Consumer Health Data Privacy Policy
How I handle health-related information from website visitors, under Washington's My Health My Data Act.
Effective May 31, 2026. This is a separate policy from the clinical HIPAA Notice of Privacy Practices, which governs the protected health information of established clients.
This is the Consumer Health Data Privacy Policy for matthewsorg.com under Washington's My Health My Data Act (MHMDA), RCW 19.373. It describes how Epoché Psychotherapy, PLLC ("I," Matthew Sorg, MA, LMHC) handles consumer health data collected through this website from visitors who are not yet clients.
Scope
This policy does not cover the protected health information (PHI) of established clients. Once you become a client, your health information is governed by HIPAA and my Notice of Privacy Practices — MHMDA exempts HIPAA-regulated PHI. This policy fills the gap: information collected from website visitors before a therapy relationship exists.
"Consumer health data" means personal information linked to you that identifies your past, present, or future physical or mental health status — which, on a mental-health-therapy website, can include the simple fact that you contacted a trauma therapist or browsed these pages.
1. Categories of consumer health data I collect, and why
Inquiry information — your name, email, optional phone number, and the content of the message you send — through the website contact form when intake is open, or by emailing or calling me directly (the current method while new-client intake is closed). I use it to respond to your inquiry and, if you choose, to begin a conversation about services. The fact that you contacted a therapy practice is itself health-related.
Website usage / device data — pages viewed, approximate (typically city-level) location derived from IP address, and browser type, as recorded in standard hosting logs and aggregated server-side by my hosting provider. I use it to operate, secure, and improve the website and to understand which information is useful. No analytics script runs in your browser, no analytics cookie or identifier is set, and nothing records names or email addresses unless you enter them into a form.
I collect only what is needed for these purposes. I do not use this data for targeted advertising, and I do not sell it.
2. Categories of sources
- Directly from you — when you submit the contact form (when intake is open) or contact me by email or phone.
- Automatically from your device or browser — when you visit the site (standard server/hosting logs, aggregated server-side).
3. Categories of consumer health data I share
Contact-form information is shared only with the service providers that operate the form and my communications (listed in section 4). Website usage / device data is processed only by the hosting provider listed in section 4.
I do not share consumer health data with advertisers, data brokers, or for any party's marketing. I do not sell consumer health data, and I will not collect, use, or share it for any purpose not described here without first getting your affirmative consent.
4. Third parties and affiliates I share with
I have no corporate affiliates. I share consumer health data only with the following service providers (processors), who may use it only to perform services for me:
- Website hosting — Netlify (serves the site; standard server logs).
- Website analytics — Netlify Web Analytics (server-side aggregation of the hosting logs above; no script in your browser, no cookies, no advertising features or identifiers).
- Inquiry intake & email — Google Workspace. When intake is open, the contact form transmits via Google Apps Script to my Gmail and is stored in my Google Workspace account, which operates under a HIPAA Business Associate Agreement; the form is designed to discourage clinical detail (its pre-submission notice asks you to keep diagnoses, trauma history, and urgent or emergency content out of the message). While intake is closed, inquiries reach me by email (Google Workspace) or phone. Once we begin clinical work, communication moves to the secure client portal in Sessions Health.
- Embedded media & maps — a few pages offer Spotify players, a YouTube video (loaded via the privacy-friendly youtube-nocookie.com), and a Google map of the office. These are click-to-load: nothing is requested from Spotify, Google, or YouTube until you choose to load a specific player or map, so simply viewing a page does not share your data with them. If you do load one, your browser then connects to that provider under its own privacy policy. (The site self-hosts its fonts, so visiting does not call Google Fonts.)
I may also disclose information if required by law (for example, valid legal process) or to protect safety.
5. Your rights, and how to exercise them
Under MHMDA (RCW 19.373.040) you have the right to:
- Confirm and access — confirm whether I am collecting, sharing, or selling your consumer health data, and access that data, including a list of the third parties with whom it is shared;
- Withdraw consent — withdraw your consent to my collection and sharing of your consumer health data;
- Delete — have your consumer health data deleted.
To exercise any of these, contact me at matt@matthewsorg.com or (206) 580-4841. Before acting on a request, I will take reasonable steps to verify your identity and will handle it through a secure channel; I will not require you to create an account to make a request. I will respond within the time the law requires (generally 45 days, extendable once). If I deny your request, you may appeal by replying to my decision; if the appeal is denied, you may contact the Washington State Attorney General at www.atg.wa.gov/file-complaint. I will not discriminate against you for exercising any of these rights.
Your other choices
The site sets no analytics, advertising, third-party tracking, or social-media cookies — visitor counting happens server-side from hosting logs, so nothing runs in your browser and there is nothing to block or opt out of. Standard browser privacy modes work normally. The site uses no behavioral tracking, retargeting pixels, social-media tags, or session-recording tools.
Changes to this policy
If I change the categories of data, purposes, sources, sharing, or processors, I will update this policy before the new practice takes effect and obtain your consent where the law requires it. Substantive changes are posted here with a new effective date. Most recent substantive change: June 10, 2026 — in-browser analytics (Google Analytics) removed entirely in favor of server-side measurement by the hosting provider.
Contact
Epoché Psychotherapy, PLLC · Matthew Sorg, MA, LMHC
226 Summit Ave E, Office B-03, Seattle, WA 98102
(206) 580-4841 · matt@matthewsorg.com