Last Updated: April 15, 2025

1. Introduction

MentalityMate ("we", "us", "our") is committed to protecting the privacy and security of your protected health information (PHI). This HIPAA Privacy Policy describes how we collect, use, and disclose health information about you in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As a provider of digital mental health services, we are considered a "covered entity" under HIPAA and are required to comply with its Privacy Rule and Security Rule. This policy outlines our legal duties and privacy practices with respect to your protected health information.

Important Notice

Please read this HIPAA Privacy Policy carefully. By using our services, you acknowledge that you have read, understood, and agree to the terms described in this policy. If you do not agree with this policy, please do not use our services.

2. Information We Collect

We collect protected health information (PHI) in order to provide you with mental health services. PHI includes any information that relates to:

  • Your past, present, or future physical or mental health or condition
  • The provision of healthcare to you
  • Payment for your healthcare

The PHI we collect may include:

  • Personal identifiers (name, date of birth, address, phone number, email address)
  • Insurance information and payment details
  • Medical history and mental health assessments
  • Information shared during therapy sessions
  • Messages exchanged with therapists or the AI system
  • Journal entries and self-assessment responses
  • Treatment plans and progress notes
  • Appointment scheduling information

3. How We Use Your Information

We may use and disclose your PHI for the following purposes:

For Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes:

  • Sharing information with therapists who provide services through our platform
  • Using your information to personalize AI-based support and recommendations
  • Coordinating care between different providers on our platform

For Payment

We may use and disclose your PHI to obtain payment for services we provide to you, including:

  • Billing and collection activities
  • Submitting claims to your insurance provider
  • Verifying coverage and eligibility

For Healthcare Operations

We may use and disclose your PHI for our operational activities, including:

  • Quality assessment and improvement activities
  • Therapist performance evaluation
  • Training of health professionals and staff
  • Platform maintenance and improvement
  • Service optimization and enhancement

4. Disclosure of Your Information

We may disclose your PHI to third parties in the following circumstances:

With Your Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described in this notice. You may revoke such authorization at any time by submitting a written revocation through our platform or by contacting our Privacy Officer.

Business Associates

We may disclose PHI to our business associates who perform functions on our behalf or provide us with services if the information is necessary for such functions or services. For example, we may use another company to process insurance claims, provide cloud storage, or handle payment processing. All of our business associates are obligated to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract.

As Required by Law

We will disclose PHI when required to do so by federal, state, or local law. This includes:

  • Reporting suspected abuse, neglect, or domestic violence
  • Responding to judicial or administrative proceedings
  • Complying with law enforcement requests
  • Addressing workers' compensation claims
  • Reporting to health oversight agencies for activities authorized by law

To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Disclosures, however, will be made only to someone who may be able to help prevent the threat.

Special Note About Mandatory Reporting

Mental health professionals are mandated reporters in many jurisdictions, which means they are legally required to report certain situations to the appropriate authorities, even without your permission. These situations typically include:

  • Suspected child abuse or neglect
  • Suspected abuse of elderly or dependent adults
  • When a client presents a danger to self or others
  • When a client is gravely disabled and unable to care for their basic needs

In these situations, our therapists must follow the reporting laws of their practicing state, which may require disclosure of relevant PHI to appropriate authorities.

5. Your Rights Regarding Your Information

Under HIPAA, you have certain rights regarding your protected health information. These include:

Right to Access and Receive a Copy of Your PHI

You have the right to inspect and obtain a copy of your PHI that may be used to make decisions about your care. This includes medical and billing records but does not include psychotherapy notes. To access your PHI, please submit a request through your account settings or contact our Privacy Officer. We will provide a copy or a summary of your health information, usually within 30 days of your request.

Right to Request Amendments

If you believe that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. To request an amendment, submit your request with a reason that supports your request through your account settings or contact our Privacy Officer.

Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI that we have made. This right applies to disclosures for purposes other than treatment, payment, healthcare operations, or disclosures you specifically authorized.

Right to Request Restrictions

You have the right to request a restriction or limitation on the PHI we use or disclose for treatment, payment, or healthcare operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care. We are not required to agree to your request, but if we do agree, we will comply with your request unless the information is needed to provide emergency treatment.

Right to Request Confidential Communications

You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we only contact you via email or at a specific address. We will accommodate reasonable requests.

Right to a Paper Copy of This Notice

You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time, even if you have agreed to receive the notice electronically.

6. Security Measures

We implement a variety of security measures to protect your PHI in accordance with the HIPAA Security Rule, including:

  • End-to-end encryption for all communications containing PHI
  • Secure, HIPAA-compliant cloud storage for all PHI
  • Role-based access controls to ensure only authorized personnel can access PHI
  • Multi-factor authentication for all system access
  • Regular security assessments and penetration testing
  • Employee training on privacy and security procedures
  • Physical safeguards for all servers and hardware

7. Breach Notification

In the event of a breach of unsecured PHI, we will notify you promptly in accordance with HIPAA Breach Notification Rule requirements. This notification will include:

  • A description of the breach
  • The types of information involved
  • Steps you should take to protect yourself
  • What we are doing to investigate, mitigate, and prevent future breaches
  • Contact procedures for additional information

8. Changes to This Notice

We reserve the right to change this notice and make the new notice apply to PHI we already have as well as any information we receive in the future. We will post a copy of the current notice on our website and within our application. The notice will contain the effective date on the first page, in the top right-hand corner.

9. Contact Information

If you have any questions about this HIPAA Privacy Policy or would like to exercise your rights, please contact our Privacy Officer:

  • By email: privacy@mentalitymate.com
  • By mail: MentalityMate Privacy Officer, 123 Mental Health Way, San Francisco, CA 94103
  • By phone: (800) 555-1234

Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer using the information above. You can also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by:

We will not retaliate against you for filing a complaint.
