Palo Alto
Leela Mental Health

Notice of Privacy Practices

Effective Date: April 2, 2026 · Supersedes all prior versions
Leela Mental Health, Family Therapy Corporation · 220 California Avenue, Suite 105, Palo Alto, CA 94306
Federal Reference
This Notice is issued pursuant to the HIPAA Privacy Rule (45 CFR Parts 160 and 164) and the HITECH Act.
HHS.gov — Notice of Privacy Practices: hhs.gov/hipaa/for-individuals/notice-privacy-practices
HHS.gov — File a HIPAA Complaint: hhs.gov/hipaa/filing-a-complaint

1. Who We Are & Our Duties

Leela Mental Health, Family Therapy Corporation, doing business as Leela Mental Health (“Leela Mental Health”), is a licensed outpatient mental health practice. Services are provided by Moitreyee Chowdhury, LMFT (#121934, expires September 30, 2026) and LPCC (#9238, expires February 28, 2027), who serves as this practice’s Privacy Officer. These identifiers and expiration dates are provided pursuant to California Business and Professions Code §4980.32 (SB 1024, effective July 1, 2025).
We are a covered entity under HIPAA. We are required by law to:

  • Maintain the privacy and security of your Protected Health Information (PHI)
  • Provide you with this Notice before or at your first date of service
  • Abide by the terms of this Notice while it is in effect
  • Notify you promptly in the event of a breach of your unsecured PHI

We will not use or share your PHI in any way not described in this Notice without your written authorization, except as required by law.

2. Psychotherapy Notes vs. Medical Records

Federal law draws a critical distinction between two categories of clinical information. Understanding this distinction affects your rights and the circumstances under which your information may be released.
Medical Records (General Health Information)
Your general health record includes: diagnoses, treatment plans, progress notes, session dates and times, medication records, billing records, and clinical outcome measures. This information may be used and disclosed for treatment, payment, and healthcare operations as described in this Notice.
Psychotherapy Notes (Separately Protected)
Psychotherapy notes — as defined in 45 CFR §164.501 — document the contents of a counseling session: your specific disclosures, the therapist’s observations, clinical impressions, and analyses. They are held to a higher standard of protection and maintained separately in your file.
Separate Written Authorization Required
We will not release your psychotherapy notes without a separate, explicit written authorization — even if you have signed a general release for your medical records, and even for insurance billing purposes. A release of “medical records” does not include psychotherapy notes unless the authorization specifically names them.
Under 45 CFR §164.508(a)(2), we may use or disclose your psychotherapy notes without separate authorization only in the following circumstances:

  • For our own use in treating you.
  • For training or supervising mental health practitioners to help them improve their skills in group, joint, family, or individual counseling or therapy.
  • To defend ourselves in legal proceedings you initiate against us.
  • For use by the Secretary of Health and Human Services to investigate our compliance with HIPAA.
  • As required by law, and the use or disclosure is limited to what that law requires.
  • For certain health oversight activities pertaining to the originator of the psychotherapy notes.
  • To a coroner performing duties authorized by law.
  • To avert a serious and imminent threat to the health or safety of you or another person.

3. How We May Use and Disclose Your Health Information

The following uses and disclosures of your general health information (not psychotherapy notes) do not require your written authorization:
For Treatment
We may use and share your PHI to provide, coordinate, or manage your mental health care, including sharing relevant information with other providers involved in your care. Our preference is to obtain your written authorization before coordinating with other providers, though this is not legally required in all circumstances.
For Payment
We may use and disclose your PHI to bill and collect payment — including submitting claims to your health plan or insurance carrier. Insurance carriers may request clinical records as a condition of reimbursement. Psychotherapy notes are not included in insurance disclosures and require a separate authorization.
For Healthcare Operations
We may use your PHI for internal quality improvement, practice administration, compliance with applicable laws, and for obtaining legal advice. We may also discuss your clinical care with professional colleagues outside the practice for consultation and supervision purposes, using only the minimum necessary information. We will not use more identifying information than is necessary for the consultation.
Appointment Reminders and Treatment Information
We may use and disclose your PHI to contact you with appointment reminders, and to tell you about treatment options or other health care services or benefits we offer.
As Required by Law — Mandatory Disclosures

We are required to disclose your PHI without your authorization when:

