Health Information Privacy Policy

THIS NOTICE DESCRIBES HOW YOUR HEALTH INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN ACCESS THIS INFORMATION, IN ACCORDANCE WITH HIPAA COMPLIANCE. PLEASE REVIEW OUR PRIVACY POLICY CAREFULLY. YOU MAY HAVE ADDITIONAL RIGHTS UNDER STATE AND LOCAL LAW. IF YOU HAVE QUESTIONS REGARDING YOUR RIGHTS TO ACCESS PROTECTED HEALTH INFORMATION, PLEASE SEEK LEGAL COUNSEL FROM AN ATTORNEY LICENSED IN YOUR STATE. NOTE: **Protected health information (PHI) in this privacy policy includes psychotherapy notes from sessions.

Under the Health Insurance Portability and Accountability Act of 1996 (hereafter, "HIPAA"), you have specific rights regarding the use and disclosure of your protected health information (hereafter, "PHI").

I am required by law to ensure that PHI that identifies you is kept private, in accordance with HIPAA compliance standards. HIPAA mandates that providers of health care, including mental health care, uphold the privacy policy concerning patient records and health information. It also requires the federal Department of Health and Human Services (HHS) to implement the necessary rules. These rules apply to health care providers, health plans, and any other entities processing health insurance claims, collectively referred to as "HIPAA covered entities." Additionally, the business associates of these covered entities that access PHI must also adhere to HIPAA regulations.

On March 26, 2013, HHS' Final Omnibus Rule, adopted pursuant to HIPAA and related federal laws, went into effect. This final rule encompasses the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The HIPAA Privacy Rule grants consumers rights over their health information and imposes limits on who can view and obtain a consumer's PHI. This rule applies to all forms of PHI, whether oral, electronic, or written. The HIPAA Security Rule safeguards PHI that is in electronic format and requires HIPAA-covered entities to implement reasonable safeguards to ensure that electronic PHI is secure. Lastly, the HIPAA Breach Notification Rule mandates that HIPAA covered entities and their business associates notify affected consumers and HHS in the event of a breach of unsecured PHI.

Imminent Danger to Self or Others: A therapist may disclose confidential information in compliance with HIPAA regulations to medical or law enforcement personnel if they determine there is a probability of: 

Imminent physical injury by the patient to themselves (suicide risk). 

Imminent physical injury to another person (threat of violence). 

Immediate mental or emotional injury to the patient. 

Note on "Duty to Warn": While Texas law permits disclosure to law enforcement to protect others, Texas courts have historically been more restrictive than other states regarding a therapist's "duty to warn" a specific third-party victim directly, emphasizing reporting to authorities instead, which aligns with the privacy policy guidelines. 

Mandatory Reporting of Abuse or Neglect: Therapists in Texas are mandatory reporters and must break confidentiality to comply with the law and file a report with the Texas Department of Family and Protective Services (DFPS) if they suspect and/or are informed by a client about: 

Child Abuse or Neglect: Suspected abuse of anyone under 18 years old. Professionals must report this within 48 hours of discovery. 

Elder Abuse: Abuse, neglect, or financial exploitation of an adult aged 65 or older. 

Disabled Adult Abuse: Abuse of any adult with a disability. 

Legal and Judicial Proceedings: Confidentiality of protected health information may be waived or bypassed in judicial or administrative settings if: 

A judge issues a court order or a specific subpoena for the records. 

The patient is involved in a lawsuit where their mental condition is an element of the claim (e.g., claiming emotional distress). 

The therapist is being evaluated by a court-appointed examiner. 

The patient files a malpractice suit or formal complaint against the therapist. 

Administrative and Operational Needs: Disclosure without specific session-by-session consent is also allowed for: 

Billing and Payment: Sharing minimal necessary info with insurance companies to secure payment in accordance with HIPAA compliance. 

Treatment Teams: Sharing information with other professionals within the same facility who are participating in the patient’s diagnosis or care. 

Deceased Patients: Releasing information to a personal representative of a deceased patient.

Psychotherapy Notes. I do keep “psychotherapy notes” as defined in 45 CFR § 164.501, and any use or disclosure of these notes requires your Authorization unless the use or disclosure is: a. For my use in treating you. b. For my use in training or supervising mental health practitioners to enhance their skills in group, joint, family, or individual counseling or therapy. c. For my use in defending myself in legal proceedings initiated by you. d. For use by the Secretary of the Department of Health and Human Services (HHS) to investigate my compliance with HIPAA regulations. e. Required by law, with the use or disclosure limited to what such law necessitates. f. Required by law for specific health oversight activities related to the originator of the psychotherapy notes. g. Required by a coroner performing duties authorized by law. h. Required to help avert a serious threat to the health and safety of others. Use of AI in Mental Health. Effective in 2025, Texas law Senate Bill 1188 (SB 1188) mandates that if a mental health professional sends protected health information (PHI) to an Artificial Intelligence (AI) system for any purpose beyond basic treatment, payment, or operations, they must obtain explicit patient authorization. SB 1188, enacted in June 2025, significantly amends the Texas Health and Safety Code by introducing stringent new requirements for Electronic Health Records (EHR) and the use of AI in healthcare, ensuring a commitment to patient privacy policy and HIPAA compliance.

Disclosures to family, friends, or others: You have the right and choice to inform me that I may provide your protected health information (PHI) to a family member, friend, or other individual whom you specify is involved in your care or the payment for your health care. This also applies to sharing your information in a disaster relief situation, in accordance with our privacy policy. In emergency situations, the opportunity for HIPAA compliance may allow for retroactive consent to be obtained to address a serious and immediate threat to health or safety, especially if you are unconscious.