup retention schedule (maximum 1 year)
9.3 Legal Hold
Data may be retained longer if required by law, legal hold, or ongoing legal proceedings.
9.4 Audit Log Retention
Audit logs are retained for a minimum of 6 years as required by HIPAA regulations.
10. Children's Privacy
TherapyOneClinic is not intended for use by children under 18 without parental consent. Healthcare providers are responsible for obtaining appropriate consent before entering PHI of minor patients into the system.
11. International Data Transfers
TherapyOneClinic is hosted in the United States. PHI is stored on servers located in the United States and is subject to U.S. laws and regulations, including HIPAA.
If you access TherapyOneClinic from outside the United States, you consent to the transfer of data to the United States. We do not transfer PHI outside the United States without appropriate safeguards.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information (subject to exceptions)
- Right to Opt-Out: We do not sell personal information, so opt-out is not applicable
- Non-Discrimination: We will not discriminate against you for exercising your rights
Note: PHI covered by HIPAA is exempt from CCPA. HIPAA rights take precedence for healthcare data.
13. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right of Access: Access your personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion (subject to legal obligations)
- Right to Restriction: Limit processing in certain circumstances
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to certain processing activities
To exercise these rights, contact us at contact@TherapyOneClinic.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated to you via:
- Email notification to your account email address
- Notice in the system upon login
- Posting the updated policy with a new "Last Updated" date
Changes will be effective 30 days after notification unless otherwise required by law. Your continued use of TherapyOneClinic after the effective date constitutes acceptance of the updated policy.
15. Contact Information
If you have questions about this Privacy Policy or our privacy practices, please contact:
Privacy Officer
- Email: contact@TherapyOneClinic.com
- Phone: 1-888-555-EHRS (3477)
- Mail: TherapyOneClinic Privacy Officer
123 Healthcare Way, Suite 400
Boston, MA 02101
United States
HIPAA Complaints
If you believe your privacy rights have been violated, you may file a complaint with:
- TherapyOneClinic Privacy Officer (contact information above)
- U.S. Department of Health and Human Services Office for Civil Rights:
https://www.hhs.gov/hipaa/filing-a-complaint/
You will not be retaliated against for filing a complaint.
Privacy Commitment
TherapyOneClinic is committed to protecting your privacy and the privacy of patients. We comply with HIPAA Privacy and Security Rules and implement industry-leading security measures to safeguard PHI. Last updated: January 2025.