Privacy Policy

At NorthWork Counseling, we are committed to protecting your privacy and the confidentiality of your personal health information. This Privacy Policy describes how we collect, use, disclose, and protect client data for our online mental health services in Kansas and Illinois, in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws. It also serves as our HIPAA Notice of Privacy Practices, which we provide to you as required by law as a covered health care provider. Please read this policy carefully to understand how we handle your information and your rights regarding your data.

HIPAA Notice of Privacy Practices

Our Legal Duties: We are required by law to maintain the privacy of your protected health information (“PHI”), to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice. We may update this Privacy Policy and Notice in the future, and any changes will apply to all information we maintain. The most current Notice will be available on our website and by request.

How We Use and Disclose Your Health Information: Under HIPAA, we may use or disclose your health information for certain key purposes without your written authorization, as described below:

  • Treatment: We use and share your information as needed to provide and coordinate your mental health care. For example, your therapist may consult with or refer you to another health care provider (such as a psychiatrist or primary care physician) regarding your condition, and may share relevant information with them to facilitate your treatment.
  • Payment: We use and disclose your information to obtain payment for services we provide. This includes billing you or your insurance company for therapy sessions, verifying coverage, and handling claims. For instance, we will share necessary details (such as diagnoses and treatment dates) with your health insurance plan so they will pay for your care. We may also use your information to bill or collect payment from you or third-party payers (e.g. for co-pays or deductibles) as needed for reimbursement.
  • Health Care Operations: We use and disclose your information for our internal operations to ensure our practice is running properly and to maintain quality care. This can include activities like quality improvement, training and supervision of staff, customer service, record-keeping, audits, compliance monitoring, and other business management activities. These uses of information are necessary for our practice to support the services we provide.

Other Uses and Disclosures Permitted or Required by Law: We may (and sometimes must) share your information in additional circumstances without your authorization when allowed by HIPAA and other laws. For example, such circumstances include:

  • Required by Law: We will disclose information about you if required to do so by federal, Illinois, or Kansas law. For instance, if a court order, warrant, or other legal process compels us to release records, we must comply (after taking steps to verify the request’s validity and seeking protective measures when applicable).
  • Public Health and Safety: We may disclose necessary information to public health authorities or government agencies for public health activities. For example, we may report suspected child abuse, elder abuse, or dependent adult abuse as mandated by law. We may also share information if needed to prevent a serious and imminent threat to your health or safety or that of another person or the public.
  • Health Oversight: We may provide information to health oversight agencies for lawful oversight activities such as audits, inspections, licensure, or investigations (for example, if a state board is investigating a provider, or if HHS is auditing our HIPAA compliance).
  • Judicial and Administrative Proceedings: If you are involved in a lawsuit or legal dispute, we might have to disclose health information in response to a valid court or administrative order, or in response to a subpoena or discovery request. We will only do so after efforts to notify you or to secure an order protecting the confidentiality of the information have been made, as applicable.
  • Law Enforcement: In certain circumstances, we may share information with law enforcement officials. Examples include reporting a crime on our premises or responding to lawful requests for limited information for identification/location purposes or about a victim of a crime (in limited cases), or as required by law in reporting wounds or injuries.
  • Coroners, Medical Examiners, and Research: We may disclose information to a coroner or medical examiner as needed (for example, to determine a cause of death). Your information could also be used for approved research purposes in accordance with privacy law requirements (e.g., if an Institutional Review Board has waived authorization because your data will be used in a limited, privacy-protected manner).
  • Specialized Government Functions: If applicable, we may release information for national security or military purposes, or in law enforcement custodial situations (for example, if you are an inmate or otherwise in custody and the information is needed for your care, your safety, or the safety of others in the correctional facility).
  • Workers’ Compensation: We can disclose health information as authorized to comply with workers’ compensation laws or similar programs providing benefits for work-related injuries or illness.

Uses and Disclosures Requiring Your Authorization: For any purpose not described above, we will not use or disclose your health information without your written Authorization. Specifically, the following uses and disclosures require your explicit permission (or are not performed by our practice):

  • Psychotherapy Notes: If we maintain separate psychotherapy notes (detailed notes from counseling sessions kept apart from the medical record), those notes will only be used or disclosed with your written authorization, except in very limited situations allowed by law (such as for our own training or defense in a legal proceeding you initiate, or for oversight of the therapist).
  • Marketing: We will not use or disclose your PHI for marketing purposes without your authorization. We do not sell or rent your information to any third-party marketer. You will not receive marketing communications from us about third-party products or services unless you have explicitly consented to such communications. (Even in such cases, you have the right to opt out at any time.)
  • Sale of Health Information: We will never sell your health information. HIPAA prohibits the sale of PHI without your authorization, and we do not engage in such practices.
  • Other Uses: Any other use or sharing of your information outside of treatment, payment, healthcare operations, or the specific exceptions noted above will only be done with your written authorization. For example, if you want us to send information to a life insurance company or to an attorney for purposes outside the ones allowed by law, we will obtain your permission first. You have the right to revoke (take back) any authorization you give, at any time, in writing. If you revoke an authorization, we will stop using or disclosing your information for that purpose, except to the extent we have already acted based on the authorization.

