HPA Privacy Policy

HEBERT PSYCHOLOGICAL ASSESSMENTSPRIVACY POLICYEffective Date: June 18, 2026Next Scheduled Review: June 18, 2027IMPORTANT NOTICE: This Privacy Policy governs how Hebert Psychological Assessments ("HPA") collects, uses, stores, and discloses your personal and health information. By accessing our website or using our services, you acknowledge that you have read and understood this policy. If you are a minor, your parent or legal guardian must review and consent to this policy on your behalf.1. Introduction and ScopeHebert Psychological Assessments ("HPA," "we," "us," or "our") is a professional psychological assessment practice committed to protecting the privacy, confidentiality, and security of the personal and health information entrusted to us by our clients, their families, and other individuals who interact with our services.This Privacy Policy applies to:•All individuals who visit our website or contact us for information•All current and former clients who receive or have received psychological assessment services•Parents, guardians, or authorized representatives acting on behalf of minor clients•Referring professionals and third parties who share information about clients•All information collected through our website, electronic communications, telephone, and in-person interactionsHPA operates in compliance with all applicable federal, state, and local privacy laws and regulations, including but not limited to:•The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations•The Health Information Technology for Economic and Clinical Health Act (HITECH)•The Americans with Disabilities Act (ADA)•Applicable state psychological licensing laws and ethics codes•The American Psychological Association (APA) Ethical Principles of Psychologists and Code of Conduct•The Family Educational Rights and Privacy Act (FERPA), where applicable2. DefinitionsFor the purposes of this Privacy Policy, the following terms have the meanings set forth below:"Protected Health Information" or "PHI" means individually identifiable health information that is created, received, or maintained by HPA and relates to: (a) the past, present, or future physical or mental health or condition of an individual; (b) the provision of health care to an individual; or (c) the past, present, or future payment for the provision of health care to an individual."Personal Information" means any information that identifies or can reasonably be used to identify a specific individual, including name, address, telephone number, email address, date of birth, Social Security number, and similar identifiers."Assessment Data" means all test scores, behavioral observations, clinical interview information, rating scales, questionnaire responses, and any other data collected during the psychological assessment process."Authorized Representative" means a parent, legal guardian, or other individual legally authorized to make health care decisions on behalf of a client."Covered Entity" has the meaning assigned under HIPAA, 45 C.F.R. § 160.103.3. Information We Collect3.1 Information You Provide DirectlyWe collect information that you or your authorized representative voluntarily provide to us, including:•Full legal name, date of birth, and contact information (address, phone number, email)•Emergency contact information•Health insurance information and billing details•Reason for referral and presenting concerns•Medical history, psychiatric history, and prior assessment or treatment records•Educational history, including school records and prior evaluations (with consent)•Developmental and family history•Completed intake forms, questionnaires, and rating scales•Payment information (processed through secure third-party payment processors)3.2 Information Collected During AssessmentDuring the course of providing psychological assessment services, we collect:•Standardized psychological and neuropsychological test scores and protocols•Clinical interview notes and behavioral observations•Collateral information from teachers, therapists, or other providers (with authorization)•Academic records, report cards, or Individualized Education Program (IEP) documents provided with consent•Medical records and documentation provided with authorization3.3 Website and Technical InformationWhen you visit our website, we may automatically collect certain technical information, including:•IP address and general geographic location•Browser type, version, and operating system•Pages viewed, time spent on pages, and referring URLs•Cookies and similar tracking technologies (see Section 10 for more information)3.4 Information We Do Not CollectWe do not intentionally collect sensitive personal information that is not necessary for the provision of our services, including social media profiles, political views, or financial account information beyond what is necessary for payment processing. We do not purchase or obtain personal information from data brokers or third-party marketers.4. How We Use Your Information4.1 Treatment and Clinical PurposesWe use your personal and health information primarily to provide psychological assessment services, including:•Conducting psychological evaluations and preparing written reports•Communicating with referring professionals with your authorization•Coordinating care with other healthcare providers with your authorization•Providing feedback sessions to discuss assessment results and recommendations•Maintaining clinical records as required by professional and legal standards4.2 Administrative and Business PurposesWe also use your information for legitimate administrative and business purposes, including:•Scheduling appointments and sending appointment reminders•Processing payments and managing billing and insurance claims•Responding to your inquiries and communications•Verifying your identity and eligibility for services•Complying with legal, regulatory, and ethical obligations•Maintaining the security and integrity of our systems and records4.3 Quality Improvement and TrainingWith appropriate safeguards and, where required, your authorization, we may use de-identified information (from which all identifying information has been removed) for:•Internal quality improvement and clinical practice development•Staff training and supervision purposes•Program evaluation and outcome monitoring4.4 Marketing and CommunicationsWe will not use your personal or health information