
Privacy Policy

1. IMPORTANT LEGAL DISCLAIMER

This Privacy Policy has been carefully prepared to reflect both United States healthcare privacy law (HIPAA) and European Union data protection law (GDPR). However, privacy laws are complex and subject to interpretation. We recommend that you consult with your own legal counsel to understand how these laws apply to your specific situation.


Dr. Deb Berman and her practice team (collectively, "the Practice"):

  • Use this Privacy Policy as a foundation document

  • Recommend consultation with legal counsel in both the US and EU for ongoing compliance

  • Will update this policy as laws and regulations change

2. PRIVACY POLICY: THE BASICS

This Privacy Policy describes how Dr. Deb Berman's psychotherapy and coaching practice collects, uses, discloses, processes, and manages information about our clients and website visitors. Dr. Deb Berman is committed to protecting your privacy and maintaining the confidentiality of your personal health information and personal data in compliance with:


  • HIPAA (Health Insurance Portability and Accountability Act) for clients receiving psychotherapy services in New York

  • GDPR (General Data Protection Regulation) for EU residents and clients

  • Other applicable state, federal, and local privacy laws


This Privacy Policy applies to all clients (whether in psychotherapy or coaching), website visitors, and anyone who interacts with our practice.

3. WHAT INFORMATION WE COLLECT AND HOW

A. Information from Psychotherapy and Coaching Clients

Protected Health Information (PHI) and Personal Data:

  • Full name, date of birth, gender identity, and sexual orientation

  • Contact information (phone number, email address, mailing address)

  • Insurance information and billing details (for psychotherapy clients only)

  • Payment information (credit card, bank account details)

  • Medical and mental health history, including trauma, relationship dynamics, sexual orientation, and gender identity

  • Information about current and past relationships, family dynamics, and personal challenges

  • Spiritual beliefs, religious background, and faith journey information

  • Clinical notes from sessions, assessments, treatment plans, and progress documentation

B. Information from Website Visitors

  • Contact forms: name, email, message content, area of interest

  • Booking forms: appointment requests and scheduling information

  • Server logs: IP address, browser type, pages visited, time spent on site

  • Cookies and analytics: traffic patterns, user behavior, geographic location (with consent)

C. How We Collect Information

  • Directly from you: intake forms, consultation calls, email, online portals

  • Automatically: website analytics, session cookies, video conferencing platform metadata

  • From referral sources: with your consent, other healthcare providers or coaches may share relevant information

4. HOW WE USE YOUR INFORMATION

A. Treatment and Clinical Purposes (HIPAA)

  • Providing psychotherapy and coaching services

  • Diagnosing and treating mental health conditions (psychotherapy only)

  • Developing and implementing treatment plans

  • Communicating with you about appointments, progress, and recommendations

B. Billing and Payment

  • Processing and collecting payment for services

  • Submitting claims to insurance (for NY psychotherapy clients, with your authorization)

  • Managing accounts receivable and financial records

C. Legal and Administrative Compliance

  • Maintaining accurate clinical and administrative records as required by law

  • Responding to legal requests, subpoenas, court orders, or government investigations

  • Reporting required information to regulatory bodies (licensing boards, etc.)

  • Protecting the health and safety of clients and others in emergency situations

D. Business Operations

  • Scheduling and appointment management

  • Quality assurance, supervision, and clinical review

  • Improvement of our services and client experience

  • Website maintenance, security, and analytics

E. Communication

  • Appointment reminders and scheduling communications

  • Educational emails and newsletters (only with your explicit opt-in consent)

  • Responding to inquiries and feedback

We will not use your information for marketing, advertising, or promotional purposes without your explicit written consent.

5. HOW WE SHARE YOUR INFORMATION

We take your privacy seriously and limit sharing of your information to circumstances required or permitted by law.

A. Authorized Uses and Disclosures

  • With your written consent or authorization

  • To other healthcare providers involved in your care (with your authorization)

  • To your health insurance provider for billing and claims (psychotherapy clients only, with authorization)

  • For clinical supervision and peer consultation (only with identifying information removed when possible)

  • When required or permitted by law

B. Legal and Safety Disclosures

  • To legal authorities: when required by law, subpoena, court order, or government investigation

  • To protect health and safety: when Dr. Deb believes disclosure is necessary to prevent or reduce substantial risk of harm to you or others

  • To report abuse or neglect: as mandated by New York State and applicable laws

  • Public health authorities: when legally required for disease reporting or public health investigations

C. Service Providers and Third Parties

  • Billing and payment processors: to process payments (these companies sign Business Associate Agreements per HIPAA)

  • Electronic health record (EHR) vendors: to securely store and manage your records

  • Video conferencing platforms: for secure session delivery (HIPAA-compliant platforms only)

  • Email and communication services: for secure messaging (encrypted or HIPAA-compliant services)

  • Business operations: accounting, legal, and IT support (all under confidentiality agreements)

All third-party service providers are required to maintain the confidentiality and security of your information and to use it only for the purposes for which it was disclosed.

D. What We Do NOT Do

  • We do NOT sell or rent your personal information or health records to third parties

  • We do NOT share information with marketing companies or data brokers

  • We do NOT use your information for purposes unrelated to your care without consent

  • We do NOT share information across international borders without appropriate legal safeguards

6. HOW WE PROTECT YOUR INFORMATION

We implement comprehensive administrative, physical, and technical safeguards to protect your information from unauthorized access, alteration, destruction, and disclosure.