Disclosures to Family or Others Involved in Your Care: With your permission, we may share relevant information with your family members, close friends, or other persons you identify who are involved in your care or payment for your care. For example, if you ask us to keep a spouse or parent informed about your treatment or billing, we will do so. If you are unable to agree or object (for instance, due to an emergency), we may share information as necessary and appropriate in our professional judgment, but only that which is directly relevant to their involvement in your care, and we will inform you after the fact if possible. You have the right to object to or place restrictions on these disclosures (see “Your Rights” below).

Compliance with State Privacy Laws: We adhere to state laws that provide additional protections for mental health information. Both Illinois and Kansas have laws that are more protective of mental health records, and we will comply with the most stringent law applicable. In Illinois, the Mental Health and Developmental Disabilities Confidentiality Act provides heightened privacy protections for mental health service records, strictly prohibiting disclosure of such records except with your consent or in very limited circumstances allowed by law. In Kansas, mental health records are considered privileged and generally cannot be disclosed without the patient’s (or authorized representative’s) written consent, except under specific conditions mandated by law. This means that, in practice, we will obtain your written consent before releasing your therapy records to anyone outside this practice, unless an exception under HIPAA and applicable state law applies (such as a court order or a duty to warn or report abuse). If an applicable state law imposes a stricter requirement or limit on disclosure than HIPAA, we will follow the stricter state law to protect your privacy.

Your Rights Regarding Your Health Information

As a client of our practice, you have the following rights with respect to the health information we maintain about you (these rights are governed by HIPAA, and additional state-law rights may also apply):

  • Right to Access and Obtain a Copy: You have the right to see and get a copy of your health records, including medical and billing records, that we use to make decisions about your care. This includes the right to receive an electronic copy, if available. You may request access in writing. We will provide a copy or summary of your records, usually within 30 days of your request, and we may charge a reasonable, cost-based fee as allowed by law for copies. Note: Psychotherapy notes (if any) are treated specially and are not included in records we will release to you; however, you may request that these notes be sent to another mental health professional of your choice. In rare cases, if we believe that providing you direct access to certain information would likely endanger you or someone else, we may limit or deny your request for that portion, but we will inform you of the reason and of your right to have that decision reviewed.
  • Right to Request Amendment: If you believe that any information in your record is incorrect or incomplete, you have the right to ask us to correct or update your records. Your request must be in writing and provide a reason for the amendment. We may say “no” to your request if we determine the record is accurate and complete or if the information was not created by us (and the originator remains available). If we deny the amendment, we will provide you a written explanation. You have the right to submit a statement of disagreement that will be included with your records if we maintain them.
  • Right to an Accounting of Disclosures: You have the right to request a list (an “accounting”) of certain disclosures of your health information that we have made outside of treatment, payment, or health care operations. This accounting will not include disclosures you authorized or those made for routine purposes (like those mentioned above), but would include, for example, a disclosure made due to a legal requirement or public health reporting. You can request an accounting for up to the past six (6) years. If you request this list more than once in a 12-month period, we may charge a reasonable fee for additional requests.
  • Right to Request Restrictions: You have the right to ask us not to use or share certain health information for treatment, payment, or operations. We are not required to agree to most requested restrictions, and in some cases we may respectfully deny a request if it would impede your care or violate law. However, one important exception: if you pay for a service in full out-of-pocket, you can request that we do not disclose information about that specific service to your health insurer for payment or health care operations purposes, and we must comply with that request (as long as we have received payment in full for that service).
  • Right to Request Confidential Communications: You have the right to request that we contact you in a certain way or at a certain location to preserve your privacy. For example, you may request that we call you at a specific phone number, or send mail to a particular address (such as your work address rather than home). We will accommodate all reasonable requests. You do not need to give a reason for this request; just let us know your preferences for communication, and we will follow them to the extent possible.
  • Right to a Copy of This Notice: You have the right to a paper copy of this Privacy Policy and Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. You may download it from our website or request that we mail or email you a copy. This Notice is also available at our office (if applicable) and on our website for your review.

Right to File a Complaint: If you believe your privacy rights have been violated, you have the right to file a complaint. You can file a complaint directly with us by contacting our office (see Contact Information below). You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). We will provide you the contact information for OCR upon request, or you can find it on the HHS.gov website. We will not retaliate against you or penalize you for filing a complaint with us or with the government. Your trust is important to us, and we take all privacy concerns seriously.

