Privacy Notice

How I handle your information — clinical, administrative, and on my site.

Effective March 3, 2026. Last updated as part of the Sessions Health migration.

This page covers two things that often get conflated: how I handle your protected health information as a clinical practice (the HIPAA Notice of Privacy Practices), and how my site handles information from visitors. Both matter; they involve different kinds of data and different obligations. Part One is what you sign acknowledgment of at intake. Part Two applies to anyone visiting matthewsorg.com.

If anything here is unclear, contact me at matt@matthewsorg.com or (206) 580-4841.

Part One: Notice of Privacy Practices (Clinical)

This notice describes how health information about you may be used and disclosed, and how you can access this information. This is the HIPAA-required Notice of Privacy Practices, mirrored from the document you sign acknowledgment of at intake.

My commitment to your privacy

Your health information is personal, and I take my responsibility to protect it seriously. I create and maintain records of the care and services you receive in order to provide you with quality treatment and to meet certain legal requirements. This notice applies to all records generated by this practice.

I am required by law to keep your protected health information (PHI) private, provide you with this notice of my legal duties and privacy practices, and follow the terms of the notice currently in effect. I may update the terms of this notice at any time. The current version will always be available at my office, upon request, and on this page.

How I may use and disclose your health information

Treatment, payment, and health care operations. Federal privacy law permits me to use or disclose your PHI without your written authorization in order to provide treatment, process payment, and conduct health care operations. Disclosures for treatment purposes are not subject to a minimum necessary standard, because complete information is often required to provide quality care.

Use of technology in practice operations. This practice uses artificial intelligence (AI) tools to assist with clinical documentation, administrative tasks, and practice management. AI features are built into platforms used in this practice, including Google Workspace and Sessions Health. All AI tools used with your health information operate under HIPAA Business Associate Agreements and are subject to the same privacy and security protections as all other systems in this practice. I do not use any technology that records, transcribes, or listens to our therapy sessions. All clinical decisions, treatment planning, and therapeutic judgments remain entirely my responsibility. AI tools do not interact directly with clients, do not make clinical decisions, and do not have independent access to your records.

Lawsuits and legal proceedings. If you are involved in a lawsuit or dispute, I may disclose your health information in response to a court or administrative order, subpoena, or other lawful process. I will make reasonable efforts to notify you before doing so or to seek a protective order where appropriate.

Uses and disclosures requiring your authorization

Psychotherapy notes. I maintain psychotherapy notes separately from your general treatment record. Any use or disclosure of these notes requires your authorization unless the use or disclosure is: (a) for my use in treating you; (b) for training or supervising mental health practitioners; (c) for my defense in legal proceedings you initiate; (d) required by HHS to investigate HIPAA compliance; (e) required by law; (f) required for health oversight; (g) required by a coroner; or (h) necessary to prevent a serious threat to health or safety.

Marketing. I will not use or disclose your PHI for marketing purposes.

Sale of PHI. I will not sell your PHI.

You may revoke any authorization at any time, in writing. Revocation does not affect uses or disclosures made before I received your revocation.

Uses and disclosures without your authorization

Subject to certain legal limitations, I may use or disclose your PHI without authorization:

Disclosures requiring opportunity to object

I may share your PHI with a family member, friend, or other person you identify as involved in your care or payment for your care, unless you object. In emergency situations, I may make such disclosures without your prior consent and obtain your agreement afterward.

Your rights

Request limits on use and disclosure. You may ask me not to use or disclose certain PHI for treatment, payment, or health care operations. I am not required to agree, and may decline if doing so would affect your care.

Restrict disclosures for out-of-pocket services. If you have paid in full out of pocket for a service, you have the right to request that I not disclose PHI related to that service to your health plan.

Choose how I contact you. You may ask me to reach you in a specific way or at a specific address, and I will honor all reasonable requests.

Access your records. You have the right to obtain a copy of your health record within 30 days of your written request. A reasonable, cost-based fee may apply. Psychotherapy notes are excluded.

Accounting of disclosures. You may request a list of disclosures I have made for purposes other than treatment, payment, or operations. The list covers the prior six years. The first request each year is free.

Amend your records. If you believe your PHI contains an error, you may request a correction. I may decline but will explain my reasons in writing within 60 days.

Receive a copy of this notice. You may request a paper or electronic copy at any time.

Questions and complaints

If you have questions about this notice or believe your privacy rights have been violated, contact me at matt@matthewsorg.com or (206) 580-4841.

You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. Filing a complaint will not affect your care.

U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201. 1-877-696-6775. www.hhs.gov/ocr/privacy

Part Two: Website Privacy

This section covers what happens when you visit matthewsorg.com. It applies to all visitors regardless of whether you are or become a client.

What my site collects

Analytics. My site uses Google Analytics 4 to understand which pages visitors read and how they arrived. Google Analytics records information like page views, approximate location (typically city-level, derived from IP address), device type, and how long someone spent on a page. It doesn't record names, email addresses, or other identifying information unless someone enters them into a form. My site doesn't use Google Analytics audience features, advertising IDs, or remarketing.

The contact form. If you send a message through the form on my contact page, your name, email address, optional phone number, and message are transmitted via Google Apps Script to my Gmail and stored in my Google Workspace account. Google Workspace operates under a HIPAA Business Associate Agreement, but my form isn't a clinical record system. It's for initial inquiries. Once we begin clinical work, ongoing communication moves to the secure client portal in Sessions Health.

I designed my form to discourage clinical detail. The pre-submission notice asks that you keep clinical specifics, diagnoses, trauma history, and urgent or emergency content out of the message. A short note about what you're looking for is enough; we'll have room for the rest when we talk.

Cookies. My site uses cookies set by Google Analytics for the analytics functions described above. I don't set advertising cookies, third-party tracking cookies, or social media cookies. You can disable cookies in your browser; my site works normally without them, though the analytics data will then reflect fewer visitors than actually used the site.

What my site doesn't do

I don't sell, share, or transfer visitor data to advertisers or third-party marketing services. My site doesn't use behavioral tracking, retargeting pixels, social media tracking tags, or session-recording tools.

Your choices

If you would prefer not to be counted in analytics, you can use any of the standard browser privacy modes (Chrome Incognito, Firefox Private Browsing, Safari Private), use a browser-level analytics blocker, or install the official Google Analytics opt-out add-on.

If you sent a message through my form and want it deleted from my Gmail and any associated records, email me at matt@matthewsorg.com and I'll remove it.

Changes to this notice

If this notice changes substantively, the updated version will be posted here with a new effective date. The clinical section (Part One) will always mirror the current version of the Notice of Privacy Practices you receive at intake.