At Sage & Sonder Psychotherapy, I am committed to protecting your privacy. This Privacy Policy explains how I collect, use, and safeguard your information when you visit this website and/or opt into SMS communications.

Information Collected

I may collected the following information:

• Name

• Phone number

• Email address

• Any information you voluntarily submit through forms on our website

Use of Information

I may use your information to:

• Provide therapy-related services and communication

• Send appointment reminders and scheduling updates

• Respond to inquiries

• Send SMS messages if you have opted in

Sharing of Personal Information

I do not sell, rent, or share your personal information with third parties for marketing purposes.

SMS consent is not shared with third parties or affiliates.

SMS Communications

If you opt in to receive SMS messages:

• You may receive appointment reminders, scheduling updates, and other service-related messages

• Message frequency may vary

• Message and data rates may apply

Your Privacy Rights

You may:

• Request access to your personal data

• Request corrections or deletion of your data

• Opt out of SMS at any time

SMS Terms of Service

By opting into SMS from a web form or other medium, you agree to receive SMS messages from Sage & Sonder Psychotherapy.

Types of Messages You May Receive

• Appointment reminders

• Scheduling confirmations or changes

• General communication regarding services

Messaging Frequency may vary.

Message & Data Rates

Message and data rates may apply depending on your mobile carrier.

Opt-Out & Help Instructions

You can opt out at any time by sending Whitney an email at whitney@sageandsondertherapy.com. You are not automatically enrolled in any SMS messaging system.

Privacy Policy & Terms

Visit:

• Privacy Policy & Terms of Service: https://www.sageandsondertherapy.com

Notice of Privacy Practices for Protected Health Information

45 CFR 164.520

Background 

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. 

How the Rule Works

General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices. The Privacy Rule does not require the following covered entities to develop a notice: 

•  Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1).

• A correctional institution that is a covered entity (e.g., that has a covered health care provider component).

• A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information. See 45 CFR 164.520(a). 

Content of the Notice. Covered entities are required to provide a notice in plain language that describes:  

• How the covered entity may use and disclose protected health information about an individual.

• The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.

• The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.

• Whom individuals can contact for further information about the covered entity’s privacy policies. 

The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. 

Providing the Notice.

• A covered entity must make its notice available to any person who asks for it.

• A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.

• Health Plans must also:

  • Provide the notice to individuals then covered by the plan no later than April 14, 2003 (April 14, 2004, for small health plans) and to new enrollees at the time of enrollment.

  • Provide a revised notice to individuals then covered by the plan within 60 days of a material revision.

  • Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years.

• Covered Direct Treatment Providers must also:

  • Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

  • When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.

  • In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.

  • Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility.

• A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice. See 45 CFR 164.520(c) for the specific requirements for providing the notice. 

Organizational Options.

• Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice, such as when an entity performs different types of covered functions (i.e., the functions that make it a health plan, a health care provider, or a health care clearinghouse) and there are variations in its privacy practices among these covered functions. Covered entities are encouraged to provide individuals with the most specific notice possible.

• Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. See 45 CFR 164.520(d). 

• YOUR HEALTH INFORMATION PRIVACY RIGHTS
  
  Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information. This law, called the Health Insurance Portability and Accountability Act of 1996 (HIPAA), gives you rights over your health information, including the right to get a copy of your information, make sure it is correct, and know who has seen it.

• You can ask to see or get a copy of your medical record and other health information. If you want a copy, you may have to put your request in writing and pay for the cost of copying and mailing. In most cases, your copies must be given to you within 30 days.

• You can ask to change any wrong information in your file or add information to your file if you think something is missing or incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file. In most cases, the file should be updated within 60 days.

• By law, your health information can be used and shared for specific reasons not directly related to your care. In many of these cases, you can find out who has seen your health information. Learn how your health information is used and shared by your doctor or health insurer. Generally, your health information cannot be used for purposes not directly related to your care without your permission.

• You probably received a notice telling you how your health information may be used on your first visit to a new health care provider or when you got new health insurance, but you can ask for another copy anytime.

• Let your providers or health insurance companies know if there is information you do not want to share. You can ask that your health information not be shared with certain people, groups, or companies. You can ask for other kinds of restrictions, but they do not always have to agree to do what you ask, particularly if it could affect your care.

