Intuitive Ally Counseling Services: Privacy Policy
Tana Noonan, Licensed Marriage and Family Therapist Inc DBA Intuitive Ally Counseling Services
PLAIN LANGUAGE SUMMARY
What You Need to Know About Your Privacy:
• What Information We Collect: We collect your name, contact information, health history, mental health diagnoses, treatment notes, insurance information, and payment details needed to provide therapy services.
• How We Use It: We use your information solely to provide mental health treatment, manage appointments, process insurance claims, and comply with legal requirements. We do not use your information for marketing or any commercial purposes.
• Who We Share With: We only share your information with other healthcare providers involved in your care (with your authorization), your insurance company for billing, secure technology vendors (like our electronic health record system), and when required by law (such as mandatory reporting of abuse or court orders).
• Your Rights: You can access your records, request corrections, ask us to delete information (with certain exceptions), limit how we use sensitive information, and file complaints if you believe your privacy has been violated.
• We Do Not Sell Your Information: We have never sold your personal information and will never do so.
• AI Use Disclosure: We use AI-assisted tools for administrative tasks like scheduling and billing, and for clinical documentation assistance. All clinical decisions are made by licensed therapists, not AI systems.
• Questions or Concerns: Contact us at tana@intuitiveallycounseling.com or 951-384-1380. You can also file complaints with the California Attorney General, U.S. Department of Health and Human Services, or California Board of Behavioral Sciences.
This summary is provided for your convenience. The full Privacy Policy below contains complete details about our privacy practices and your legal rights.
1. INTRODUCTION AND BUSINESS INFORMATION
This Privacy Policy describes how Tana Noonan, Licensed Marriage and Family Therapist Inc DBA Intuitive Ally Counseling Services (“we,” “us,” “our,” or “Practice”) collects, uses, maintains, and discloses personal information obtained from clients and visitors to our mental health practice. This Policy applies to all personal information collected through our mental health services, website (www.intuitiveallycounseling.com), and related communications.
Business Information:
Legal Name: Tana Noonan, Licensed Marriage and Family Therapist Inc DBA Intuitive Ally Counseling Services
Business Address: 29970 Technology Drive STE 208H, Murrieta, CA 92563
Professional License: California Board of Behavioral Sciences MFT #53258
Professional Liability Insurance: CPH, 711 S Dearborn St #205, Chicago, IL 60605
Primary Services: Mental health services including therapy, counseling, and psychological services
This Privacy Policy is designed to comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA), the Health Insurance Portability and Accountability Act (HIPAA), and all applicable California Board of Behavioral Sciences regulations and California Association of Marriage and Family Therapists (CAMFT) recommendations.
We are committed to protecting your privacy and maintaining the confidentiality of your personal and health information. This Policy explains your rights regarding your personal information and how you can exercise those rights. We do not sell, rent, or monetize personal information in any manner.
2. CATEGORIES OF PERSONAL INFORMATION WE COLLECT
We collect and maintain various categories of personal information necessary to provide comprehensive mental health services. The specific categories of personal information we collect include:
Identifiers and Contact Information:
Full name, aliases, and preferred names
Residential and mailing addresses
Email addresses and telephone numbers
Date of birth and age
Social Security number (when required for insurance or legal purposes)
Driver’s license or state identification numbers
Emergency contact information including names, relationships, and contact details
Protected Health Information:
Mental health diagnoses and clinical assessments
Detailed progress notes and treatment plans
Psychological testing results and clinical observations
Family history and genetic information relevant to mental health
Medical history and current medications
Substance use history and treatment records
Crisis intervention and safety planning information
Therapeutic goals and treatment outcomes
Financial and Insurance Information:
Health insurance policy numbers and coverage details
Payment method information including credit card details
Billing addresses and payment history
Insurance claims and reimbursement records
Financial assistance or sliding scale fee arrangements
Sensitive Personal Information:
Precise geolocation data when using telehealth services
Health information as defined under HIPAA and CMIA
Information revealing mental health conditions or treatment
Contents of communications during therapy sessions
We do not collect biometric information, including fingerprints, voiceprints, iris or retina scans, keystroke patterns, gait patterns, or other biological measurements or characteristics.
3. SOURCES OF PERSONAL INFORMATION
We collect personal information directly from you and from the following sources:
Direct Collection from Clients:
Initial intake forms and assessment questionnaires
Verbal communications during therapy sessions
Written communications including emails and text messages
Online client portals and telehealth platforms
Insurance verification and authorization forms
Third-Party Sources:
Healthcare providers including psychiatrists, medical doctors, and other therapists when you provide authorization
Insurance companies for coverage verification and claims processing
Legal representatives when required by court order or legal process
Family members or emergency contacts when you provide consent or in emergency situations
Previous healthcare providers when you authorize transfer of records
Automatic Collection:
Electronic health record systems and practice management software
Website analytics and usage data
Telehealth platform technical data including connection quality and session duration
Email communication systems and appointment scheduling platforms
4. HOW WE USE YOUR PERSONAL INFORMATION
We use your personal information solely for legitimate business purposes related to providing mental health services and complying with legal obligations. Specific uses include:
Treatment and Clinical Services:
Conducting comprehensive mental health assessments and diagnoses
Developing and implementing individualized treatment plans
Providing ongoing therapy and counseling services
Monitoring treatment progress and adjusting therapeutic interventions
Coordinating care with other healthcare providers when authorized
Maintaining detailed clinical records and progress notes
Conducting crisis interventions and safety assessments
Healthcare Operations:
Scheduling and managing appointments
Processing insurance claims and obtaining prior authorizations
Conducting quality assurance and clinical supervision activities
Training and education of clinical staff
Accreditation and licensing compliance activities
Risk management and professional liability insurance requirements
Payment and Financial Operations:
Processing payments and managing billing accounts
Verifying insurance coverage and benefits
Collecting outstanding balances and managing payment plans
Providing financial assistance and sliding scale fee determinations
Maintaining financial records for tax and accounting purposes
Financial Privacy Protections:
• Payment Plan Confidentiality: All financial arrangements, including payment plans and sliding scale fee agreements, are kept strictly confidential. This information is not shared with insurance companies or third parties except as required for billing purposes.