A. Technical Safeguards

  • Encryption: All data in transit is encrypted using SSL/TLS protocols

  • Secure servers: Data at rest is stored on HIPAA-compliant, encrypted servers

  • Access controls: Multi-factor authentication and role-based access to sensitive systems

  • Regular updates: Security patches and software updates on all systems

  • Intrusion detection: Monitoring for unauthorized access attempts

B. Administrative Safeguards

  • Privacy policies: Clear policies and training for all staff handling sensitive information

  • Confidentiality agreements: All staff, contractors, and service providers sign confidentiality agreements

  • Background checks: Screening of individuals with access to sensitive information

  • Audit controls: Regular audits and monitoring of information access

  • Incident response: Documented procedures for responding to security breaches

C. Physical Safeguards

  • Restricted access: Physical offices and server areas are restricted to authorized personnel

  • Document storage: Paper records are stored securely in locked cabinets

  • Secure disposal: Confidential information is destroyed using shredding or certified data destruction services

  • Workstation security: Computers are password-protected and automatically lock after periods of inactivity

While we strive to protect your information, no security system is completely impenetrable. We cannot guarantee absolute security of all data.

7. HOW LONG WE KEEP YOUR INFORMATION

We retain your information for as long as necessary to provide services and comply with legal obligations.

A. Clinical Records (Psychotherapy)

  • Active clients: Clinical notes and treatment records are maintained throughout the course of treatment

  • Closed cases: Records are retained for a minimum of 7 years after the last date of service (per New York licensing requirements)

  • Extended retention: Records may be maintained beyond 7 years if required by law, for legal holds, or at your request

B. Coaching Records

  • Active coaching clients: Session notes and records are maintained throughout the coaching relationship

  • Completed coaching: Records are retained for a minimum of 5 years after completion of the coaching package

  • Billing records: Maintained for 7 years for accounting and tax purposes

C. Website Visitor Information

  • Contact form submissions: Retained for 1 year unless you request deletion or subscribe to communications

  • Analytics data: Retained per platform settings (typically 26 months for Google Analytics)

  • Cookies: Expire based on cookie settings (session cookies expire when browser closes; persistent cookies expire per settings)

After the retention period, information is securely destroyed or anonymized.

8. YOUR RIGHTS AND CHOICES

You have important rights regarding your personal health information and personal data. These rights vary depending on your location and the type of service you receive.

A. HIPAA Rights (For US Psychotherapy Clients)

Right to Access (CFR 164.524): You have the right to inspect and receive a copy of your medical records. Requests must be submitted in writing. Copies will be provided within 30 days.

Right to Amendment (CFR 164.526): You may request correction of inaccurate or incomplete information. We will respond within 60 days.

Right to Accounting of Disclosures (CFR 164.528): You may request a list of disclosures of your health information. You are entitled to one free request per year.

Right to Confidential Communications (CFR 164.522): You may request communication about your care at an alternative address or phone number.

Right to Restrict Uses and Disclosures (CFR 164.522): You may request restrictions on how we use or disclose your health information.

Right to Revoke Authorization (CFR 164.508): You may revoke any authorization in writing at any time, except where we have already acted on it.

B. GDPR Rights (For EU Residents)

Right to Access (Article 15): You may request access to all personal data we hold about you within 30-60 days.

Right to Rectification (Article 16): You may request correction of inaccurate or incomplete data.

Right to Erasure (Article 17): You may request deletion of your data under certain circumstances within 30 days.

Right to Restrict Processing (Article 18): You may request that we limit processing of your data.

Right to Data Portability (Article 20): You may receive your data in a machine-readable format.

Right to Object (Article 21): You may object to processing based on legitimate interests or marketing.

Rights to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing.

Right to Lodge a Complaint (Article 77): You may file a complaint with your national Data Protection Authority.

C. How to Exercise Your Rights

To exercise any of these rights, submit a written request to: drdeb@drdebberman.com

Include your full name, date of birth, and a detailed description of your request.

9. INTERNATIONAL DATA TRANSFERS

Dr. Deb Berman operates from both New York, USA and Amsterdam, The Netherlands. EU clients' data may be transferred to the US in connection with coaching services. We rely on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to ensure adequate safeguards. US coaching clients' data may be transferred to the Netherlands with appropriate HIPAA Business Associate protections. You retain full GDPR rights regardless of where your data is processed.

10. LINKS TO THIRD-PARTY WEBSITES

Our website may contain links to external websites. This Privacy Policy applies only to our website and services. We are not responsible for external websites' privacy practices. Please review their privacy policies when you visit.

11. COOKIES AND ANALYTICS

Session cookies are automatically deleted when you close your browser. Persistent cookies are stored to remember preferences. You may disable cookies in browser settings. We use analytics tools to understand website usage. Analytics data is aggregated and not linked to clinical or personal health information.

12. DATA BREACH NOTIFICATION

If unauthorized access to personal health information occurs, we will notify affected individuals within 60 calendar days from discovery. Notification will include the type of data exposed, mitigation steps, and our response measures. We will also report breaches to relevant regulators as required by law.

13. CONTACT INFORMATION

To exercise your privacy rights, request information, or file a complaint:

Dr. Deb Berman, DMin, LCSW
Email: drdeb@drdebberman.com

HIPAA Complaints:
U.S. Department of Health and Human Services
Office for Civil Rights (OCR)
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-800-368-1019
Website: www.hhs.gov/ocr/privacy

GDPR Complaints:
If you are an EU resident, you may lodge a complaint with your national Data Protection Authority.

14. UPDATES TO THIS PRIVACY POLICY

We reserve the right to update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Significant changes affecting your privacy rights will be communicated via email or website notice before taking effect. Your continued use of our services indicates acceptance of the updated policy.

15. ACKNOWLEDGMENT

By using our website, initiating contact, or engaging in services with Dr. Deb Berman, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. For clients, you will be asked to sign a separate Notice of Privacy Practices and Consent to Treatment referencing this policy.
