Privacy Policy & Notice of Privacy Practices

Mindful Journey Counseling LLC is committed to safeguarding the privacy and confidentiality of every person we serve. This combined Privacy Policy and Notice of Privacy Practices describes how your protected health information (PHI) and personal information may be used and disclosed, and how you can access this information. Please review it carefully.

01About This Notice

This Notice describes the privacy practices of Mindful Journey Counseling LLC (“Practice,” “we,” “us,” or “our”), a mental health private practice located in Columbia, South Carolina, owned and operated by Rosalyn Smith, LISW-CP. It applies to all of our services, including in-person sessions, telehealth sessions, and any interactions through our website, mindfuljcounseling.org.

We are required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and applicable state laws to:

• Maintain the privacy and security of your protected health information (PHI);
• Provide you with this Notice describing our legal duties and privacy practices regarding PHI;
• Notify you in the event of a breach of unsecured PHI;
• Follow the terms of the Notice currently in effect.

“Protected Health Information” (or PHI) is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health condition, the provision of care, or the payment for care.

02Information We Collect

In the course of providing care and operating our website, we may collect the following categories of information:

Clinical & Health Information (PHI)

• Name, date of birth, address, phone number, email address;
• Demographic information (gender, race/ethnicity, marital status);
• Insurance information, if applicable;
• Emergency contact information;
• Mental and physical health history, symptoms, diagnoses, and treatment notes;
• Information you share during therapy sessions, intake forms, or assessments;
• Records of services provided, including dates, types of sessions, and progress notes;
• Psychotherapy notes (kept separately and given heightened protection under HIPAA).

Website & Inquiry Information

• Contact form submissions (name, email, phone, message);
• Consultation requests and intake form submissions;
• Communication preferences;
• Technical information such as IP address, browser type, device, and pages visited (see Cookies & Tracking below).

03How We Use & Disclose PHI

We may use and disclose your PHI without your written authorization for the following purposes:

For Treatment

To provide, coordinate, and manage your mental health care, including consultation with other healthcare providers involved in your treatment. For example, we may share information with your primary care physician with your consent.

For Payment

To bill and receive payment for services. This may include sharing information with your insurance company (if applicable), processing payments, or coordinating with billing services.

For Health Care Operations

For quality improvement, training, accreditation, licensing, credentialing, internal audits, business planning, and other administrative functions necessary to operate the practice.

Other Permitted Uses Without Authorization

The law permits or requires us to disclose your PHI without your authorization in these limited situations:

• Required by law: When disclosure is required by federal, state, or local law;
• Public health activities: To report disease, injury, or vital events to public health authorities;
• Abuse, neglect, or domestic violence: Mandated reporting of suspected child abuse or neglect, elder abuse, or vulnerable adult abuse;
• Health oversight: To health oversight agencies for activities authorized by law (audits, investigations, inspections);
• Judicial & administrative proceedings: In response to a court order, subpoena, or other lawful process, subject to applicable confidentiality protections;
• Law enforcement: For limited law enforcement purposes as permitted by law;
• Coroners, medical examiners, funeral directors: As necessary to perform their duties;
• Serious threat to health or safety: When necessary to prevent or lessen a serious and imminent threat to the health or safety of you or others (per the “duty to warn”);
• Workers' compensation: As authorized by and to the extent necessary to comply with workers' compensation laws;
• Military, national security, & specialized government functions: As required by law;
• Inmates: If you are an inmate, to the correctional institution as needed for your care.

04Uses & Disclosures Requiring Your Authorization

Most uses and disclosures of your PHI that are not described above will be made only with your written authorization. This always includes:

• Psychotherapy notes: Notes recorded by your therapist documenting or analyzing the contents of conversation during a private session, kept separate from the rest of your medical record;
• Marketing communications that involve any payment from a third party;
• Sale of PHI (which we do not engage in).

You may revoke any authorization in writing at any time, except to the extent we have already acted in reliance on it.

05Your Rights Under HIPAA

You have the following rights regarding the PHI we maintain about you:

To exercise any of these rights, please contact our Privacy Officer using the information in the Contact section below.