• Collection Agency Privacy Safeguards: If an account is referred to a collection agency, we share only the minimum information necessary: your name, contact information, dates of service, and outstanding balance. We do NOT disclose diagnostic information, treatment details, or the nature of services provided to collection agencies.
• Superbill Privacy: When you request a superbill for out-of-network insurance reimbursement, we provide you with a statement containing only the information required by insurers: provider information, dates of service, CPT codes, diagnostic codes, and charges. You control whether and when to submit this to your insurance company.
• Financial Assistance Confidentiality: Applications for reduced fees or financial hardship accommodations are kept in a separate confidential file and are not part of your clinical record.
• Credit Card Security: We use PCI-compliant payment processing systems that encrypt credit card information. We do not store complete credit card numbers in our systems.
Legal and Regulatory Compliance:
Complying with mandatory reporting requirements for child abuse, elder abuse, or threats of harm
Responding to court orders, subpoenas, and legal process
Maintaining records in accordance with professional licensing requirements
Conducting internal audits and compliance monitoring
Reporting to professional licensing boards when required
Communication and Administrative Purposes:
Sending appointment reminders and scheduling confirmations
Providing treatment summaries and discharge planning information
Communicating with authorized family members or emergency contacts
Sending educational materials and wellness resources when requested
Managing client portal access and technical support
We do not use your personal information for marketing purposes, commercial advertising, or any form of data monetization. We do not sell, rent, or share your personal information for commercial purposes.
5. SHARING AND DISCLOSURE OF PERSONAL INFORMATION
We maintain strict confidentiality of your personal information and only share it in limited circumstances as described below. All sharing is governed by HIPAA, CMIA, and professional ethical standards.
Treatment Coordination:
We may share your personal information with other healthcare providers involved in your care, including:
Psychiatrists for medication management and consultation
Medical doctors for physical health coordination
Other licensed therapists or counselors for collaborative treatment
Specialized healthcare providers for referrals and consultations
Hospital emergency departments in crisis situations
All treatment-related sharing requires your written authorization except in emergency situations where disclosure is necessary to prevent serious harm.
Insurance and Payment Processing:
We share necessary information with:
Your health insurance company for coverage verification, prior authorization, and claims processing
Third-party billing services and clearinghouses for claims submission
Payment processors for secure transaction processing
Collection agencies only after exhausting internal collection efforts and providing required notices
Technology Service Providers:
We share limited information with:
Sessions Health (our electronic health record system) for secure data storage and practice management
Telehealth platform providers for secure video conferencing
Email and communication service providers with business associate agreements
Cloud storage providers with HIPAA-compliant security measures
IT support services with signed confidentiality agreements
Complete List of Technology Vendors with Access to Protected Health Information:
• Sessions Health: Electronic health record system, practice management, secure messaging, telehealth platform, and clinical documentation. Data stored in HIPAA-compliant cloud servers in the United States. Business Associate Agreement in place. Security audits conducted annually.
• Gemini AI (Google): Administrative assistance for scheduling, appointment reminders, and non-clinical communications only. Does NOT process protected health information or clinical content. Business Associate Agreement in place for administrative functions.
• Clinical Notes AI: Transcription and clinical documentation assistance. Used only with client consent. Processes session audio/notes solely for documentation purposes. Data encrypted in transit and at rest. Business Associate Agreement in place. Client opt-out available at any time.
• Payment Processor (TBD - specify your actual processor): Credit card and payment processing. PCI-DSS compliant. Encrypts all financial transactions. Does not have access to clinical information.
• Cloud Storage Provider (via Sessions Health): Secure encrypted storage of electronic health records. HIPAA-compliant infrastructure. Data residency in United States. Business Associate Agreement in place.
Note: This list reflects vendors with access to protected health information as of the date of this policy. We will update this list as vendors change. You may request a current vendor list at any time by contacting tana@intuitiveallycounseling.com.
Vendor Security Management:
• Security Audits: All vendors are required to undergo annual security audits and provide documentation of HIPAA compliance, SOC 2 certification, or equivalent security standards.
• Business Associate Agreements: Every vendor with access to protected health information has signed a HIPAA Business Associate Agreement requiring strict data protection, breach notification, and secure data handling.