• Finally, you can also ask your health care provider or pharmacy not to tell your health insurance company about care you receive or drugs you take, if you pay for the care or drugs in full and the provider or pharmacy does not need to get paid by your insurance company. You can make reasonable requests to be contacted at different places or in a different way.

If you think your rights are being denied or your health information is not being protected, you have the right to file a complaint with your provider, health insurer, or the U.S. Department of Health and Human Services.

PRIVACY, SECURITY, AND ELECTRONIC HEALTH RECORDS

Your health care provider may be moving from paper records to electronic health records (EHRs) or may be using EHRs already. EHRs allow providers to use information more effectively to improve the quality and efficiency of your care, but EHRs will not change the privacy protections or security safeguards that apply to your health information.

EHRs and Your Health Information

EHRs are electronic versions of the paper charts in your doctor’s or other health care provider’s office. An EHR may include your medical history, notes, and other information about your health including your symptoms, diagnoses, medications, lab results, vital signs, immunizations, and reports from diagnostic tests such as x-rays. Providers are working with other doctors, hospitals, and health plans to find ways to share that information. The information in EHRs can be shared with other organizations involved in your care if the computer systems are set up to talk to each other. Information in these records should only be shared for purposes authorized by law or by you. You have privacy rights whether your information is stored as a paper record or stored in an electronic form. The same federal laws that already protect your health information also apply to information in EHRs.

Benefits of Having EHRs

Whether your health care provider is just beginning to switch from paper records to EHRs or is already using EHRs within the office, you will likely experience one or more of the following benefits:

• Improved Quality of Care. As your doctors begin to use EHRs and set up ways to securely share your health information with other providers, it will make it easier for everyone to work together to make sure you are getting the care you need. For example: Information about your medications will be available in EHRs so that health care providers don’t give you another medicine that might be harmful to you. EHR systems are backed up like most computer systems, so if you are in an area affected by a disaster, like a hurricane, your health information can be retrieved. EHRs can be available in an emergency. If you are in an accident and are unable to explain your health history, a hospital that has a system may be able to talk to your doctor’s system. The hospital will get information about your medications, health issues, and tests, so decisions about your emergency care are faster and more informed.

• More Efficient Care. Doctors using EHRs may find it easier or faster to track your lab results and share progress with you. If your doctors’ systems can share information, one doctor can see test results from another doctor, so the test doesn’t always have to be repeated. Especially with x-rays and certain lab tests, this means you are at less risk from radiation and other side effects. When tests are not repeated unnecessarily, it also means you pay less for your health care in copayments and deductibles.

• More Convenient Care. EHRs can alert providers to contact you when it is time for certain screening tests. When doctors, pharmacies, labs, and other members of your health care team are able to share information, you may no longer have to fill out all the same forms over and over again, wait for paper records to be passed from one doctor to the other, or carry those records yourself.

Privacy, Security, and Electronic Health Records

Keeping Your Electronic Health Information Secure Most of us feel that our health information is private and should be protected. The federal government put in place the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to ensure you have rights over your own health information, no matter what form it is in. The government also created the HIPAA Security Rule to require specific protections to safeguard your electronic health information. A few possible measures that can be built in to EHR systems may include: “Access control” tools like passwords and PIN numbers, to help limit access to your information to authorized individuals. “Encrypting” your stored information. That means your health information cannot be read or understood except by those using a system that can “decrypt” it with a “key.” An “audit trail” feature, which records who accessed your information, what changes were made and when.

Finally, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach.” The law also requires the health care provider to notify the Secretary of Health and Human Services. If a breach affects more than 500 residents of a state or jurisdiction, the health care provider must also notify prominent media outlets serving the state or jurisdiction. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable for EHR protection.

Washington is a national leader in protecting the privacy of consumer health decisions and health data. In 2023, the Attorney General requested legislation to significantly expand privacy protections for personal health data. The Washington My Health My Data Act (HB 1155) passed the Washington State Legislature on April 17, 2023, and was signed into law by Governor Jay Inslee on April 27, 2023. Washington My Health My Data Act, 2023 Wash. Laws 191.

The My Health My Data Act is the first privacy-focused law in the country to protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act, or HIPAA. The Act was developed to protect a consumer’s sensitive health data from being collected and shared without that consumer’s consent. Washington’s concern for the urgent need to enhance privacy protections for health data is widely shared: 76% of Washingtonians express support for the My Health My Data Act.