Collection and Use of Data in Our Online Practice

In addition to the above protections for your health records, we want to be transparent about how we collect and handle data through our website and online services. This section describes the types of information we collect from website visitors and clients, including use of third-party tools and our electronic systems.

Information You Provide: When you use our website or online services, you may provide personal information through forms or communications. For example, if you fill out a contact form or request an appointment on our site, we typically ask for information such as your name, email address, phone number, and a message regarding your inquiry or needs. We use this information solely to respond to you and provide our services (for instance, to contact you to schedule an appointment or to discuss our therapy services). Please do not include detailed sensitive information about your mental health history or medical conditions in general website forms. After we receive your inquiry, we will provide a secure method (such as our client portal or phone consultation) for you to share more detailed health information as needed. Any personal health information you do submit through our website (e.g. describing your symptoms or reason for seeking therapy) will be handled as confidential PHI and treated with the same privacy protections described in this Policy and Notice.

Automatic Data Collection (Cookies and Analytics): When you visit our website, certain information about your device and browsing actions may be collected automatically through cookies or similar technologies. This may include data such as your IP address, browser type, pages visited, and referring website. We use third-party analytics tools (for example, Google Analytics) and SEO tools to understand how users find and use our site, which helps us improve our website and services. These tools may set cookies in your browser. Importantly, we do not collect or transmit any personal health information through these analytics or marketing tools in a way that would identify you as an individual patient. The data gathered is generally aggregated and does not include your name, contact information, or specific health details. We configure our use of such tools in accordance with HIPAA guidance to avoid capturing sensitive information. For instance, we do not use tracking on any secure patient forms or on pages where you might enter health details, and we do not allow analytics providers to access any information you submit in our secure client portal. Our use of cookies is limited to improving site functionality and measuring traffic; we do not use cookies for advertising based on sensitive health topics. You can set your browser to refuse cookies if you prefer, though some site features might not function optimally as a result.

Third-Party Website Features: Our website may include links to our social media pages or other external sites (for example, a link to our psychology profile or professional listings). Clicking those links may allow third parties to collect data via their own cookies or trackers. Those third-party sites are not governed by this Privacy Policy, and we encourage you to review the privacy policies of any site you visit. However, we do not share your personal information with those third-party sites; the links are simply for your convenience or reference. If we use any embedded third-party widgets (for example, scheduling widgets, maps, or videos), we will do so in compliance with privacy requirements and will inform you as needed.

Online Advertising: We currently do not use targeted advertising such as Google Ads or Facebook Ads that track individual users on our site. If we ever engage in any online advertising or retargeting, we will do so in a HIPAA-compliant manner. For example, we would ensure that no PHI is used for ad targeting, and we would update this policy to reflect such practices and obtain any required consents. As of the effective date of this Policy, any data collected for website analytics is used internally and not shared for third-party advertising purposes.

Third-Party Service Providers and Data Security

To provide you with high-quality, secure care, we utilize certain third-party service providers and technology platforms. We ensure that all such providers are compliant with privacy and security standards and, where required, we have formal agreements in place to protect your information (for example, Business Associate Agreements under HIPAA). Below are key third-party tools we use and how your data is handled with each:

