SESSION NOTES AND BILLING RECORDS:

We take the data security of your personal information seriously. Everyone in our practice uses an established software platform called Simple Practice for session notes, billing, your contact information and scheduling. Simple Practice follows industry best practices to ensure that your personal health information is kept secure. You can read more about their security process at: https://www.simplepractice.com/security/

EMAIL / MESSAGING:

If you send an email directly to one of our therapists, the data is only as secure as your email provider so please use extra caution. Use of regular email (such as gmail) is usually not HIPAA compliant. Simple Practice has a secure messaging system which has extra security. Feel free to request for your therapist to activate this messaging platform.

We prioritize the confidentiality and security of your online therapy sessions. Our therapists use different video conferencing platforms for sessions, with the primary options being Google Meet and SimplePractice Video. Google Meet Meet encrypts meetings in transit by default and includes multiple anti-abuse controls (e.g., strong meeting codes, admin controls) to reduce hijacking risks. Admin guides detail the encryption model and management options. Read more: Google’s user-facing security overview and IT admin security docs. Links:

• Google Meet Security & Privacy (overview): https://support.google.com/meet/answer/9852160

• Admin/security details: https://support.google.com/a/answer/7582940
  

SimplePractice Video SimplePractice runs always-on encryption for data in transit, offers 2-step verification for accounts, and holds HITRUST certification for its security program. Their privacy and security pages outline technical controls and operational safeguards. Read more here: SimplePractice Security and “Your Data & Security.” Links:

• SimplePractice Security: https://www.simplepractice.com/features/security/

• Your Data & Security (support hub): https://support.simplepractice.com/hc/en-us/sections/360010505072--Your-Data-and-Security
  

We believe that the safety and privacy of your information are paramount, which is why we carefully select platforms that are committed to maintaining high security standards.

Please understand that, in the world of psychology, confidentiality refers to protection of information shared with a therapist from being shared with third parties without the client's express consent.

Privacy, on the other hand, refers to the legal protection of personal medical information from being shared on a public platform.

I will discuss "confidentiality" below.

The session content and all relevant materials to the client’s treatment will be held confidential unless the client requests in writing to have all or portions of such content released to a specifically named person/persons.

Limitations of such client-held privilege of confidentiality exist and are itemized below:

1. If a client threatens or attempts to commit suicide or otherwise conducts him/her self in a manner in which there is a substantial risk of incurring serious bodily harm.

2. If a client threatens grave bodily harm or death to another person.

3. If the therapist has a reasonable suspicion that a client or other named victim is the perpetrator, observer of, or actual victim of physical, emotional or sexual abuse of children under the age of 18 years.

4. Suspicions as stated above in the case of an elderly person who may be subjected to these abuses.

5. Suspected neglect of the parties named in items #3 and # 4.

6. If a court of law issues a legitimate subpoena for information stated on the subpoena.

7. If a client is in therapy or being treated by order of a court of law, or if information is obtained for the purpose of rendering an expert’s report to an attorney.

Occasionally, your therapist may need to consult with other professionals in their areas of expertise in order to provide the best treatment for you. Information about you may be shared in this context without using your name.

UNPLANNED MEETING WHILE IN PUBLIC:

If you see your therapist accidentally outside of the therapy office, your therapist will not acknowledge you first as this may inadvertently inform others of the therapeutic relationship. Your right to privacy and confidentiality is of the utmost importance to us, and we do not wish to jeopardize your privacy. However, if you initiate contact with your therapist first, she or he will be more than happy to speak briefly with you. Nonetheless, your therapist will not engage in lengthy discussions in public or outside of the therapy office as the discussion may be overheard and put your privacy at risk.

COACHING vs PSYCHOTHERAPY:

The above confidentiality and privacy framework addresses psychotherapy. If you are receiving coaching, the rules differ slightly and are explained in the coaching intake form.

Yes, if someone inquires, we do not acknowledge or deny that any individual is a client of ours. It is best if the person inquiring speak directly to their loved one.

Only you, our client, can authorize us to speak to a third party (unless the therapist discloses information due to one of the rare exceptions as discussed in the previous question about confidentiality).

Short answer: No—our default is not to record sessions. We don’t record, and we ask clients not to record.

When recording might happen: In limited cases—e.g., to use AI-assisted tools, skills rehearsal, or for a specific clinical purpose—we’ll talk it through with you first. We’ll explain the why, what’s captured, who can access it, how long it’s kept, and risks/alternatives. We only proceed with your written consent, and saying “no” will not affect your care.

If a recording is made, how is it protected? Our default storage for any approved recording is our organization’s Google Workspace. Key protections include:

• Encryption in transit (TLS) and encryption at rest.

• Least-privilege access controls (only your clinician and minimal authorized staff can access; link-sharing is disabled).

• Strong authentication (enforced multi-factor auth and device management).

• Admin oversight with audit logs, access monitoring, and alerting.

• Data Loss Prevention (DLP) options to reduce the chance of improper sharing.

• Hardened, redundant data centers with robust physical and network security.

Retention & deletion: Recordings (when they occur) are kept only as long as needed for the stated purpose, then securely deleted. You can withdraw consent at any time; we’ll stop new recordings and handle existing files per policy and law.

AI tools & your data: If we use AI-assisted workflows, we select vendors and configurations that do not use your content to train public models and that maintain contractually bounded security and privacy safeguards.