• Vendor Termination Procedures: When we terminate a vendor relationship, all protected health information must be returned to us or securely destroyed within 30 days, with written certification of destruction provided.
• Data Processing Agreements: All vendors are contractually prohibited from using your information for any purpose other than providing services to our practice.
• International Data Transfers: We do not use vendors that process or store protected health information outside the United States. All data remains within U.S. jurisdiction.
Legal and Regulatory Disclosures:
We may disclose personal information when required by law:
Mandatory reporting of suspected child abuse, elder abuse, or dependent adult abuse
Threats of serious harm to self or others requiring intervention
Court orders, subpoenas, and other legal process
Professional licensing board investigations and disciplinary proceedings
Law enforcement requests when legally required
Public health authorities for disease reporting or prevention
Business Operations:
We may share information with:
Professional liability insurance carriers for coverage and claims
Legal counsel for professional advice and representation
Clinical supervisors and consultants for quality assurance
Accreditation bodies for compliance verification
Auditors and accountants for financial and compliance reviews
All third parties who receive your personal information are required to maintain confidentiality and use the information only for the specified purposes. We obtain business associate agreements with all service providers who handle protected health information.
6. YOUR CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
As a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). These rights include:
Right to Know:
You have the right to request disclosure of:
The categories of personal information we collect about you
The categories of sources from which we collect personal information
The business or commercial purposes for collecting personal information
The categories of third parties with whom we share personal information
The specific pieces of personal information we have collected about you
Right to Delete:
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions including:
Information necessary to complete the transaction or provide requested services
Information required for legal compliance or regulatory obligations
Information necessary for professional licensing and ethical requirements
Information needed for internal uses reasonably aligned with your expectations
Information required for record retention under mental health practice standards
Right to Correct:
You have the right to request correction of inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct inaccurate information upon verification of your identity and the requested corrections.
Right to Limit Use of Sensitive Personal Information:
You have the right to limit our use and disclosure of sensitive personal information to:
Uses necessary to perform services reasonably expected by you
Uses disclosed in this Privacy Policy
Uses required by law or professional ethical obligations
Right to Non-Discrimination:
We will not discriminate against you for exercising any of your privacy rights, including:
Denying goods or services
Charging different prices or rates
Providing different levels or quality of services
Suggesting you may receive different treatment
Right to Opt-Out of Sale:
We do not sell personal information and have not sold personal information in the preceding 12 months. We do not have actual knowledge of selling personal information of consumers under 16 years of age.
Limitations on Rights:
Certain privacy rights may be limited when exercising them would:
Interfere with our ability to provide mental health services
Violate professional ethical obligations or licensing requirements
Compromise the confidentiality of other individuals
Conflict with mandatory reporting or legal obligations
Impair ongoing treatment or therapeutic relationships
Practical Examples of Exercising Your Privacy Rights:
The following examples illustrate common scenarios where clients exercise their privacy rights:
Example 1: Right to Know
Situation: You're applying for disability benefits and need to understand what information we have in your records.
Action: Submit a Right to Know request asking for: (1) categories of personal information we've collected, (2) sources of that information, (3) purposes for collection, and (4) any third parties we've shared it with.
Timeline: We will acknowledge your request within 10 business days and provide the information within 45 days.
Example 2: Right to Access (HIPAA)
Situation: You're transferring to a new therapist and want copies of your complete treatment records.
Action: Request access to your health records, including all clinical notes, treatment plans, assessments, and correspondence. Specify if you want electronic or paper copies.
Timeline: We will provide access within 30 days. You may be charged reasonable copying and mailing fees.
Example 3: Right to Correct
Situation: You notice your address is incorrect in our records, or a diagnosis code doesn't accurately reflect your current condition.
Action: Submit a request to correct the inaccurate information, providing the correct information and explaining why the change is needed.
Result: We will correct factual errors like contact information immediately. Clinical corrections (like diagnoses) require professional judgment—we may add an addendum to your record rather than changing the original entry.
Example 4: Right to Request Restrictions
Situation: You pay out-of-pocket for therapy and don't want any information shared with your insurance company (even though you have insurance).
Action: Request that we not disclose any information to your health plan regarding services you paid for in full out-of-pocket.
Result: We MUST agree to this restriction under HIPAA. We will not submit claims or share information with your insurance for these sessions.
Example 5: Right to Confidential Communications
Situation: You don't want appointment reminders or billing statements sent to your home address where others might see them.
Action: Request that we communicate with you only via email, cell phone, or a P.O. Box instead of your home address.
Result: We will accommodate your reasonable request and update our records to use only your preferred contact methods.
Example 6: Right to Delete
Situation: You attended one consultation session two years ago but never continued treatment. You want the record deleted.
Action: Submit a deletion request for that consultation record.
Result: We will likely DENY this request because: (1) we must maintain records for 7 years under California licensing law, (2) the record is necessary for legal compliance, and (3) deletion could interfere with our professional obligations. We will explain the specific reasons for denial in our response.