  • Electronic Health Records (SimplePractice): We manage our client records, scheduling, billing, and documentation through a secure electronic health record (EHR) system called SimplePractice. SimplePractice is a HIPAA-compliant practice management platform that is widely used by mental health professionals. We have a Business Associate Agreement (BAA) with SimplePractice, which means they are contractually obligated to safeguard your PHI in accordance with HIPAA regulations. All information you share with us in the course of treatment – including your contact information, intake forms, assessment data, session notes, and insurance details – is stored in SimplePractice’s secure servers. SimplePractice employs robust security measures (including encryption and HITRUST certification) to protect health data. Your data in the EHR is accessible only to authorized members of our practice who need it for treatment, scheduling, billing, or administrative purposes. We do not store your clinical records on unsecured devices or servers – it’s all in this protected system. Using SimplePractice also enables us to offer you a secure client portal for tasks like completing intake paperwork, messaging your therapist, or attending telehealth sessions via video. The SimplePractice portal is encrypted and meets HIPAA security standards, so you can feel confident that communications and records in the portal remain private.
  • Payment Processing: If you pay for services out-of-pocket (for example, private pay therapy sessions or co-payments), we utilize secure third-party payment processing to handle your credit card and payment information. Specifically, SimplePractice partners with Stripe as its integrated payment processor. Stripe is a reputable payment platform that is PCI-DSS Level 1 compliant (the highest level of payment data security in the industry). This means your card information is processed in a highly secure manner. We do not store your credit/debit card numbers on our own systems. When you enter payment details through our client portal, that information is transmitted securely to Stripe and tokenized – we can then charge your card via that token, but we never see your full card number. Any saved payment methods are stored by Stripe/SimplePractice in compliance with PCI and HIPAA requirements. By using these trusted payment services, we ensure that your financial data is protected. If you have any questions about payment security, please let us know.
  • Insurance Claims: If you are using health insurance benefits for therapy, we will have to share certain information with your insurance company (or their third-party administrators) in order to process claims and get paid. This typically includes diagnoses, treatment codes (types of service), dates of service, and your personal details like name, date of birth, and insurance member ID. We submit this information electronically through secure, HIPAA-compliant channels – often directly via our EHR system or a clearinghouse – to your insurer. Insurance companies are also obligated by law to keep your information confidential and use it only for payment purposes or as otherwise allowed by law. We do not share psychotherapy session notes or detailed therapy content with your insurance company; we only disclose the minimum necessary information required for billing (e.g., a diagnosis and procedural code). All insurance-related data is stored in our secure EHR as part of your record.
  • Communication Tools: To communicate with you, we may use various tools: for example, phone, secure messaging through the client portal, or email/text for scheduling reminders. Appointment Reminders: By providing us your contact information, you consent to allow us to contact you with appointment confirmations or reminders. We may send these via SimplePractice’s system (which can deliver email or text reminders) or manually by phone/email. Any emails or texts you receive from us will typically contain minimal information (primarily appointment date/time or a prompt to log into the secure portal) to protect your privacy. If you respond or initiate communication via email or text and it contains sensitive information, please be aware that regular email and SMS are not fully secure. We encourage you to use our secure client portal messaging for any clinical or sensitive communication. If you do choose to communicate with us via unencrypted email or text, you acknowledge and accept the risks. We will always take steps to protect your confidentiality in any case.
  • Analytics and SEO Tools: As noted above, we use analytics services (like Google Analytics) to improve our website. These service providers might technically receive certain information about your device or browsing when you visit our site (via cookies or tracking pixels). However, we have configured our use of these tools to avoid collecting any personal identifiers or health information. We do not send information like your name, contact info, or specific health data to analytics providers. Additionally, any online advertising or SEO services we use are handled in a manner that does not compromise your privacy or violate HIPAA. We do not allow third-party ad trackers on pages where you enter personal health information.

We limit all third-party access to the minimum necessary information needed for them to perform their function. Each of our vendors has been evaluated for strong security practices. For example, as noted, SimplePractice and Stripe both undergo independent security assessments and comply with industry standards for data protection. We will never share your information with third parties for purposes not outlined in this Policy without your consent.

Data Security Measures: We employ administrative, physical, and technical safeguards to protect your information. Electronically, our systems use encryption in transit (e.g., SSL/TLS for our website and portal) and encryption at rest for stored records. We use secure passwords and access controls to ensure only authorized staff can access your records. Our computers and devices are kept up-to-date with security patches and protected by firewalls and antivirus software. We train our staff on privacy and security best practices, and we conduct periodic risk assessments to identify and address potential vulnerabilities. In the event of any security incident or data breach that affects your PHI, we will notify you and the authorities as required by law (for example, HIPAA’s Breach Notification Rule and applicable state data breach laws). We strive to exceed the minimum standards to keep your data safe and will continue to update our security protocols as technology and best practices evolve.

Contact Information and Effective Date

Effective Date: This Privacy Policy and Notice is effective as of March 19, 2025. It will remain in effect until superseded by a new revision. We reserve the right to change the terms of this Policy as needed. In case of any significant changes, the updated policy will be posted on our website and provided to current clients as required.

Contact Us: If you have any questions about this Privacy Policy or our privacy practices, if you need more information, or if you want to exercise any of your rights, please contact our Privacy Officer:

NorthWork Counseling
Attn: Privacy Officer
Email: [email protected]
Phone: (618) 582-3021
Address: 111 W Jackson Blvd Ste 1700, Chicago, IL, 60604

You may also discuss any concerns with your therapist directly, who can assist you or direct you to the appropriate person. We are committed to protecting your privacy and upholding your rights. If you have a concern about how your information is handled, we encourage you to reach out so we can address it promptly. Your trust in us as your healthcare provider is extremely important, and we want you to feel secure in the knowledge that your personal health information remains confidential.

Acknowledgment of Notice: You will be asked to acknowledge that you have received or been offered this Privacy Policy/Notice of Privacy Practices (for example, by electronic acceptance or in writing). This acknowledgment does not indicate that you have read the entire document or agree with any specific terms; it merely documents that we have provided you with this important information about how we protect your privacy, as required by law. Regardless of whether you sign an acknowledgment, we will provide services and will continue to protect your health information as described herein.

Thank you for taking the time to review our Privacy Policy. We are dedicated to safeguarding your information while providing you with excellent online mental health care in Kansas and Illinois. If you have any questions or feedback about this policy, please do not hesitate to contact us.