HIPAA Privacy and Security Policy

Mental Root

Introduction

Mental Root (“Company”) has adopted this HIPAA Privacy and Security Policy to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations issued by the U.S. Department of Health and Human Services (“HHS”).

Members of Mental Root’s workforce may have access to Protected Health Information (“PHI”) while performing job-related responsibilities. Mental Root is committed to safeguarding PHI and complying with:

  • HIPAA Privacy Rule

  • HIPAA Security Rule

  • HITECH Breach Notification Rule

HIPAA restricts how PHI may be used, accessed, stored, and disclosed.

Definition of Protected Health Information (PHI)

“Protected Health Information” (“PHI”) includes any information created or received by Mental Root that:

  • Relates to an individual’s past, present, or future physical or mental health

  • Relates to healthcare services provided

  • Relates to payment for healthcare

  • Identifies the individual, or could reasonably be used to identify them

Electronic PHI (“ePHI”) refers to PHI transmitted or stored electronically and is subject to additional HIPAA Security Rule protections.

Unless otherwise specified, “PHI” in this Policy includes “ePHI.”

Workforce Compliance Requirement

All workforce members who may access PHI must comply with:

  • This HIPAA Privacy and Security Policy

  • Mental Root’s Use and Disclosure Procedures

  • Applicable HIPAA laws and safeguards

“Workforce” includes employees, contractors, trainees, volunteers, and any individual whose work is under the direct control of Mental Root.

ARTICLE I — RESPONSIBILITIES

1.1 Privacy Officer and Contact Person

Mental Root will designate a Privacy Officer responsible for administering HIPAA privacy compliance.

Privacy Officer:
Name: Amanda
Email: Amanda@mentalroot.com

The Privacy Officer will also serve as the primary contact for member privacy questions, concerns, or complaints.

1.2 Security Officer

Mental Root will designate a Security Officer responsible for HIPAA Security Rule implementation, including technical safeguards for ePHI.

Security Officer:
Name: Ethan
Email: Ethan@mentalroot.com

1.3 Workforce Access Controls and Training

Mental Root limits access to PHI strictly to workforce members who require it to perform their job duties.

Mental Root will provide HIPAA training that includes:

  • Privacy Rule obligations

  • Security awareness and incident reporting

  • Proper handling of PHI and ePHI

  • Minimum necessary access standards

Training is provided:

  • Upon hiring

  • Periodically thereafter

  • After material policy updates

1.4 Administrative, Technical, and Physical Safeguards

Mental Root maintains safeguards to protect confidentiality, integrity, and availability of PHI.

Risk Assessments

Mental Root conducts periodic risk analyses to identify:

  • Internal and external threats

  • System vulnerabilities

  • Risk mitigation strategies

Security Measures Include:

Access Controls

  • Role-based access permissions

  • Unique user IDs

  • Secure password requirements

  • Multi-factor authentication where appropriate

  • Automatic logoff after inactivity

  • Account lockout after repeated failed login attempts

Transmission Security

  • Encryption of ePHI during transmission

  • Secure communication platforms for clinical information

  • Restricted email use for PHI unless encrypted

Remote Access Protections

Remote access is permitted only through:

  • Approved secure devices

  • VPN or equivalent encrypted channels

  • Authorized user-level permissions

Physical Safeguards

  • Restricted access to server/storage locations

  • Secure workstation positioning to prevent unauthorized viewing

  • Password-protected screen locks

  • Visitor access controls

Device and Media Controls

PHI may not be stored on mobile devices unless:

  • Encrypted

  • Password-protected

  • Approved by the Security Officer

Secure disposal procedures apply to all PHI-containing media.

1.5 Notice of Privacy Practices

Mental Root maintains a HIPAA Notice of Privacy Practices explaining:

  • How PHI may be used or disclosed

  • Individual rights under HIPAA

  • Complaint procedures

  • Contact information for the Privacy Officer

1.6 Complaint Process

Individuals may file privacy complaints through the Privacy Officer.

Mental Root will investigate all complaints promptly and document resolution steps.

1.7 Sanctions for Violations

Workforce members who violate HIPAA policies may face disciplinary action, including:

  • Retraining

  • Suspension

  • Termination

  • Legal reporting where required

1.8 Mitigation of Improper Disclosures

Mental Root will mitigate harmful effects of any unauthorized disclosure of PHI whenever possible.

Workforce members must report suspected violations immediately to the Privacy Officer.

1.9 Breach Notification Requirements

Mental Root complies with HITECH breach notification requirements.

If unsecured PHI is compromised, Mental Root will:

  • Conduct a risk assessment

  • Notify affected individuals as required

  • Notify HHS and media outlets when applicable

  • Provide notice without unreasonable delay, and no later than 60 days after the breach is discovered

A breach is presumed unless Mental Root determines a low probability of compromise.

1.10 No Retaliation

Mental Root prohibits intimidation, retaliation, or discrimination against individuals who:

  • Exercise HIPAA rights

  • File complaints

  • Participate in investigations

No individual is required to waive HIPAA rights as a condition of care or eligibility.

1.11 Business Associate Requirements

Mental Root may share PHI with Business Associates only when:

  • A valid Business Associate Agreement (“BAA”) is in place

  • The Business Associate agrees to HIPAA safeguards

A Business Associate is any entity performing services involving PHI access, such as:

  • Billing vendors

  • IT providers

  • Consultants

  • Legal or accounting services

1.12 Documentation and Retention

Mental Root retains HIPAA compliance documentation for at least six (6) years, including:

  • Policies and procedures

  • Training records

  • Complaints and investigations

  • Breach documentation

  • Authorizations and disclosures

ARTICLE II — USE AND DISCLOSURE OF PHI

2.1 Permitted Uses and Disclosures

Mental Root may use or disclose PHI only as permitted by HIPAA, including:

  • Treatment coordination

  • Payment activities

  • Healthcare operations

  • Legal or public safety purposes

  • Required disclosures to HHS

2.2 Minimum Necessary Standard

Mental Root limits PHI use/disclosure to the minimum necessary amount required to accomplish the intended purpose.

Exceptions include:

  • Disclosures to the individual

  • Authorized disclosures

  • Disclosures required by law

2.3 De-Identified Information

Mental Root may use or disclose de-identified information freely, provided it cannot reasonably be used to identify an individual.

ARTICLE III — INDIVIDUAL RIGHTS

Individuals have rights to:

  • Access their PHI

  • Request amendments

  • Receive disclosure accountings

  • Request confidential communication

  • Request restrictions on certain uses

Requests must be submitted in writing to the Privacy Officer.

Policy Updates

Mental Root reserves the right to amend this Policy at any time to remain compliant with evolving HIPAA requirements.