Common Reasons Deletion Requests Are Denied:
• Professional licensing requirements mandate retaining records for at least 7 years
• Records are necessary to complete ongoing treatment or services
• Deletion would violate legal or regulatory obligations (tax records, insurance documentation, court orders)
• Records are needed for internal compliance, quality assurance, or risk management
• Deletion could compromise the therapeutic relationship or continuity of care
7. HIPAA NOTICE OF PRIVACY PRACTICES INTEGRATION
This Privacy Policy incorporates and supplements our HIPAA Notice of Privacy Practices. Under HIPAA, you have additional rights regarding your protected health information:
Right to Access Your Health Records:
You have the right to inspect and obtain copies of your health records, including:
Clinical notes and progress records
Treatment plans and assessments
Test results and diagnostic information
Billing and payment records
Correspondence related to your care
We will provide access within 30 days of your request, with one 30-day extension if necessary. You may also request that we prepare a summary of your treatment instead of providing copies of the full record. We may charge reasonable, cost-based fees for copying records, preparing summaries, and mailing.
Right to Request Amendments:
You may request amendments to your health records if you believe information is incorrect or incomplete. We will respond within 60 days and may deny requests if:
The information was not created by our practice
The information is accurate and complete
The information is not part of your designated record set
The information is not available for inspection under HIPAA
Right to Request Restrictions:
You may request restrictions on how we use or disclose your health information for treatment, payment, or healthcare operations. We are not required to agree to restrictions except:
Restrictions on disclosures to health plans when you pay out-of-pocket in full
Restrictions required by law
Restrictions we voluntarily agree to honor
Right to Request Confidential Communications:
You may request that we communicate with you about your health information in a specific manner or at specific locations. We will accommodate reasonable requests that do not interfere with treatment or payment activities.
Right to an Accounting of Disclosures:
You may request an accounting of disclosures of your health information made by our practice for purposes other than treatment, payment, or healthcare operations. The accounting will cover up to six years prior to your request.
Psychotherapy Notes Clarification:
We do not keep "psychotherapy notes" as that term is defined in 45 CFR § 164.501 of the HIPAA regulations. Under HIPAA, "psychotherapy notes" refers to notes recorded by a mental health professional documenting or analyzing the contents of a conversation during a private counseling session, kept separate from the rest of the medical record.
Instead, we maintain a comprehensive clinical record of your treatment, which includes progress notes, treatment plans, diagnoses, medications, test results, and other information necessary for your care. This clinical record is part of your designated record set, and you have the right to access and obtain copies of this record as described above.
Authorization and Revocation of Authorization:
For uses and disclosures of your protected health information not described in this Privacy Policy, we will obtain your written authorization before using or disclosing your information. You have the right to revoke any authorization you have given us at any time.
To revoke an authorization:
• Provide written notice of revocation to our office
• Send your revocation to: tana@intuitiveallycounseling.com or mail to our office address
• Your revocation will be effective immediately upon receipt, except to the extent we have already taken action in reliance on the authorization
• Revoking authorization does not affect any actions we took before receiving your revocation
Emergency Disclosures to Family and Friends:
We may disclose your protected health information to a family member, friend, or other person you have identified as being involved in your care or payment for your care. You have the right to object to these disclosures.
In emergency situations where you are unable to agree or object to such disclosures, we may share your information with these individuals if we determine it is in your best interest based on our professional judgment. We may obtain your consent retroactively when the emergency situation has passed.
Right to File Complaints:
You may file complaints about our privacy practices with:
Our Privacy Officer at the contact information provided below
The U.S. Department of Health and Human Services Office for Civil Rights
The California Department of Public Health
The California Board of Behavioral Sciences
8. AUTOMATED DECISION-MAKING TECHNOLOGY DISCLOSURES
We use automated decision-making technology (ADMT) and artificial intelligence systems in our practice operations and client services. In compliance with CCPA regulations effective January 1, 2026, we provide the following disclosures:
AI Systems Currently in Use:
Sessions Health: Electronic health record system with automated scheduling, billing, and clinical documentation features
Gemini: AI-powered communication and administrative assistance for practice management
Clinical Notes AI: Automated transcription and clinical note generation assistance
Pre-Use Notice for Healthcare-Related Decisions:
Before using ADMT for any decision that could significantly impact your healthcare services, we will provide specific notice including:
The purpose and intended use of the automated system
The type of decision being made using ADMT
Your right to request human review of automated decisions
The process for requesting human intervention or appeal
Contact information for questions about automated decision-making
Human Review and Intervention:
You have the right to:
Request human review of any automated decision affecting your care
Receive an explanation of the logic and factors used in automated decision-making
Challenge or appeal automated decisions through human intervention
Opt out of certain automated decision-making processes where feasible
Limitations and Safeguards:
All clinical decisions ultimately require human professional judgment
Automated systems are used only to assist, not replace, clinical decision-making
Regular auditing and monitoring of AI system performance and bias
Ongoing training and oversight of staff using automated systems
Compliance with professional ethical standards and licensing requirements
Data Used in Automated Systems:
Automated systems may process:
Clinical assessment data and diagnostic information
Treatment history and progress notes
Scheduling and appointment data
Insurance and billing information
Communication and correspondence records
All automated processing is subject to the same confidentiality and security protections as manual processing of your information.
Specific AI System Details:
Sessions Health Platform: This electronic health record system uses automated features for appointment scheduling, billing calculations, insurance eligibility verification, and clinical documentation organization. All clinical content and treatment decisions remain under the direct control of your licensed therapist. The platform stores data in HIPAA-compliant, encrypted cloud servers located in the United States.
