
Privacy Policy

​

Privacy Practices Notice

 

Effective Date: 9/27/25 (Updated from 7/28/23)

Provider: Cindy Jones, LMFT – Sole Proprietor
Practice Name: Cindy Jones Therapy
Contact: 858-376-7333 • cindyjonestherapy@pm.me • cindyjonestherapy.com

​

1. Introduction

This notice explains how we collect, use, protect, and share the protected health information (“PHI”) you entrust to us during telehealth sessions. Our commitment is to safeguard your privacy in line with HIPAA, HITECH, and the privacy statutes of Michigan, California, Wisconsin, Texas, and Florida.

​

2. Information We Collect

  • Personal identifiers: name, date of birth, address, phone number, email address, emergency contacts.

  • Health information: diagnoses, treatment notes, medication lists, and any clinical details you share.

  • Telehealth data: audio/video (only if you consent), session timestamps, IP address/device metadata (used solely for security and troubleshooting).

  • Payment information: billing address, insurance details, payment method.

​

3. How We Use Your Information

We use PHI only for purposes essential to delivering quality therapy:

  1. Treatment & clinical documentation – creating, updating, and storing your treatment plan and notes.

  2. Communication – appointment reminders, scheduling, and administrative messages.

  3. Billing & reimbursement – filing insurance claims, processing payments, issuing receipts.

  4. Legal compliance – mandatory reporting (e.g., child abuse, imminent danger) and responding to lawful requests.

  5. Quality improvement – analyzing aggregated, de‑identified data to enhance our services (never in a way that could identify you).

4. Disclosure of Your Information

We may disclose PHI without your signed authorization only when required or permitted by law.

The disclosure will always contain the minimum amount of information needed.

  • To you – you can request a copy of your records.

  • Other healthcare providers – for coordinated care (with your consent unless law says otherwise).

  • Insurers/payors – for claim filing and payment.

  • Legal authorities – court orders, subpoenas, or mandatory reporting statutes.

  • Business associates – vendors that perform services for us (e.g., secure video platform, billing software). All such partners sign strict confidentiality agreements.

5. Your HIPAA Rights

You have the right to:

  • Access your records (electronic or paper).

  • Request amendments to incorrect information.

  • Obtain an accounting of disclosures made in the past six years (excluding routine disclosures).

  • Ask for restrictions on certain uses/disclosures (we’ll consider them).

  • Request confidential communications (e.g., encrypted email, mailed letters).

  • Receive a paper copy of this notice at no charge.

Clinical notes are the routine records a therapist creates to document the medical aspects of a patient’s care—diagnoses, treatment plans, medication orders, and progress updates—that can be shared with other health‑care providers for treatment, payment, or health‑care‑operation purposes under HIPAA. Psychotherapy notes, by contrast, are the therapist’s private, narrative reflections about a counseling session (thoughts, impressions, and detailed observations); they receive a higher level of protection and may be disclosed only with the patient’s explicit written authorization (or a limited legal exception).

To exercise any right, contact us using the details in Section 1.

​

6. State‑Specific Privacy Sections

California (California Consumer Privacy Act & CMIA)

  • Electronic Health Information: All electronic PHI is encrypted both in transit and at rest.

  • No Sale of PHI: We never sell your health information, and we do not share it for marketing purposes.

  • Consumer Rights: You may request that we do not share your PHI with third parties for non‑treatment purposes.

Michigan (MCL 333.1701 et seq.)

  • Breach Notification: In the unlikely event of a breach, we will notify you within 30 days of discovery, describing what happened, what information was involved, and steps you can take to protect yourself.

  • Reasonable Safeguards: Physical, administrative, and technical safeguards are employed, including regular risk assessments.

Wisconsin (WI Stat. § 138.20)

  • De‑identified Data: Any data used for quality improvement is stripped of identifiers. Re‑identification is prohibited unless expressly authorized.

  • Breach Reporting: We will inform you promptly (no later than 45 days) if a breach affecting your PHI occurs.

Texas (Tex. Health & Safety Code §§ 181.001‑181.058)

  • Written Notice: This privacy notice satisfies Texas’ requirement for a written statement of privacy practices.

  • Confidential Communication: You may request that we communicate with you via a method other than the one we normally use (e.g., secure portal messages instead of email).

Florida (F.S. 456.053)

  • Access Timeline: Upon request, we will provide a copy of your records within 10 business days.

  • Notice Placement: This notice is posted on our website and will be emailed to you upon the start of therapy.


7. Security Measures

  • Encryption: All data (including emails, portal messages, video streams) is encrypted end‑to‑end.

  • Secure Telehealth Platform: Our video service is HIPAA‑compliant and does not store recordings without your explicit permission.

  • Access Controls: Only I (the sole therapist) and platforms that bill insurance (such as Grow, Alma, Thrizer, etc.) can view your PHI. Strong passwords and two‑factor authentication protect every login.

  • Routine Audits: Quarterly risk assessments and self‑training keep our safeguards current.

8. Record Retention

Therapy records are kept for a minimum of 7 years after the last session (or longer if required by state law or professional guidelines). After the retention period, records are destroyed securely (shredded paper, permanent digital deletion).

9. Updates to This Notice

We may revise this notice to reflect changes in law or practice. Any material change will be posted on our website and emailed to active clients. The updated notice becomes effective 30 days after posting, unless a law requires immediate effect.

10. Quick FAQ 

Can I get a copy of my records in PDF?
Absolutely—you can request a secure PDF copy, and I’ll email it to you within ten business days.

What if I move to another state?
The core privacy protections remain the same. If you relocate, I’ll incorporate any new state‑specific requirements that apply to you.

Do you keep recordings of our video sessions?
Only if you give explicit written consent. Otherwise, sessions are not recorded.

How do I know my data is safe on the video platform?
The platform uses AES‑256 encryption and undergoes regular audits to maintain HIPAA compliance.

What should I do if I suspect a breach?
Contact me right away at the phone number listed below. We’ll investigate promptly and, if a breach is confirmed, follow the state‑mandated notification timeline.

11. Contact Us

If you have any questions, concerns, or want to exercise a privacy right, please reach out:

  • Name: Cindy Jones LMFT

  • Phone: 858-376-7333

  • Email: cindyjonestherapy@pm.me

  • Mailing Address: PO Box 5146 Traverse City MI 49696

We aim to respond within 10 business days.

 