for marketing purposes without your explicit written authorization. We may send general educational or informational communications to individuals who have affirmatively opted in to receive such communications. You may opt out of any non-essential communications at any time.5. Disclosure of Your Information5.1 With Your AuthorizationWe will not disclose your PHI or personal information to third parties without your written authorization, except as described in this Privacy Policy. Your authorization must be voluntary, informed, and in writing. You have the right to revoke any authorization at any time by submitting a written request to HPA, except to the extent that we have already taken action in reliance on the authorization.5.2 Disclosures Permitted Without AuthorizationConsistent with applicable law, including HIPAA, we may disclose your PHI without your authorization under the following limited circumstances:Treatment, Payment, and Healthcare Operations: We may disclose your PHI to other healthcare providers involved in your care, to process insurance claims, and for certain internal healthcare operations as permitted by HIPAA.Required by Law: We may disclose your PHI as required by federal or state law, including in response to valid legal processes such as court orders, subpoenas, or warrants.Public Health Activities: We may disclose your PHI to authorized public health authorities for activities such as mandatory disease reporting, as required by law.Abuse, Neglect, and Domestic Violence: As a licensed mental health professional, HPA is a mandated reporter and is required by law to report suspected child abuse or neglect, elder abuse, or dependent adult abuse to appropriate authorities.Serious Threat to Health or Safety: We may disclose your PHI if we believe in good faith that disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and professional ethics.Workers' Compensation: We may disclose your PHI as authorized or required by workers' compensation laws.Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections.5.3 Business AssociatesWe may share your PHI with certain vendors and service providers ("Business Associates") who perform functions on our behalf, such as billing services, electronic health record systems, and IT support. All Business Associates are required to enter into a HIPAA-compliant Business Associate Agreement and are contractually obligated to safeguard your PHI.5.4 Sale of InformationHPA does not sell, rent, trade, or otherwise transfer your personal information or PHI to third parties for commercial or marketing purposes. This prohibition applies regardless of any other provision of this Privacy Policy.6. Your Privacy RightsSubject to applicable law, you have the following rights with respect to your personal information and PHI:6.1 Right to Access and Receive a CopyYou have the right to inspect and obtain a copy of your PHI that HPA maintains in a designated record set. We will respond to your request within thirty (30) days of receipt. We may charge a reasonable, cost-based fee for providing copies of your records. We may deny access in limited circumstances as permitted by law.6.2 Right to AmendYou have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request if we determine that the PHI is accurate and complete, was not created by HPA, is not part of the information you are permitted to inspect, or is not information that we maintain.6.3 Right to an Accounting of DisclosuresYou have the right to receive an accounting of certain disclosures of your PHI made by HPA. This right does not apply to disclosures made for treatment, payment, or healthcare operations, or to disclosures you specifically authorized.6.4 Right to Request RestrictionsYou have the right to request that we restrict the use or disclosure of your PHI. We are not required to agree to most requested restrictions, but we will seriously consider each request. If we do agree to a restriction, we will honor it except in emergency situations.6.5 Right to Request Confidential CommunicationsYou have the right to request that we communicate with you about your PHI through alternative means or at alternative locations (for example, by contacting you only at a specific phone number or address). We will accommodate reasonable requests.6.6 Right to Receive Notice of BreachYou have the right to receive written notification from HPA if there is a breach of your unsecured PHI, as required by HIPAA and applicable state law.6.7 Rights of Minors and Authorized RepresentativesFor minor clients, rights under this Privacy Policy are generally exercised by the minor's parent or legal guardian. However, consistent with state law, minors may have independent rights to certain health information. In cases of shared custody, HPA will comply with applicable court orders and state law regarding parental access to records.7. Data Security and Safeguards7.1 Administrative SafeguardsHPA implements comprehensive administrative safeguards to protect your information, including:•Designation of a Privacy and Security Officer responsible for overseeing HIPAA compliance•Staff training on privacy and security policies, procedures, and legal obligations•Background verification procedures for staff with access to PHI•Regular risk assessments and security evaluations•Written privacy and security policies and procedures, reviewed annually•Workforce sanctions for violations of privacy and security policies7.2 Physical SafeguardsWe maintain physical safeguards to protect your information, including:•Secure, locked storage of paper records and physical media•Access controls limiting entry to areas containing PHI to authorized personnel•Secure disposal of paper records containing PHI (cross-cut shredding)•Workstation security policies, including screen locks and physical positioning7.3 Technical SafeguardsWe employ technical safeguards appropriate to the sensitivity of the information we maintain, including:•Encryption of electronic PHI at rest and in transit using industry-standard protocols•Unique user accounts and strong password requirements for all systems•Automatic logoff features for electronic systems containing PHI•Audit logging of access to electronic PHI•Secure, HIPAA-compliant electronic health record and practice management systems•Regular software updates and security patching•Secure, encrypted backup systems with tested restoration procedures7.4 