Gemini AI Assistant: Used exclusively for administrative tasks such as scheduling coordination, appointment reminders, general practice management communications, and non-clinical correspondence. This system does NOT process protected health information, clinical notes, or treatment-related content. It operates solely for operational efficiency and does not influence any healthcare decisions.
Clinical Notes AI: This tool provides transcription assistance and documentation support during therapy sessions. Important: You will be notified before this tool is used in your sessions, and you have the right to opt out of AI-assisted documentation at any time. All AI-generated content is reviewed, edited, and approved by your licensed therapist before being finalized in your clinical record. The AI does not make clinical judgments, diagnoses, or treatment recommendations—it only assists with administrative documentation tasks.
Client Consent and Opt-Out Rights:
Before using any AI system that processes your clinical information or assists with session documentation, we will:
• Provide you with specific written notice describing how the AI tool will be used
• Explain what information the AI will process and how it will be used
• Obtain your explicit written consent before implementation
• Offer you the option to opt out without any negative impact on your treatment
• Provide alternative documentation methods if you decline AI assistance
You may withdraw your consent and opt out of AI-assisted documentation at any time by notifying your therapist verbally or by contacting our office at tana@intuitiveallycounseling.com or 951-384-1380.
Data Processing and Security:
• Data Storage Location: All AI systems processing protected health information use servers located within the United States and comply with HIPAA data residency requirements.
• Encryption: All data transmitted to and from AI systems is encrypted using industry-standard protocols (TLS 1.2 or higher).
• Access Controls: AI systems access only the minimum information necessary for their specific function and operate under strict access control policies.
• No Training on Your Data: Your personal information and clinical data are NOT used to train AI models or improve commercial AI systems.
• Vendor Agreements: All AI service providers have signed Business Associate Agreements (BAAs) ensuring HIPAA compliance and data protection.
9. DATA RETENTION AND STORAGE
We maintain your personal information in accordance with professional standards, legal requirements, and business needs:
Mental Health Records Retention:
Clinical records, progress notes, and treatment documentation: 7 years after the last date of service
Assessment and diagnostic records: 7 years after completion
Correspondence and communication records: 7 years after last contact
Insurance and billing records: 7 years after final payment or claim resolution
Legal and compliance documentation: 7 years or as required by specific legal obligations
Extended Retention Circumstances:
We may retain records longer than the standard retention period when:
Ongoing legal proceedings or potential litigation exist
Professional licensing board investigations are pending
Insurance claims or audits are unresolved
Court orders or legal holds require extended retention
The client is a minor (records retained until age 25 or 7 years after last service, whichever is longer)
Secure Storage Methods:
Electronic records stored in HIPAA-compliant cloud systems with encryption
Physical records maintained in locked, fireproof filing systems
Access controls limiting staff access to authorized personnel only
Regular backup and disaster recovery procedures
Secure destruction of records after retention period expires
Data Minimization Practices:
We collect and retain only the minimum personal information necessary to:
Provide effective mental health services
Comply with professional and legal obligations
Maintain continuity of care and treatment history
Support insurance claims and payment processing
Meet documentation requirements for licensing and accreditation
Record Destruction:
At the end of the retention period, we securely destroy records through:
Electronic data wiping and destruction of storage media
Shredding of physical documents and files
Certificate of destruction for sensitive materials
Verification that all copies and backups are eliminated
Documentation of destruction dates and methods
10. SECURITY MEASURES AND DATA PROTECTION
We implement comprehensive security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction:
Technical Safeguards:
End-to-end encryption for all electronic communications and data transmission
Multi-factor authentication for all system access
Automatic session timeouts and screen locks
Regular security updates and patch management
Firewall protection and intrusion detection systems
Secure backup systems with encrypted storage
Anti-malware and antivirus protection on all devices
Virtual private networks (VPNs) for remote access
Physical Safeguards:
Locked offices and filing cabinets for physical records
Controlled access to facilities with keycard entry systems
Security cameras and alarm systems
Clean desk policies and secure workstation practices
Proper disposal of printed materials containing personal information
Restricted access to server rooms and IT equipment
Environmental controls for temperature and humidity
Fire suppression and disaster recovery systems
Administrative Safeguards:
Comprehensive staff training on privacy and security policies
Background checks for all employees and contractors
Signed confidentiality agreements and business associate agreements
Regular security risk assessments and vulnerability testing
Incident response procedures and breach notification protocols
Access controls based on job responsibilities and need-to-know basis
Regular auditing and monitoring of system access and usage
Disciplinary procedures for security policy violations
Ongoing Security Monitoring:
Continuous monitoring of network traffic and system access
Regular penetration testing and security assessments
Automated alerts for suspicious activities or unauthorized access attempts
Quarterly review and updates of security policies and procedures
Annual third-party security audits and compliance assessments
Staff security awareness training and phishing simulation exercises
Vendor and Third-Party Security:
All third-party service providers must:
