HIPAA Notice of Privacy Practices

Please review this notice carefully.

This Notice describes how medical information about you may be used and disclosed, how you may access this information, and what rights you have regarding your protected health information.

Samata Health respects the privacy of people seeking mental health care. We handle health information with care, clarity, and security.

This Notice applies to protected health information, also called PHI, that Samata Health creates, receives, maintains, or transmits when providing services covered by the Health Insurance Portability and Accountability Act of 1996 and related regulations, known as HIPAA.

This Notice may apply to Samata Health and, where applicable, affiliated professional entities, licensed providers, or clinical services supported through the Samata Health platform. If you receive care from an independent therapist or provider, that provider may also have their own Notice of Privacy Practices.

This Notice applies to individuals who use Samata Health to access mental health care, including:

This Notice also describes how Samata Health may work with employers, therapists, technology vendors, payment processors, and operational partners while protecting your privacy.

Samata Health provides a secure digital platform that helps people access licensed therapists and mental health support. The platform may support intake, therapist matching, scheduling, secure messaging, session management, employer-sponsored coverage, billing, reporting, and related services.

Samata Health may act in different privacy roles depending on the service:

The specific role may affect how HIPAA applies. Samata Health will follow applicable privacy and security obligations in each context.

Protected health information may include information that identifies you and relates to your health, care, payment, or eligibility for services.

Examples may include:

Some information may have additional protections under federal or state law, including certain substance use disorder records, psychotherapy notes, reproductive health care information, or information relating to minors.

Samata Health may use and disclose PHI for treatment, payment, and health care operations, as permitted by HIPAA.

We may use and disclose your PHI to support care and coordinate services.

This may include:

Therapists are responsible for clinical judgment, diagnosis, treatment, and care decisions within their professional relationship with you.

We may use and disclose your PHI to support payment and billing.

This may include:

For employer-sponsored coverage, Samata Health may share limited information necessary for payment, eligibility, and benefit administration. Clinical session details remain protected.

We may use and disclose PHI to operate, improve, secure, and support Samata Health.

This may include:

We may use de-identified or aggregated information for research, analytics, product improvement, reporting, or educational purposes where permitted by law.

If you use Samata Health through an employer-sponsored benefit, your employer may receive aggregated, de-identified, or anonymized reporting.

Employer reports may include:

Employer reports do not include:

Samata Health designs employer reporting to help organizations understand benefit use while protecting individual privacy.

Samata Health may contact you about account, care, scheduling, billing, security, support, or platform-related matters.

Communications may occur by:

Some communications may include sensitive information. You may request confidential communications as described in the “Your Rights” section below.

Marketing communications may be sent where permitted by law. You may unsubscribe from marketing emails using the unsubscribe link in those emails.

HIPAA allows or requires certain uses and disclosures of PHI without written authorization.

Samata Health may use or disclose your PHI when permitted or required for:

We may disclose information for certain public health activities, including reporting disease, injury, abuse, neglect, domestic violence, adverse events, or serious threats to health or safety.

We may disclose information when federal, state, or local law requires it.

We may disclose information to health oversight agencies for audits, investigations, inspections, licensing, or compliance reviews.

We may disclose information in response to a court order, administrative order, subpoena, discovery request, or lawful process when applicable legal requirements are met.

We may disclose information for certain law enforcement purposes as permitted by law.

We may disclose information to help prevent or reduce a serious and imminent threat to your health, your safety, or the health or safety of another person.

We may disclose information as authorized by workers’ compensation or similar laws.

We may disclose information when needed for legally authorized duties.

We may disclose information for certain specialized government functions, including military, national security, protective services, or correctional institution purposes, where applicable.

We may use or disclose PHI for research when permitted by HIPAA, with appropriate authorization, review, waiver, or privacy safeguards.

Samata Health will request your written authorization before using or disclosing PHI for certain purposes.

These may include:

You may revoke an authorization in writing at any time. Revocation applies going forward. It does not affect actions already taken based on your authorization.

Psychotherapy notes receive special protection under HIPAA. These are notes recorded by a mental health professional documenting or analyzing the contents of a private counseling session and kept separate from the medical record.

Samata Health will obtain your written authorization before using or disclosing psychotherapy notes, except where HIPAA permits limited uses, such as certain treatment, training, defense, oversight, legal, or safety purposes.

