Welcome to Play Heals Teletherapy, the private teletherapy practice owned and operated by me, Lucia Cortes, LCSW, in Pennsylvania. As a licensed clinical social worker and a sole practitioner, I understand the immense importance of privacy, confidentiality, and trust in the therapeutic relationship—values that remain at the core of my practice. This Privacy Policy outlines, in clear and accessible language, how I collect, use, protect, and share your information—online and during the course of care. My aim is to help you, as a client or parent, understand both your rights and my responsibilities under applicable federal and state laws, notably the Health Insurance Portability and Accountability Act (HIPAA), Pennsylvania telehealth statutes, and prevailing ethical guidelines for social work and mental health care.
Your privacy, autonomy, and family’s trust are not just legal concerns—they are foundational to my professional and ethical commitment. If you have any questions about anything described in this Policy, please reach out to me directly. I am here to help you feel informed, empowered, and secure throughout your journey with Play Heals Teletherapy.
I recognize that health information about you and your family is deeply personal. As your therapist, I am entrusted with sensitive data, perspectives, and stories that deserve careful stewardship. Here is my promise:
I will keep your Protected Health Information (PHI) confidential, except as described in this notice or as required or permitted by law.
I will inform you about your rights regarding your information.
I will be transparent about how your data is collected, used, stored, and shared, especially as it relates to telehealth technologies and third-party service providers.
I will update this Policy as needed and make any new version easily accessible. The current version will always be posted on my website and provided upon request.
To provide effective therapy and operate my teletherapy services, I collect and securely store certain personal and health-related information when you use my website, schedule an appointment, or participate in therapy.
Contact details: Name, address, phone number, email, and emergency contacts
Demographic information: Age, date of birth, gender, and family situation (if relevant)
Health and therapy information: Presenting concerns, mental health and medical history, prior treatments, medication, and insurance information (if/when applicable)
Forms and communications: Completed intake forms, consents, assessments, therapy notes, emails, and messages sent via the website or secure platforms
Website analytics: As with most websites, I (or third-party providers, such as Google Analytics) may collect technical details when you visit my site, including your IP address, browser type, the pages you visit, session duration, and device identifiers. These are used to improve site usability and security—not to identify you as an individual.
Cookies and similar technologies: My website may use cookies or similar tools to allow for secure logins, personalize your experience, or gather anonymized data for site performance.
Important: No information submitted via my public website (such as through general contact forms) should be considered fully secure. Please use approved, secure portals for submitting sensitive information.
To provide safe, ethical, and effective therapy
To meet legal, ethical, and insurance standards
To communicate with you about your care, appointments, and practice updates
To bill for services (if applicable), manage records, and comply with regulatory requirements
To improve my website, ensure security, and respond to inquiries
I keep your information to the minimum necessary for these purposes and always act in your best interest.
I will only use or disclose your PHI as allowed by law and as necessary for your care, payment, or health care operations, as outlined below. I will always ask for your explicit consent before using or sharing your information for purposes not described here.
Treatment: To assess your needs and provide therapy, I use your information to document progress and guide care. I may consult with other health professionals involved in your care—but only with your authorization, unless there is an emergency or it is required by law.
Payment: If your therapy is reimbursed by insurance or other payers, I may use your information to process payment, verify eligibility, or address questions from your insurance plan.
Health care operations: I may use limited information for administrative purposes, such as practice management, quality improvement, or to comply with audits. These uses are limited and strictly controlled.
To you and your personal representatives. You have the right to access, inspect, and obtain copies of your PHI.
For public health or legal requirements. In rare cases, I may be required to disclose your information when mandated by law, such as reporting suspected child abuse, preventing a serious threat to health or safety, or responding to court orders or subpoenas.
For therapist safety and security. If a situation arises where disclosure is necessary to protect you or someone else from imminent harm, I may share minimally necessary information with appropriate persons or authorities.
With your written authorization. Any other use or sharing not described in this notice will require your explicit written authorization.
For children under the age of majority, parents or guardians may have access to certain therapy records and information as allowed by Pennsylvania law and HIPAA. There are specific exceptions if the minor has consented to their own mental health care under Pennsylvania statutes, or if disclosure would jeopardize the minor’s safety or wellbeing.
I will explain these scenarios and your rights clearly at the start of care.
Psychotherapy notes: Special rules apply to “psychotherapy notes,” which are my private reflections recorded separately from your main medical record. In nearly all cases, I must have your written permission to share psychotherapy notes, even with other providers, unless required by law or in a rare emergency.
Marketing, research, or fundraising: I do not sell your information, use it for marketing, or participate in research without your explicit consent.
I understand that families, parents, and other loved ones often play vital roles in healing and support. I will always seek to include family members or others in your care only with your permission, or where authorized by law. For children and teens, I will explain when and how confidential information may (or may not) be shared with parents/legal guardians, following HIPAA, state law, and my professional ethical code.
If you wish to include family members, teachers, or other professionals in your therapy process, I will discuss the process for sharing information, obtain your written consent, and ensure everyone understands the boundaries and limits of confidentiality.
In certain very limited circumstances, such as when there is a threat of imminent harm, I may share necessary information with family members or authorities to protect your safety or the safety of others—as required or permitted by law.
As my client (or the parent/guardian of a minor client), you have important rights to safeguard your health information, as outlined under the HIPAA Privacy Rule and relevant state laws. I am committed to supporting and honoring these rights in my practice.
You have the right to:
View or receive a copy of your therapy records. This includes the right to electronic or paper copies, usually within 30 days of your written request, unless restricted by law (e.g., psychotherapy notes or legal proceedings).
Request corrections. If you believe your health record is incorrect or incomplete, you may request an amendment or correction.
You may request limits on how your information is used or shared, such as restricting information sent to insurance companies or family members. While I will accommodate reasonable requests, I may not be able to comply with all requests if they would interfere with your care or legal obligations.
You can ask that I contact you in specific ways (such as only by phone, email, or through a secure portal) or at certain locations to better protect your privacy. I will make every effort to honor your preferences.
You may request a list of times I have shared your health information with others for reasons other than treatment, payment, or health care operations, going back up to six years.
If you have signed a release of information or authorized a specific disclosure, you may revoke your consent at any time in writing, except for actions already taken based on your prior permission.
If your unsecured PHI is ever improperly disclosed or accessed in a way that presents a risk to your privacy or security, I will notify you promptly as required by the HIPAA Breach Notification Rule.
As a teletherapy provider in Pennsylvania, I am committed to offering high-quality treatment while upholding rigorous privacy and security standards, both federally and at the state level.
I conduct remote sessions using HIPAA-compliant platforms with built-in encryption, such as Zoom for Healthcare, Doxy.me, or SimplePractice, which are designed for clinical care and ensure your information is both private and secure.
Encryption: All communications for telehealth (video, audio, and messaging) are encrypted end-to-end according to HIPAA and NIST standards, meaning your session cannot be overheard or accessed by unauthorized individuals.
Business Associate Agreements: I maintain written agreements with technology providers (platforms and electronic records vendors) who may process or transmit PHI on my behalf, holding them to strict privacy and security standards as required under HIPAA.
During intake, I will explain and document your informed consent for telehealth services. Consent includes an explanation of potential risks (such as technological interruptions), alternative options, and the steps I take to protect your privacy. For clients accessing therapy in Pennsylvania, I abide by all state Board guidelines and best practices—to ensure telehealth care is delivered with the same standards as in-person sessions.
I implement multiple layers of safeguards to ensure your information remains private, confidential, and secure, whether stored electronically or on paper.
Access controls: I am the only person with access to your full PHI, including therapy records and session notes. Access to electronic files is protected by strong passwords and, where possible, multi-factor authentication.
Encryption: All electronic health records, emails (to the extent possible), and telehealth communications are encrypted using industry standards. I use platforms that meet or exceed HIPAA’s encryption requirements for data both in transit and at rest (e.g., AES-256 encryption).
Physical safeguards: Any paper files are kept in locked storage when not in use. Sensitive documents are never left unsecured.
Device and platform security: Laptops and mobile devices used for practice operations have strong, regularly updated security software. I never access or store client PHI on public or shared devices.
Backup and recovery: Data is routinely backed up on secure, encrypted servers to prevent loss in case of hardware failure or disaster.
When using third-party vendors (e.g., for scheduling, billing, video conferencing), I verify their compliance with HIPAA and Pennsylvania law, limit the information shared, and ensure Business Associate Agreements are in place as required.
Psychotherapy notes require special protection under the HIPAA Privacy Rule. These are my personal records documenting my impressions and analysis of your therapy sessions and are stored separately from your “designated record set” (the standard medical/clinical record). Psychotherapy notes are not shared with anyone—including other health care providers or family members—without your explicit, written authorization, except in limited situations required by law (such as imminent risk or court order).
Routine releases of PHI (for coordination of care or insurance) do not include psychotherapy notes. If there is ever a need or request to disclose these notes, I will discuss this thoroughly with you beforehand.
Your health and therapy records are kept for at least six years from the date of your last session, in line with HIPAA requirements and most insurance standards. However, Pennsylvania law and licensing standards may require retaining mental health records for a specific, and sometimes longer, period—especially for children and adolescents.
For minors: In Pennsylvania, mental health records for children are typically retained until they reach the age of majority (18 years) plus a set retention period, usually at least seven years after the final session or at least until the client reaches age 21, whichever is longer, to comply with best practices and legal guidance.
I keep your records only as long as necessary to fulfill legal, insurance, or professional obligations and to ensure continuity of care.
When records are no longer needed, I destroy them in a manner compliant with HIPAA standards for “secure disposal.” For paper materials, this means shredding; for electronic data, this involves secure deletion and overwriting so data cannot be reconstructed or restored.
If you have questions about how your data is stored or when it will be deleted, please ask—I will be happy to provide this information.
Like most modern websites, Play Heals Teletherapy may use basic analytics tools (such as Google Analytics) to track anonymous visitor data purely to improve site functionality, monitor traffic, and enhance security. Here’s what you need to know:
What’s collected: Analytics tools collect information such as your device type, browser, general location (e.g., city-level), time spent on pages, and referral source—but not your name, clinical information, or other identifying health details.
Cookies: A “cookie” is a small text file stored on your device. This may help keep you logged in or remember site preferences. You may disable cookies through your browser settings, but some site features may be limited.
No tracking for advertising: I do not use cookies for ad targeting or marketing, nor do I sell your browsing data.
Third-party privacy: Providers like Google Analytics are contractually required not to identify you and are governed by their own privacy policies. I limit their access to only the data necessary for the function they provide.
Opt-out: Many browsers and privacy plugins allow you to control or block analytics tracking. You may also visit Google’s privacy settings to opt out of Analytics data collection.
If you prefer not to have data about your website visit included in analytics, please let me know, and I can further explain your options.
To provide secure teletherapy, appointment scheduling, electronic health record keeping, or billing, I may use third-party vendors (e.g., SimplePractice, Google Workspace, Zoom for Healthcare, Doxy.me, payment processors). These companies may have access to some PHI or personally identifying information purely for the purpose of supporting my practice, but only under stringent conditions.
Business Associate Agreements (BAAs): I enter into BAAs with each vendor handling PHI, requiring them to maintain strict confidentiality, security, and compliance with HIPAA and applicable state law.
Scope of access: Vendors only have access to what is strictly necessary for the services they provide. They are prohibited from using or disclosing your data for other purposes.
Vendor selection: I carefully choose vendors who meet or exceed industry standards for privacy and security and routinely review their compliance and reputation.
For any questions about particular vendors or their privacy practices, please ask and I will supply further details.
Privacy for children and minors in therapy is handled with special care and in alignment with both HIPAA and Pennsylvania law.
Parental access: In most cases, parents or legal guardians have the right to access their child’s mental health records. However, there are important exceptions, especially for older children and adolescents:
In Pennsylvania, minors ages 14 and up may in certain cases consent to their own mental health treatment and control access to their records, unless specific exceptions apply (such as risk of harm, legal proceedings, or court orders).
I will explain these rights and processes to both minors and parents clearly and review them regularly over the course of treatment.
Sensitive conversations: If I believe sharing certain information with a parent or guardian would jeopardize a minor’s safety or therapeutic progress, I may restrict access to those records, as allowed by law. This is always a careful, case-by-case consideration.
Your questions about consent, confidentiality, and access rights will always be respected and answered in plain language.
If you believe your privacy rights have been violated, you have the right to:
Contact me directly: Please feel free to share your concerns so I can address them promptly and fully.
File a complaint with federal regulators: You may also contact the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), if you feel your rights under HIPAA have not been respected.
Complaints may cover privacy breaches, improper disclosures, denial of your records, or other privacy-related concerns. Filing a complaint will not affect your care or relationship with my practice.
As mental health care laws, technology, and best practices evolve, I may update this Privacy Policy to ensure ongoing transparency, compliance, and quality of care. If significant changes are made, I will clearly notify clients by posting the revised policy on my website and, where appropriate, providing notice directly.
You may request a printed or digital copy of the current Privacy Policy at any time. Your continued use of Play Heals Teletherapy services signifies acceptance of the latest posted version.
For all privacy-related questions, requests to exercise your privacy rights, or concerns about this Policy, please contact me directly:
Lucia Cortes, LCSW, LLC
DBA Play Heals Teletherapy
2020 Lawfer Ave
Allentown, PA 18104
Phone: (484) 515-9848
Email: Lucia@lc-playhealsteletherapy.com
I am honored to be your therapist and trusted with your family’s care. Your privacy is always my priority—in every session, interaction, and record.
Last updated: September 5, 2025
This Privacy Policy is designed to be clear and accessible for families and parents, as well as individuals of all ages. If you have questions about clinical terms or legal concepts within this document, please ask me for clarification.
While I strive to meet or exceed all applicable federal and state requirements, this Policy is not a substitute for legal advice. For detailed questions about your individual situation or complex legal rights, you may wish to consult an attorney or privacy advocate.
Thank you for your trust in Play Heals Teletherapy. I look forward to supporting your journey towards health, healing, and wholeness.
-- Lucia Cortes, LCSW