Privacy Policy & Notice of Privacy Practices
Effective Date: October 9th, 2025
1. Introduction & Scope
This Privacy Policy and Notice of Privacy Practices describes how Mary Smith, LLC (“we,” “us,” “our”) may use, disclose, and protect your Protected Health Information (PHI) and other personal data, in compliance with:
- The federal HIPAA Privacy Rule
- Virginia state law (Va. Code § 32.1-127.1:03) regarding health record access, audit trails, and redisclosure restrictions
- Applicable District of Columbia requirements
- Other relevant federal and state laws
This Notice applies to all PHI we create, receive, maintain, or transmit in providing psychotherapy, counseling, or mental health care services. It also addresses non-PHI website & contact data practices.
We commit to safeguarding your privacy. This Notice also states your rights and our obligations regarding your PHI.
2. Definitions
- Protected Health Information (PHI): Information about your past, present, or future mental or physical health, provision of health services, or payment for those services, that identifies you or for which there is a reasonable basis to believe it can identify you.
- Psychotherapy Notes: Notes recorded by a mental health professional documenting or analyzing conversation during a private therapy session that are kept separate from the rest of your medical record. These enjoy heightened protections.
- Use: When we share, employ, apply, access, or leverage PHI within our practice (e.g. staff, internal reviews).
- Disclosure: When we release, transfer, or provide access to PHI to external parties outside our practice (e.g. another provider, insurance).
- Business Associate: A third party that performs certain functions or activities on our behalf (e.g. billing company, secure cloud storage) and which must agree contractually to safeguard PHI.
3. How We Use & Disclose PHI Without Your Authorization
We may use and disclose PHI without your explicit written authorization for the following “routine” purposes, subject to applicable law and the “minimum necessary” standard:
Purpose: Examples / Details
- Treatment: Sharing PHI with other healthcare providers you authorize, consulting with specialists, coordinating care.
- Payment: Submitting claims to insurers, verifying coverage, collecting fees.
- Health Care Operations: Internal audits, quality improvement, licensing, training staff, compliance reviews.
- Legal Requirements: When required by law, court orders, mandatory reporting (e.g. abuse, threats).
- Public Health & Safety: Preventing serious harm, reporting as required (e.g. communicable diseases).
- Law Enforcement or Judicial Processes: In response to valid subpoenas, court orders, or to assist law enforcement within legal limits.
We will only share the minimum necessary PHI to achieve the purpose of the use or disclosure.
4. Uses & Disclosures That Require Your Authorization
Your written authorization is required (and you may revoke it) for disclosures of PHI not covered by the above, including but not limited to:
- Psychotherapy notes (if kept separately)
- Use of PHI for marketing (unless otherwise exempt)
- Sale of PHI
- Disclosure of PHI beyond the specific limits of an authorization (redisclosure)
You may revoke your authorization at any time in writing, except to the extent we have already acted under that authorization.
Electronic Records & Telehealth Systems
Client Portal
For existing or prospective clients, appointment scheduling, secure messaging, intake forms, and telehealth are conducted through the SimplePractice client portal. This portal is hosted separately from this website and operates under HIPAA-compliant security standards. Any PHI shared through the portal is protected under federal privacy laws and our notice of privacy practices.
5. Your Rights Regarding PHI
Under HIPAA and Virginia law, you have the following rights:
- Right to Inspect and Copy PHI
  You may request access to your PHI in the “designated record set” (electronic or paper). We must respond within 30 days (or up to 60 days with notice).
  Under Virginia law, you also have the right to receive audit trails of additions, deletions, or changes to your health records upon request.
- Right to Request Amendment
  You may request corrections or additions to your PHI if you believe something is incomplete or inaccurate. We must respond (accept or deny) within 60 days (or provide notice of extension).
- Right to an Accounting of Disclosures
  You may request a listing of non-routine disclosures of your PHI made in the past six years (or a shorter period you choose), excluding certain disclosures (e.g. for treatment, payment, operations).
- Right to Request Restrictions
  You may request limits on how we use or disclose your PHI (e.g. “do not disclose to insurer”). While we are not required to agree, we will consider requests in good faith.
- Right to Confidential Communications
  You may ask that we contact you using alternative means or at alternative locations (e.g. phone number, mailing address).
- Right to Receive This Notice
  You can request a paper copy of this Notice at any time.
- Right to Complain
  If you believe your privacy rights have been violated, you may file a complaint with us (contact information below) or with the U.S. Department of Health & Human Services, Office for Civil Rights. We will not retaliate against you.
6. Security & Safeguards
We employ administrative, physical, and technical safeguards to protect PHI:
- Encryption of electronic PHI (ePHI) in storage and transmission
- Secure access controls (passwords, role-based access)
- Regular risk assessments and audits
- Secure physical storage for paper records
- Business Associate Agreements with vendors handling PHI
In the event of a breach of unsecured PHI, we will comply with the HIPAA Breach Notification Rule and notify you and relevant authorities as required.
7. Website & Non-PHI Data / Contact Forms
When individuals browse the website, contact via forms, or sign up for newsletters, we may collect non-health data, such as:
- Name
- Email address
- IP address
- Analytics data (browser type, pages visited)
This non-PHI data is used to respond to inquiries, provide content, improve site functionality, and send optional communications (if you opt in). We do not disclose your PHI collected in therapy to website vendors unless they are HIPAA-compliant and bound by Business Associate Agreements.
You have the right to request deletion or correction of your non-PHI data.
8. Changes to This Notice
We reserve the right to modify this Notice at any time. Any changes will apply to PHI we already hold. We will post the revised Notice on our website with an updated effective date and provide it upon request.
9. Contact & Complaints
Mary Smith, LLC
Address: [Address or P.O. Box]
Phone: [Phone number]
Email: [Email address]
If you have privacy or HIPAA questions, or wish to file a complaint, contact us. You may also file with:
U.S. Department of Health & Human Services
Office for Civil Rights (OCR)
[OCR contact info / website]
10. Additional State-Law Notes & Disclaimers
- Under Virginia law (Va. Code § 32.1-127.1:03), if you request your health records, we must include an audit trail of additions, deletions, or revisions.
- Virginia law prevents redissemination of your health records beyond the purpose for which they were disclosed, absent specific authorization.
- Some disclosures may occur in emergencies, court orders, or where reporting is required by law (e.g. abuse, self-harm risk) — as allowed under both HIPAA and state statutes.
- This Notice does not cover disclosures not involving PHI or non-health related data.