Privacy Notice
How I handle your information — clinical, administrative, and on my site.
Effective March 3, 2026. Last updated as part of the Sessions Health migration.
This page covers two things that often get conflated: how I handle your protected health information as a clinical practice (the HIPAA Notice of Privacy Practices), and how my site handles information from visitors. Both matter; they involve different kinds of data and different obligations. Part One is what you sign acknowledgment of at intake. Part Two covers website data and links to my Consumer Health Data Privacy Policy under Washington's My Health My Data Act (MHMDA), which applies to anyone visiting matthewsorg.com.
If anything here is unclear, contact me at matt@matthewsorg.com or (206) 580-4841.
Part One: Notice of Privacy Practices (Clinical)
This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. This is the HIPAA-required Notice of Privacy Practices, mirrored from the document you sign acknowledgment of at intake.
My commitment to your privacy
Your health information is personal, and I take my responsibility to protect it seriously. I create and maintain records of the care and services you receive in order to provide you with quality treatment and to meet certain legal requirements. This notice applies to all records generated by this practice.
I am required by law to keep your protected health information (PHI) private, provide you with this notice of my legal duties and privacy practices, follow the terms of the notice currently in effect, and notify you following a breach of your unsecured PHI. I may update the terms of this notice at any time. The current version will always be available at my office, upon request, and on this page.
How I may use and disclose your health information
Treatment, payment, and health care operations. Federal privacy law permits me to use or disclose your PHI without your written authorization in order to provide treatment, process payment, and conduct health care operations. Disclosures for treatment purposes are not subject to a minimum necessary standard, because complete information is often required to provide quality care.
Use of technology in practice operations. This practice uses artificial intelligence (AI) tools to assist with clinical documentation, administrative tasks, and practice management. AI features are built into platforms used in this practice, including Google Workspace and Sessions Health. All AI tools used with your health information operate under HIPAA Business Associate Agreements and are subject to the same privacy and security protections as all other systems in this practice. I do not use any technology that records, transcribes, or listens to our therapy sessions. All clinical decisions, treatment planning, and therapeutic judgments remain entirely my responsibility. AI tools do not interact directly with clients, do not make clinical decisions, and do not have independent access to your records.
Lawsuits and legal proceedings. If you are involved in a lawsuit or dispute, I may disclose your health information in response to a court or administrative order, subpoena, or other lawful process. I will make reasonable efforts to notify you before doing so or to seek a protective order where appropriate.
Uses and disclosures requiring your authorization
Psychotherapy notes. I maintain psychotherapy notes separately from your general treatment record. Any use or disclosure of these notes requires your authorization unless the use or disclosure is: (a) for my use in treating you; (b) for training or supervising mental health practitioners; (c) for my defense in legal proceedings you initiate; (d) required by HHS to investigate HIPAA compliance; (e) required by law; (f) required for health oversight; (g) required by a coroner; or (h) necessary to prevent a serious threat to health or safety.
Marketing. I will not use or disclose your PHI for marketing purposes.
Sale of PHI. I will not sell your PHI.
You may revoke any authorization at any time, in writing. Revocation does not affect uses or disclosures made before I received your revocation.
Uses and disclosures without your authorization
Subject to certain legal limitations, I may use or disclose your PHI without authorization:
- When required by state or federal law
- For public health activities, including reporting suspected abuse or preventing a serious threat to health or safety
- For health oversight activities, including audits and investigations
- For judicial or administrative proceedings in response to a court or administrative order
- For law enforcement purposes, including reporting crimes occurring on my premises
- To coroners or medical examiners performing duties authorized by law
- For legitimate research purposes, subject to applicable legal requirements
- For specialized government functions, including military missions and national security
- For workers' compensation purposes, to the extent required by law
- To send you appointment reminders or information about treatment alternatives
Disclosures requiring opportunity to object
I may share your PHI with a family member, friend, or other person you identify as involved in your care or payment for your care, unless you object. In emergency situations, I may make such disclosures without your prior consent and obtain your agreement afterward.
Your rights
Request limits on use and disclosure. You may ask me not to use or disclose certain PHI for treatment, payment, or health care operations. I am not required to agree, and may decline if doing so would affect your care.
Restrict disclosures for out-of-pocket services. If you have paid in full out of pocket for a service, you have the right to request that I not disclose PHI related to that service to your health plan.
Choose how I contact you. You may ask me to reach you in a specific way or at a specific address, and I will honor all reasonable requests.
Access your records. You have the right to obtain a copy of your health record within 30 days of your written request. A reasonable, cost-based fee may apply. Psychotherapy notes are excluded.
Accounting of disclosures. You may request a list of disclosures I have made for purposes other than treatment, payment, or operations. The list covers the prior six years. The first request each year is free.
Amend your records. If you believe your PHI contains an error, you may request a correction. I may decline but will explain my reasons in writing within 60 days.
Receive a copy of this notice. You may request a paper or electronic copy at any time.
Questions and complaints
If you have questions about this notice or believe your privacy rights have been violated, contact me at matt@matthewsorg.com or (206) 580-4841.
You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. Filing a complaint will not affect your care.
U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201. 1-877-696-6775. www.hhs.gov/ocr/privacy
Part Two: Website & Consumer Health Data
How my website handles information from visitors — including consumer health data under Washington's My Health My Data Act (MHMDA), RCW 19.373 — is covered in a dedicated policy:
Consumer Health Data Privacy Policy →
In short: the site uses Google Analytics 4 with no advertising features; inquiries (the contact form when intake is open, or email/phone while it's closed) reach a HIPAA-BAA-covered Google Workspace account; embedded Spotify/YouTube players and the office map are click-to-load (no third-party contact until you choose to load them); and I do not sell consumer health data or share it for anyone's marketing. The dedicated policy sets out the categories collected and why, the sources, what is shared and with which service providers, and how to exercise your MHMDA rights to confirm, access, withdraw consent, and delete — including the appeal path and the Washington State Attorney General complaint route.