Sign business associate agreements with security requirements
Demonstrate HIPAA compliance and security certifications
Undergo security assessments before engagement
Provide regular security reports and compliance documentation
Notify us immediately of any security incidents or breaches
Maintain appropriate cyber liability insurance coverage
11. BREACH NOTIFICATION PROCEDURES
In the event of a security incident or data breach involving your personal information, we have established comprehensive notification procedures:
Immediate Response (0-24 hours):
Immediate containment and assessment of the security incident
Documentation of the breach scope, affected systems, and potential impact
Engagement of our incident response team and legal counsel
Preservation of evidence and forensic analysis
Implementation of additional security measures to prevent further unauthorized access
Regulatory Notification (24-72 hours):
Notification to the U.S. Department of Health and Human Services within 72 hours for HIPAA-covered breaches
Notification to the California Attorney General for breaches affecting 500 or more California residents, as required by both HIPAA and the California Confidentiality of Medical Information Act (CMIA). CMIA requires notification for ANY unauthorized access to medical information, even if the breach affects fewer than 500 individuals
Notification to professional liability insurance carriers
Coordination with law enforcement if criminal activity is suspected
Documentation of all notification activities and responses
Individual Notification (Within 60 days):
We will notify affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach. Notification will include:
Description of the breach and when it occurred
Types of personal information involved in the breach
Steps we have taken to investigate and address the breach
Measures individuals can take to protect themselves
Contact information for questions and additional assistance
Resources for credit monitoring or identity protection services when appropriate (we will provide at least 12 months of free credit monitoring services for breaches involving Social Security numbers, financial account information, or other sensitive financial data)
Notification Methods:
Written notice by first-class mail to last known address
Email notification if you have agreed to electronic communications
Telephone notification for urgent situations requiring immediate action
Substitute notice through website posting or media notification if contact information is insufficient
Direct notification to emergency contacts when individuals cannot be reached
Post-Breach Activities:
Comprehensive investigation and root cause analysis
Implementation of additional security measures and controls
Review and update of security policies and procedures
Additional staff training and awareness programs
Ongoing monitoring for signs of identity theft or fraud
Cooperation with regulatory investigations and enforcement actions
Documentation of lessons learned and process improvements
Types of Incidents Requiring Notification:
Unauthorized access to or disclosure of personal information
Theft or loss of devices containing personal information
Hacking or cyber attacks affecting our systems
Inadvertent disclosure to unauthorized recipients
Disposal of records without proper destruction procedures
Employee misconduct involving personal information
11A. TELEHEALTH PRIVACY PROTECTIONS
When we provide mental health services through telehealth (secure video conferencing), additional privacy considerations apply:
Telehealth Platform and Security:
We use HIPAA-compliant telehealth platforms that provide end-to-end encryption for all video, audio, and chat communications. Our telehealth platform includes:
• Encrypted video and audio transmission using industry-standard protocols
• Secure authentication requiring unique login credentials
• Automatic session timeout after periods of inactivity
• No recording capability without explicit participant consent
• Waiting room features to prevent unauthorized access
• Business Associate Agreements ensuring HIPAA compliance
Client Responsibilities for Telehealth Privacy:
To protect your privacy during telehealth sessions, you are responsible for:
• Private Location: Participating from a private location where you cannot be overheard by others and where confidential information will not be compromised.
• Secure Internet Connection: Using a secure, password-protected internet connection. Avoid public Wi-Fi networks when possible.
• Device Security: Ensuring your device (computer, tablet, smartphone) has up-to-date security software, firewalls, and antivirus protection.
• Screen Privacy: Positioning your device so others cannot view your screen during the session.
• Notification to Others: If someone else is present in your location during the session, you must notify your therapist at the beginning of the session.
Technical Requirements and Privacy Implications:
• Camera and Microphone Access: Our telehealth platform requires access to your device's camera and microphone. This access is used only during scheduled sessions and is terminated when the session ends.
• Location Data: For emergency purposes, we may collect your location information when you use telehealth services. This allows us to dispatch emergency services to your location if you are in crisis.
• Connection Quality Monitoring: The platform may collect technical data about connection quality (bandwidth, latency) to ensure adequate service delivery. This data is not linked to session content.
• Session Logs: We maintain logs of session dates, times, duration, and participants for billing and clinical record-keeping purposes.
Recording Policy:
We do NOT record telehealth sessions unless:
• You provide explicit written consent in advance
• The recording serves a specific clinical, training, or legal purpose
• You are informed when recording begins and ends
• You have the right to revoke consent and request deletion of recordings
You may NOT record telehealth sessions without the express written consent of your therapist and all participants.
Jurisdictional Limitations:
Our therapists are licensed in California. Telehealth services are generally provided only to clients physically located in California at the time of the session. If you are temporarily located outside California, you must notify us in advance to ensure compliance with licensing and privacy laws in that jurisdiction.