Therapists may maintain their own records under their own professional and legal obligations.

Certain substance use disorder treatment records may receive additional protection under 42 CFR Part 2, where applicable. HHS and SAMHSA finalized updates to Part 2 rules to better align certain confidentiality requirements with HIPAA. Where Part 2 applies, Samata Health will handle covered substance use disorder records according to those additional protections. In general, Part 2 may require written consent before certain disclosures of substance use disorder records, with limited exceptions such as medical emergencies, audits, evaluations, research, public health, or court orders that meet specific requirements.

If you authorize use or disclosure of Part 2 information, you may revoke that consent in writing, except where action has already been taken based on the consent.

Where applicable law requires, Samata Health will follow special protections for PHI potentially related to reproductive health care.

For certain requests involving health oversight, judicial or administrative proceedings, law enforcement, or certain death investigations, regulated entities may need to obtain a signed attestation that the requested use or disclosure is permitted and is not for a prohibited purpose. HHS describes these attestation requirements in its reproductive health care privacy guidance. Samata Health will follow applicable federal and state requirements for reproductive health care privacy.

Samata Health may create and use information that has been de-identified or aggregated in accordance with applicable law.

This information may be used to:

De-identified and aggregated information does not identify you.

You have rights regarding your PHI. Some rights may be subject to legal limitations, verification, professional obligations, or record retention requirements.

You may request access to inspect or receive a copy of your health information.

We will respond within the timeframe required by law. We may charge a reasonable, cost-based fee where permitted.

You may request that we correct health information you believe is inaccurate or incomplete.

We may deny the request in certain circumstances. We will explain the reason in writing where required.

You may ask us to contact you in a specific way or at a specific location.

We will accommodate reasonable requests.

You may ask us to limit how we use or disclose certain health information.

We will review your request. HIPAA does not require us to agree to every restriction, though certain restrictions may apply where required by law.

You may request a list of certain disclosures of your PHI made during a legally defined period.

This accounting may exclude disclosures for treatment, payment, health care operations, and other disclosures excluded by law.

You may request a paper or electronic copy of this Notice at any time.

You may designate another person to act on your behalf if permitted by law.

We may require documentation before recognizing that person as your personal representative.

You may file a complaint if you believe your privacy rights have been violated.

You may contact Samata Health using the information at the end of this Notice. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

Samata Health will not retaliate against you for filing a complaint.

Samata Health is required by law to:

HIPAA requires covered entities to maintain privacy of PHI, provide a notice of legal duties and privacy practices, and notify affected individuals following certain breaches.

Samata Health uses administrative, technical, and physical safeguards designed to protect PHI.

Safeguards may include:

No digital system can guarantee perfect security. Samata Health maintains safeguards designed to reduce risk and protect sensitive information.

Samata Health services are generally intended for adults. Where services are available to minors, access, consent, confidentiality, and parental or guardian rights may vary based on state law, service type, and clinical context.

If a parent, guardian, or personal representative has legal authority to access a minor’s information, Samata Health will follow applicable law. Certain information may remain confidential from a parent or guardian where state or federal law allows or requires confidentiality.

Therapists available through Samata Health may be independent licensed professionals or part of separate professional practices. Therapists may maintain clinical records, treatment notes, informed consent forms, privacy notices, and professional obligations separate from Samata Health. If a therapist’s privacy practices apply to your care, the therapist or practice may provide a separate Notice of Privacy Practices.

This Notice focuses on PHI and HIPAA-related privacy practices.

Samata Health’s Privacy Policy may describe additional privacy practices relating to website activity, marketing, cookies, analytics, non-health personal information, and other platform data. Where HIPAA applies to PHI, this Notice governs Samata Health’s use and disclosure of PHI.

Samata Health may update this Notice from time to time.

We may apply changes to PHI we already maintain, as well as PHI received after the updated Notice takes effect, where permitted by law. The current version will be posted on Samata Health’s website or made available through the platform.

For questions about this Notice, privacy rights, complaints, or requests involving your PHI, contact:

Samata Health Privacy Office Email: privacy@samatahealth.com Phone: (US)(779) 204-1885 Mailing Address: Samata Health Inc., 2501 Chatham Rd Suite N, Springfield, IL 62704, United States

You may also contact the U.S. Department of Health and Human Services Office for Civil Rights to file a complaint.