Under the law, regulated entities must follow specific requirements about how and when they may collect and share personal health data. 

Frequently Asked Questions

1: What are the effective dates for the My Health My Data Act?

The My Health My Data Act includes effective dates on a section-by-section basis.

All persons, as defined in the Act, must comply with section 10 beginning July 23, 2023. Regulated entities that are not small businesses must comply with sections 4 through 9 beginning March 31, 2024. Small businesses, as defined in the Act, must comply with sections 4 through 9 beginning June 30, 2024. For sections 4 through 9, the effective dates apply to the entirety of the section and are not limited to the subsections in which the effective dates appear.

2: What is the Attorney General’s role in enforcing the My Health My Data Act?

Section 11 of the My Health My Data Act provides that any violation of the Act is a per se violation of the Washington Consumer Protection Act (CPA), RCW 19.86, which is enforced by the Attorney General as well as through private action.

3: How will a business located outside of the state of Washington but that stores its data in Washington be impacted?

Generally, all persons and businesses that conduct business in Washington (or provide services or products to Washington), and that collect, process, share, or sell consumer health data are impacted by the Act. Subject to some exceptions, a regulated entity is a legal entity that (a) conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. An entity that only stores data in Washington is not a regulated entity.

A processor is as a person that processes consumer health data on behalf of a regulated entity or a small business. Out-of-state entities that are processors for regulated entities or a small business must comply with the Act.

Sections 9 and 10 of the Act apply to persons, which generally includes natural persons, corporations, trusts, unincorporated associations, and partnerships. Out-of-state entities that fall within the definition of person must comply with sections 9 and 10 of the Act.

4: Is a business that is covered by the My Health My Data Act required to place a link to its Consumer Health Data Privacy Policy on the company’s homepage?

Yes. Section 4(1)(b) of the My Health My Data Act explicitly provides that “[a] regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.” The Consumer Health Privacy Policy must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under the My Health My Data Act.

5: Does the definition of consumer health data include the purchase of toiletry products (such as deodorant, mouthwash, and toilet paper) as these products relate to “bodily functions”?

Information that does not identify a consumer’s past, present, or future physical or mental health status does not fall within the Act’s definition of consumer health data. Ordinarily, information limited to the purchase of toiletry products would not be considered consumer health data. For example, while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.

6: If a regulated entity or small business draws inferences about a consumer’s health status from purchases of products, could that information be considered consumer health data?

Yes. The definition of consumer health data includes information that is derived or extrapolated from nonhealth data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data. This would include potential inferences drawn from purchases of toiletries. For example, in 2012 the media reported that a retailer was assigning shoppers a “pregnancy prediction score” based on the purchase of certain products; this information is protected consumer health data even though it was inferred from nonhealth data.  Likewise, any inferences drawn from purchases could be consumer health data.

In contrast, nonhealth data that a regulated entity collects but does not process to identify or associate a consumer with a physical or mental health status is not consumer health data.

7: How may a regulated entity or a small business comply with its obligation to retain copies of a consumer’s valid authorization for sale of consumer health data under section 9 and a consumer’s request to delete their consumer health data under section 6 of the Act?

Under section 9 of the My Health My Data Act, it is unlawful for anyone to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. When a consumer grants a person valid authorization to sell their consumer health data, both the seller and purchaser are required to retain a copy of the valid authorization for six years. Section 6 of the My Health My Data Act empowers consumers to have their consumer health data deleted from a regulated entity’s or small business’ network, including archived or backup systems.

If after executing a valid authorization, a consumer exercises their section 6 right to have their consumer health data deleted, a regulated entity or small business may meet its obligation to delete the consumer’s health data and its obligation to retain a copy of the valid authorization by redacting the portion of the valid authorization that specifies the consumer health data for sale (for example, by applying a redaction that states: “REDACTED pursuant to consumer deletion request on [insert date]”).

8: Does the definition of consumer health data include the purchase of non-prescription medication?

MHMD defines consumer health data to include the “use and purchase of prescribed medication.” Non-prescription data is only considered consumer health data if the regulated entity draws an inference about a consumer’s health status from its purchase of non-prescription medication.