Technology Interruptions and Privacy:
In the event of technology failure or interruption during a telehealth session:
• We will attempt to reconnect via the same platform
• If reconnection is not possible, we will contact you via your preferred backup method (phone or text)
• Sensitive information discussed before the interruption remains confidential and protected
• We will document the interruption in your clinical record without compromising confidential content
12. SPECIAL PROTECTIONS FOR MINORS
We provide enhanced privacy protections for clients under 18 years of age in accordance with California law and professional ethical standards:
Parental Rights and Consent:
Parents or legal guardians generally have the right to access their minor child’s health records
Minors aged 12 and older may consent to outpatient mental health treatment without parental consent under California Family Code § 6924, which allows minors to consent if they are mature enough to participate intelligently in treatment and either (1) would present a danger of serious physical or mental harm to self or others without treatment, or (2) are the alleged victim of child abuse
We will discuss confidentiality boundaries with both minors and parents at the beginning of treatment
Special protections apply for sensitive topics including substance abuse, sexual health, and mental health crises
Minor’s Privacy Rights:
Minors have the right to:
Confidential communications about certain sensitive health matters
Request restrictions on disclosures to parents or guardians in specific circumstances
Access their own health records when legally permitted
Participate in decisions about sharing information with parents or other family members (minors aged 12 and older have enhanced rights to consent to mental health treatment independently under California law)
Mandatory Reporting Obligations:
We are required to report suspected child abuse or neglect regardless of confidentiality agreements. This includes:
Physical, sexual, or emotional abuse
Neglect or abandonment
Exploitation or endangerment
Situations where a minor poses a serious threat to themselves or others (defined as imminent risk of suicide, homicide, or grave disability requiring immediate intervention)
CCPA Rights for Minors:
We do not sell personal information of consumers under 16 years of age
Enhanced consent requirements apply for processing personal information of minors
Parents or guardians may exercise privacy rights on behalf of minor children
Special procedures for verifying parental authority and identity
Transition to Adult Status:
When minor clients reach age 18:
Full privacy rights transfer to the individual
Previous parental access rights generally terminate
We will discuss confidentiality preferences with the new adult client
Existing treatment relationships may continue with updated consent and privacy agreements
Educational Records:
When we provide services in school settings:
Coordination with educational privacy requirements
Clear delineation between educational and health records
Appropriate consent procedures for sharing information with school personnel
Protection of student privacy rights in educational environments
12A. GROUP THERAPY PRIVACY CONSIDERATIONS
If you participate in group therapy, couples counseling, or family therapy sessions, additional privacy considerations apply due to the presence of multiple participants:
Confidentiality Expectations Among Group Members:
All group therapy participants are expected to maintain confidentiality regarding:
• The identity of other group members
• Information shared by other participants during sessions
• Personal details, stories, or experiences disclosed in the group
• Any observations about other members' mental health or treatment
Limitations of Privacy in Group Settings:
Important: While we require all group members to agree to confidentiality rules, we cannot guarantee that other participants will maintain confidentiality. Unlike our legal and ethical obligations as licensed therapists, other group members are not bound by professional licensing laws or HIPAA. We cannot control what group members do outside of sessions.
We recommend that you:
• Share only what you are comfortable having others know
• Avoid disclosing highly sensitive information that could cause significant harm if disclosed outside the group
• Use discretion in sharing identifying details about yourself
• Understand that you cannot control others' behavior outside the group setting
Signed Group Confidentiality Agreements:
Before participating in group therapy, all members must sign a group confidentiality agreement that includes:
• Agreement to keep all information shared in group sessions confidential
• Understanding that breach of confidentiality may result in removal from the group
• Acknowledgment that the therapist cannot guarantee other members' compliance
• Agreement not to discuss other group members outside of sessions
• Commitment to respect others' privacy and dignity
Protection of Group Members' Information in Clinical Records:
• Separate Individual Records: Each group member has their own individual clinical record. Information about other members is not included in your record except as necessary to document your treatment.
• Limited Group Notes: Our group session notes focus on your individual participation, progress, and treatment goals rather than detailed information about other members.
• Privacy Requests: If you request access to your records, you will receive only YOUR individual information, not information about other group participants.
• Confidential Identifying Information: Contact information and identifying details about other group members are kept confidential and not disclosed to other participants.