06Our Duties

We are required by law to:

• Maintain the privacy of your PHI;
• Provide you with this Notice of our legal duties and privacy practices;
• Abide by the terms of the Notice currently in effect;
• Notify you if we are unable to agree to a requested restriction;
• Accommodate reasonable requests to communicate with you by alternative means or at alternative locations;
• Notify affected individuals of a breach of unsecured PHI.

07Website Privacy Practices

This section describes how we handle information collected through our website, mindfuljcounseling.org, separate from the clinical context.

Information You Provide

When you complete a contact form, request a consultation, or send us a message, we collect the information you provide (typically name, email, phone, and a brief message). We use this information solely to respond to your inquiry and, if you become a client, to establish a treatment relationship.

Information Collected Automatically

When you visit the site, we and our service providers automatically collect certain information using cookies and similar technologies, including IP address, browser type, device type, pages visited, referring website, and dates and times of visits.

08Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate our website, understand how visitors interact with it, and improve user experience. The categories include:

• Strictly necessary cookies required for the site to function;
• Analytics cookies to understand visitor behavior in aggregate (e.g., which pages are most viewed);
• Marketing & attribution cookies to measure the effectiveness of our outreach, including a first-party tracking script that records anonymous page activity and associates it with a contact record only after a form is submitted.

You can control cookies through your browser settings. Disabling cookies may limit some features of the site. We do not use cookies to collect PHI.

09Third-Party Service Providers

We use carefully selected service providers to support our practice. When these providers handle PHI on our behalf, we enter into a HIPAA Business Associate Agreement (BAA) requiring them to safeguard PHI consistent with HIPAA standards. Categories include:

• Electronic health record (EHR) and practice-management platforms;
• Secure telehealth video platforms;
• Secure client portal and intake-form providers;
• Payment processors and billing services;
• Website hosting and CRM platforms;
• Email and secure messaging providers.

We do not sell, rent, or trade your information to third parties for their marketing purposes.

10Telehealth Privacy

We provide telehealth services in South Carolina, North Carolina, Georgia, and Texas. All telehealth sessions are conducted using a HIPAA-compliant video platform with a signed BAA.

To protect your privacy during telehealth, we recommend that you:

• Participate from a private, quiet space where you cannot be overheard;
• Use a secure, private internet connection rather than public Wi-Fi;
• Use headphones to prevent others from hearing the session audio;
• Confirm that household members or others nearby will not enter the room.

We will inform you at the start of each session if anyone else is present on our end. You should do the same on yours.

11Data Security

We implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of your PHI in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include:

• Encryption of electronic PHI at rest and in transit where feasible;
• Access controls limiting PHI access to authorized personnel only;
• Secure storage of paper records in locked locations;
• Regular review of system activity and security practices;
• Workforce training on confidentiality and privacy;
• Business Associate Agreements with all qualifying vendors.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to maintain reasonable and appropriate safeguards.

12Children's Privacy

Our services are intended for adults (18 and older). Our website is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the website. If we learn we have inadvertently collected such information, we will delete it promptly. If you believe we have collected information from a child under 13, please contact us.

13State-Specific Rights

Where state law provides protections greater than HIPAA, we follow the stricter standard. South Carolina law contains additional protections for mental health records, substance use treatment information, and HIV-related information; we follow those laws where they apply.

Residents of certain states may have additional rights under state privacy laws (such as the right to know, delete, or correct certain personal information, or to opt out of certain processing). To exercise any such rights, please contact us using the information below.

14Breach Notification

In the unlikely event of a breach of unsecured PHI, we will provide notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery, in accordance with 45 CFR §§ 164.400–414. Notice will include a description of the incident, the types of information involved, steps you can take to protect yourself, and what we are doing to mitigate harm and prevent recurrence.

15Changes to This Notice

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you as well as any information we receive in the future. The current Notice will be posted on our website, and a copy will be available at our office. Material changes will be communicated as required by law. The effective date at the top of this Notice will always indicate the current version.

16Complaints

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer (below). You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services:

• Online: www.hhs.gov/ocr/complaints
• By mail: Office for Civil Rights, U.S. Dept. of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building, Washington, D.C. 20201
• By phone: 1-877-696-6775

We will not retaliate against you for filing a complaint.

17Contact & Privacy Officer

For questions about this Notice, to request access to your records, or to file a privacy complaint, please contact our Privacy Officer: