Privacy & HIPAA Notice

How we protect your information.

This is our Notice of Privacy Practices, required by HIPAA. We've written it in plain English because medical privacy shouldn't require a translator.

Effective May 1, 2026 · Last updated May 20, 2026

This Notice describes how protected health information (PHI) about you may be used and disclosed by Flow Therapy, and how you can access it. Please review it carefully. Required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

— 01Scope and definitions

"Flow Therapy" means Katie Thornton, LCSW, doing business as Flow Therapy, located in Houston, TX, and any clinicians she supervises or contracts with. "PHI" means any individually identifiable health information, including session notes, diagnoses, treatment plans, billing records, and contact details.

This Notice applies to flowtherapy.com, any forms submitted through it, and all clinical communications.

— 02What we collect

From the website

  • Contact form submissions — name, email, phone, message content
  • Basic analytics — IP address, browser type, pages visited (aggregated and anonymized)

From clinical care

  • Intake forms, insurance information, diagnostic information, session notes
  • Communications with you (email, phone, text, secure messaging)
  • Payment information (processed by third-party PCI-compliant providers, not stored on our servers)

— 03How we use your information

We use PHI for treatment, payment, and healthcare operations as defined by HIPAA. This includes:

  • Treatment — providing therapy, coordinating with your medical providers (with your written consent), referrals
  • Payment — billing insurance, processing payments, verifying eligibility
  • Operations — quality improvement, training, credentialing, compliance audits, business management

— 04When we share information

We will not share your PHI without your written authorization, except as required or permitted by law. Specifically, we may share PHI:

  • With insurance companies for billing (when you use insurance)
  • With business associates under HIPAA-compliant agreements (e.g., EHR vendors, billing services)
  • To prevent serious harm to you or others (duty to warn/protect)
  • To report suspected child, elder, or dependent adult abuse
  • In response to a court order or subpoena (we will notify you when legally permitted)
  • To public health authorities for required reporting
— What we don't do

We do not sell your information. We do not share PHI with advertisers, data brokers, or marketers. We do not use your PHI for marketing without your express written consent.

— 05Your HIPAA rights

Under HIPAA, you have the right to:

Access your records
Request copies of your PHI. We respond within 30 days. A reasonable cost-based fee may apply for copying.
Amend incorrect information
Request corrections to your records. We may deny under certain circumstances, in which case you may submit a statement of disagreement.
Accounting of disclosures
Request a list of disclosures made for purposes other than treatment, payment, or operations.
Restrict disclosures
Request limits on how we use or share your PHI. We will consider your request but are not always required to agree.
Confidential communication
Request that we contact you only at specific addresses or phone numbers.
Paper copy
Receive a paper copy of this Notice at any time, even if you've accepted it electronically.
File a complaint
File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate.

— 06Security

We maintain administrative, physical, and technical safeguards required by HIPAA. This includes encrypted EHR systems, secure messaging, locked physical records, business associate agreements with all vendors who access PHI, and breach notification procedures.

If a breach of unsecured PHI occurs, we will notify affected individuals within 60 days as required by law.

— 07Cookies and tracking

flowtherapy.com uses minimal cookies — only essential ones for site function. We do not use third-party advertising cookies, tracking pixels, or behavioral analytics. We may use a privacy-respecting analytics provider to count visits (no personal identifiers). You can disable cookies in your browser without losing site functionality.

— 08Changes and contact

We may update this Notice. The effective date appears at the top. Material changes will be posted prominently on flowtherapy.com.

To exercise any HIPAA right, file a complaint, or ask questions about this Notice:

Katie Thornton, LCSW · Privacy Officer
Email: privacy@flowtherapy.com
Mail: Flow Therapy, Houston, TX

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.