Special Considerations for Couples and Family Therapy:
In couples or family therapy, each participant has privacy rights. We will discuss confidentiality boundaries at the start of treatment, including:
• Whether individual sessions will be kept confidential from other family members
• How information from individual sessions may or may not be shared in joint sessions
• Your right to your own individual records
• Procedures for handling requests for information from one family member about another
13. HOW TO EXERCISE YOUR PRIVACY RIGHTS
You may exercise your privacy rights through the following procedures:
Submitting Privacy Rights Requests:
You may submit requests to exercise your privacy rights through:
Email: tana@intuitiveallycounseling.com (preferred method)
Phone: 951-384-1380 during regular business hours
Mail: 29970 Technology Drive STE 208H, Murrieta, CA 92563
Required Information for Requests:
To process your request, please provide:
Your full name and date of birth
Contact information (email address and phone number)
Specific description of the privacy right you wish to exercise
Date range for information requests (if applicable)
Preferred method for receiving response
Any additional information necessary to verify your identity
Identity Verification Process:
To protect your privacy, we will verify your identity before processing requests through:
Email verification to your registered email address
Plus one additional identifier such as:
• Phone number verification through registered contact number
• Address confirmation for mailing address on file
• Date of birth and last four digits of Social Security number
• Recent service dates or appointment information
Enhanced Verification for Sensitive Requests:
For requests involving deletion of records or highly sensitive information:
In-person identity verification may be required
Government-issued photo identification
Additional security questions about your treatment history
Notarized authorization forms for certain requests
Authorized Agent Procedures:
If you wish to use an authorized agent to submit privacy rights requests:
Written Authorization: Provide a signed written authorization specifically permitting the agent to act on your behalf for privacy matters
Agent Verification: The agent must provide proof of their identity and authority to act
Power of Attorney: General power of attorney documents must specifically include privacy rights authority
Direct Confirmation: We may require direct confirmation from you that you authorized the agent to act
Response Timeframes:
Acknowledgment: We will acknowledge receipt of your request within 10 business days
Response Time: We will respond to requests within 45 days, with one possible 45-day extension for complex requests
Urgent Requests: Requests involving safety concerns or legal deadlines will receive priority processing
Incomplete Requests: We will notify you within 10 days if additional information is needed to process your request
Request Processing:
All requests are processed manually by trained privacy staff
Requests are logged and tracked through completion
Regular status updates provided for complex or extended requests
Detailed response letters explaining actions taken or reasons for denial
Appeal procedures available for denied requests
No Fee for Most Requests:
Initial requests for access, deletion, or correction are processed without charge
Reasonable fees may apply for:
• Excessive or repetitive requests
• Copying and mailing costs for large volumes of records
• Expedited processing when requested
• Complex research or compilation of information
14. CONTACT INFORMATION FOR PRIVACY REQUESTS
For all privacy-related inquiries, requests, and concerns, please contact us using the following information:
Primary Privacy Contact:
Business Name: Tana Noonan, Licensed Marriage and Family Therapist Inc DBA Intuitive Ally Counseling Services
Privacy Officer: Tana Noonan, LMFT
Phone: 951-384-1380
Business Address: 29970 Technology Drive STE 208H, Murrieta, CA 92563
Business Hours for Privacy Requests:
Monday through Friday: 9:00 AM to 5:00 PM Pacific Time
Emergency Situations: 24-hour crisis line available for urgent privacy concerns involving safety
Response Time: We respond to privacy inquiries within 2 business days
Appointment Scheduling: In-person consultations available for complex privacy matters
Mailing Address for Written Requests:
Tana Noonan, LMFT - Privacy Officer
Intuitive Ally Counseling Services
29970 Technology Drive STE 208H
Murrieta, CA 92563
Alternative Contact Methods:
Secure Client Portal: Available through Sessions Health platform for existing clients
Fax: Available upon request for confidential communications
In-Person: Office visits by appointment for sensitive privacy discussions
Regulatory Complaint Contacts:
If you believe your privacy rights have been violated, you may file complaints with:
California Attorney General:
Website: oag.ca.gov/privacy
Phone: 916-210-6276
Address: California Department of Justice, Privacy Unit, P.O. Box 944255, Sacramento, CA 94244-2550
U.S. Department of Health and Human Services:
Website: hhs.gov/ocr/privacy/hipaa/complaints
Phone: 1-800-368-1019
Address: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
California Board of Behavioral Sciences:
Website: bbs.ca.gov
Phone: 916-574-7830
Address: 1625 North Market Blvd., Suite N-212, Sacramento, CA 95834
Professional Liability Insurance:
CPH & Associates: 711 S Dearborn St #205, Chicago, IL 60605
15. UPDATES TO THIS PRIVACY POLICY
We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or business operations. Updates will be handled as follows:
Notification of Changes:
Material Changes: We will provide at least 30 days' advance notice of material changes that significantly affect your privacy rights
Minor Updates: Administrative or clarifying changes will be posted immediately with notification at your next appointment
Emergency Changes: Changes required by law or court order will be implemented immediately with prompt notification
Methods of Notification:
Email Notice: Sent to your registered email address for significant changes
Website Posting: Updated policy posted on our website with effective date
Office Notice: Posted notice in our office waiting area
Direct Mail: Written notice for changes affecting fundamental privacy rights
Appointment Discussion: Review of changes during your next scheduled appointment
Effective Date of Changes:
Prospective Application: Changes generally apply only to information collected after the effective date
Retroactive Application: Limited to circumstances required by law or court order
Grandfathering: Existing privacy preferences and restrictions will be honored unless legally required to change
Opt-Out Period: 30-day period to object to material changes before implementation
Version Control:
Each version of this Privacy Policy will be dated and archived
Previous versions available upon request for reference
Change log maintained documenting all modifications and reasons
Annual comprehensive review and update process
Your Continued Rights:
Updates to this Privacy Policy do not diminish your existing privacy rights under California or federal law. You retain all rights to:
Access your personal information
Request corrections or deletions
Limit use of sensitive personal information
File complaints about privacy practices
Receive notice of data breaches
Legal Requirements:
This Privacy Policy will be updated as necessary to comply with:
Changes in California privacy laws (CCPA/CPRA)
Federal healthcare privacy regulations (HIPAA)
Professional licensing requirements and ethical standards
Court decisions affecting privacy practices
New technology implementations affecting data processing
Effective Date: February 20, 2019
Last Updated: April 02, 2026
This Privacy Policy has been prepared in compliance with the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), California Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.), Health Insurance Portability and Accountability Act (Public Law 104-191), and all applicable California Board of Behavioral Sciences regulations.
For questions about this Privacy Policy or to exercise your privacy rights, please contact us at tana@intuitiveallycounseling.com or 951-384-1380.

