Consumer Health Data Privacy Policy
How I handle health-related information from website visitors, under Washington's My Health My Data Act.
Effective May 31, 2026. This is a separate policy from the clinical HIPAA Notice of Privacy Practices, which governs the protected health information of established clients.
This is the Consumer Health Data Privacy Policy for matthewsorg.com under Washington's My Health My Data Act (MHMDA), RCW 19.373. It describes how Epoché Psychotherapy, PLLC ("I," Matthew Sorg, MA, LMHC) handles consumer health data collected through this website from visitors who are not yet clients.
Scope
This policy does not cover the protected health information (PHI) of established clients. Once you become a client, your health information is governed by HIPAA and my Notice of Privacy Practices — MHMDA exempts HIPAA-regulated PHI. This policy fills the gap: information collected from website visitors before a therapy relationship exists.
"Consumer health data" means personal information linked to you that identifies your past, present, or future physical or mental health status — which, on a mental-health-therapy website, can include the simple fact that you contacted a trauma therapist or browsed these pages.
1. Categories of consumer health data I collect, and why
Inquiry information — your name, email, optional phone number, and the content of the message you send — through the website contact form when intake is open, or by emailing or calling me directly (the current method while new-client intake is closed). I use it to respond to your inquiry and, if you choose, to begin a conversation about services. The fact that you contacted a therapy practice is itself health-related.
Website usage / device data — pages viewed, links clicked, approximate (typically city-level) location derived from IP address, and device/browser information tied to a visit to a mental-health-services site. I use it to operate, secure, and improve the website and to understand which information is useful. My site uses Google Analytics 4 for this, with no audience features, advertising IDs, or remarketing, and it doesn't record names or email addresses unless you enter them into a form.
I collect only what is needed for these purposes. I do not use this data for targeted advertising, and I do not sell it.
2. Categories of sources
- Directly from you — when you submit the contact form (when intake is open) or contact me by email or phone.
- Automatically from your device or browser — when you visit the site (analytics and standard server/hosting logs).
3. Categories of consumer health data I share
Contact-form information is shared only with the service providers that operate the form and my communications (listed in section 4). Website usage / device data is shared with the analytics and hosting providers listed in section 4.
I do not share consumer health data with advertisers, data brokers, or for any party's marketing. I do not sell consumer health data, and I will not collect, use, or share it for any purpose not described here without first getting your affirmative consent.
4. Third parties and affiliates I share with
I have no corporate affiliates. I share consumer health data only with the following service providers (processors), who may use it only to perform services for me:
- Website hosting — Netlify (serves the site; standard server logs).
- Website analytics — Google Analytics 4 (page-level usage measurement only; no advertising features, remarketing, or Google Ads identifiers).
- Inquiry intake & email — Google Workspace. When intake is open, the contact form transmits via Google Apps Script to my Gmail and is stored in my Google Workspace account, which operates under a HIPAA Business Associate Agreement; the form is designed to discourage clinical detail (its pre-submission notice asks you to keep diagnoses, trauma history, and urgent or emergency content out of the message). While intake is closed, inquiries reach me by email (Google Workspace) or phone. Once we begin clinical work, communication moves to the secure client portal in Sessions Health.
- Embedded media & maps — a few pages offer Spotify players, a YouTube video (loaded via the privacy-friendly youtube-nocookie.com), and a Google map of the office. These are click-to-load: nothing is requested from Spotify, Google, or YouTube until you choose to load a specific player or map, so simply viewing a page does not share your data with them. If you do load one, your browser then connects to that provider under its own privacy policy. (The site self-hosts its fonts, so visiting does not call Google Fonts.)
I may also disclose information if required by law (for example, valid legal process) or to protect safety.
5. Your rights, and how to exercise them
Under MHMDA (RCW 19.373.040) you have the right to:
- Confirm and access — confirm whether I am collecting, sharing, or selling your consumer health data, and access that data, including a list of the third parties with whom it is shared;
- Withdraw consent — withdraw your consent to my collection and sharing of your consumer health data;
- Delete — have your consumer health data deleted.
To exercise any of these, contact me at matt@matthewsorg.com or (206) 580-4841. Before acting on a request, I will take reasonable steps to verify your identity and will handle it through a secure channel; I will not require you to create an account to make a request. I will respond within the time the law requires (generally 45 days, extendable once). If I deny your request, you may appeal by replying to my decision; if the appeal is denied, you may contact the Washington State Attorney General at www.atg.wa.gov/file-complaint. I will not discriminate against you for exercising any of these rights.
Your other choices
If you would prefer not to be counted in analytics at all, you can use any standard browser privacy mode (Chrome Incognito, Firefox Private Browsing, Safari Private), a browser-level analytics blocker, or the official Google Analytics opt-out add-on. My site uses cookies set by Google Analytics for the functions above; it sets no advertising, third-party tracking, or social-media cookies, and works normally if you disable them. The site uses no behavioral tracking, retargeting pixels, social-media tags, or session-recording tools.
Changes to this policy
If I change the categories of data, purposes, sources, sharing, or processors, I will update this policy before the new practice takes effect and obtain your consent where the law requires it. Substantive changes are posted here with a new effective date.
Contact
Epoché Psychotherapy, PLLC · Matthew Sorg, MA, LMHC
226 Summit Ave E, Office B-03, Seattle, WA 98102
(206) 580-4841 · matt@matthewsorg.com