Limitations of SecurityWhile HPA implements robust security measures, no security system is impenetrable. We cannot guarantee the absolute security of your information. In the event of a security incident that affects your PHI, we will notify you as required by applicable law.8. Record Retention and DisposalHPA retains clinical and administrative records in accordance with applicable state and federal law, professional licensing requirements, and applicable standards of care. In general:•Adult client records are retained for a minimum of seven (7) years following the last date of service•Minor client records are retained until the client reaches the age of majority plus seven (7) years, or as otherwise required by law•Records subject to pending litigation, audit, or investigation will be retained until such matter is resolvedUpon expiration of the applicable retention period, records containing PHI or personal information will be disposed of in a manner that renders the information unreadable, unreconstructable, and indecipherable, consistent with HIPAA requirements and applicable state law.9. Electronic Communications and Telehealth9.1 Email and Text Message CommunicationsPlease be aware that standard email and text message communications are not fully secure or confidential. If you choose to communicate with HPA via email or text message, you do so at your own risk. We will take reasonable steps to protect any PHI included in electronic communications; however, we strongly recommend that you avoid including sensitive health information in unencrypted email or text messages.We offer secure messaging through our HIPAA-compliant client portal for communications involving PHI. We encourage you to use this secure communication channel whenever possible.9.2 Telehealth and Video ConferencingHPA may offer certain services through telehealth or secure video conferencing platforms. Any telehealth services will be provided through HIPAA-compliant platforms. Use of telehealth services may be subject to separate consent and technical requirements.10. Website Information and Cookies10.1 Information Collected on Our WebsiteOur website may collect certain non-identifying technical information automatically, such as your IP address, browser type, and pages visited. This information is used to maintain and improve our website and is not used to identify you personally.10.2 CookiesOur website may use cookies, which are small data files stored on your device. We use cookies solely for essential website functions (such as maintaining session state) and to improve your experience. We do not use cookies to track your activity across third-party websites or to serve targeted advertising.You may configure your browser to refuse cookies or to alert you when cookies are being sent. However, some portions of our website may not function properly if you disable cookies.10.3 Third-Party LinksOur website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party sites you visit.10.4 AnalyticsWe may use privacy-respecting, aggregate web analytics tools to understand how our website is used. Any such tools used by HPA will be configured to respect user privacy and will not be used to collect or process PHI.11. Privacy Protections for MinorsA significant portion of HPA's practice involves the assessment of children and adolescents. We take the privacy of minor clients extremely seriously.•We collect only the minimum information necessary to provide assessment services to minor clients•PHI of minor clients will not be disclosed without the authorization of a parent or legal guardian, except as required by law or as otherwise permitted under applicable state law•Our website is not directed to children under the age of 13, and we do not knowingly collect personal information directly from children under 13 through our website•Parents and guardians may request access to their minor child's records consistent with applicable state law and any applicable court orders12. Privacy Complaints and ConcernsIf you believe that your privacy rights have been violated, or if you have concerns about how HPA has handled your personal or health information, you have the right to file a complaint. You will not be retaliated against for filing a complaint.To file a complaint with HPA directly, please contact our Privacy Officer in writing at the address provided in Section 14 of this policy. We will investigate all complaints promptly and respond within thirty (30) days.You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), which enforces HIPAA privacy protections. Complaints may be submitted at:•Website: www.hhs.gov/ocr/privacy/hipaa/complaints•Phone: 1-800-368-1019 (TTY: 1-800-537-7697)•Mail: Office for Civil Rights, U.S. Department of Health & Human Services, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 2020113. Changes to This Privacy PolicyHPA reserves the right to modify this Privacy Policy at any time. Material changes to this policy will be posted on our website with an updated effective date. Where required by applicable law, we will provide you with advance written notice of material changes to how we handle your PHI. Your continued use of our services after the effective date of any change constitutes your acceptance of the revised policy.We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. The "Effective Date" at the top of this policy indicates when it was last updated.14. Contact InformationIf you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal or health information, please contact our Privacy Officer:Hebert Psychological Assessments Privacy Officer [Address Line 1] [City, State, ZIP Code] Phone: [Phone Number] Fax: [Fax Number] Email: [Privacy Officer Email] (for general inquiries only — do not send PHI via standard email) Website: [Website URL]15. AcknowledgmentBy using the services of Hebert Psychological Assessments, you acknowledge that you have received, read, and understand this Privacy Policy, and that you consent to the collection, use, and disclosure of your personal and health information as described herein. This Privacy Policy constitutes part of the notice of privacy practices required under HIPAA, 45 C.F.R. § 164.520.A signed copy of your acknowledgment of receipt of this Privacy Policy will be retained in your clinical record. If you have questions about any aspect of this policy, please ask a member of our staff before signing.