  • There is suspected child abuse, elder abuse, or dependent adult abuse (mandatory reporting under California law)
  • There is a serious or imminent threat to the health or safety of you or an identifiable third party (California Evidence Code §1024; Tarasoff v. Regents of University of California (1976) 17 Cal.3d 425; California Business and Professions Code §4980.59 (LMFT duty to warn/protect); California Business and Professions Code §4999.45 (LPCC duty to warn/protect))
  • Required by a valid court order. Note: subpoenas (as distinct from court orders) require review before compliance — contact our Privacy Officer before assuming a subpoena requires disclosure.
  • Required by law enforcement under specific, legally defined conditions
  • Required for public health activities (e.g., communicable disease reporting)
  • Required for workers’ compensation proceedings; our preference is to obtain your authorization before doing so
  • Required for oversight by a health regulatory agency (e.g., California Board of Behavioral Sciences)
  • Required by a coroner or medical examiner performing authorized duties
  • Required for research purposes approved by an Institutional Review Board (IRB) under applicable law
  • Required for specialized government functions, including ensuring the proper execution of military missions; protecting the President of the United States; conducting intelligence or counter-intelligence operations; or ensuring the safety of persons within correctional institutions

4. Disclosures You May Object To

We may share your PHI with a family member, friend, or other person involved in your care or payment — unless you object in whole or in part. You may object at any time by notifying us in writing. In an emergency, we may obtain your opportunity to object retroactively.

5. Uses Requiring Your Written Authorization

Any use or disclosure of your PHI not described in this Notice requires your explicit written authorization. This includes, but is not limited to:

  • Psychotherapy Notes: Any disclosure of your psychotherapy notes (see Section 2), other than the eight exceptions listed above.
  • Marketing: We will not use or disclose your PHI for marketing purposes without your written authorization.
  • Sale of PHI: We will not sell your PHI in any regular course of business. Any sale of PHI requires your written authorization.

You may revoke any authorization at any time by providing written notice of revocation. Revocation does not affect disclosures already made in reliance on that authorization prior to revocation.

6. Your Right to Restrict Disclosures to Your Insurer

HITECH Act — Absolute Right (45 CFR §164.522(a)(1)(vi))
If you pay in full, out-of-pocket for a specific service and request that we not share information about that service with your health plan or insurer, we are required by federal law to honor that request.

This right applies only to the specific service(s) for which you pay in full privately. It does not extend to other services billed to insurance, and it does not override legally mandated disclosures. To invoke this right, submit your request to our Privacy Officer in writing before or at the time of the service. We will confirm receipt and document the restriction in your file.

7. California AB 1184 — Right to Confidential Communications

California AB 1184 (Chapter 190, Statutes of 2021; California Civil Code §56.107 and California Insurance Code §791.29; operative July 1, 2022) protects individuals receiving sensitive health care services who may be enrolled on another person’s insurance policy.
Who This Applies To
This right applies to you if:

  • You are a minor who has the legal right to consent to your own mental health treatment under California Health & Safety Code §124260; or
  • You are an adult whose health care services are covered under another person’s insurance policy (e.g., a spouse’s, domestic partner’s, or parent’s plan) and you wish to keep your care confidential from the policyholder
Your Right
Under AB 1184, your health plan or insurer is prohibited from requiring you to obtain the policyholder’s authorization to receive or submit claims for sensitive services, and must direct communications about your care to your designated contact instead of the policyholder. Communications that may be redirected include: Explanation of Benefits notices, billing statements, appointment reminders, and any written, oral, or electronic communication containing your protected health information.
How to Invoke This Right — Two Steps

Step 1 — Notify us:Submit a written request to our Privacy Officer before or at the start of services, specifying: (1) the type of communication to be redirected, and (2) the address or contact method to use. We will direct all communications within our control to your designated contact and will not condition treatment on your exercise or non-exercise of this right.

Step 2 — Notify your insurer: The primary obligation under AB 1184 falls on your health plan or insurer, not solely on us as your provider. We will cooperate fully, but we strongly encourage you to also submit a confidential communications request directly to your insurer (via their member services line or website). Without that request, your insurer may still send EOBs and billing documents to the policyholder’s address on file — which is outside our control.

8. Electronic Communications — Google Voice, SMS & Email

We use Google Voice as our primary phone system for incoming call routing and general administrative communications. All appointment reminders are sent through our secure Simple Practice client portal. We will communicate with you by standard text/SMS message only when you have initiated contact via SMS and have consented to receiving responses by that channel. Standard SMS is used solely for brief, non-clinical administrative replies in response to patient-initiated messages; clinical information is communicated through Simple Practice.

Security Disclosure — Unencrypted Communications

Standard SMS text messages are not encrypted in transit and do not meet HIPAA’s technical security standards for the transmission of Protected Health Information. Messages sent or received via standard texting may theoretically be intercepted or accessed by unauthorized third parties.

We will not send clinical content, session notes, diagnoses, or detailed health information via unencrypted text message. If you request or agree to receive administrative communications from us via text, your acknowledgment of this risk and consent to this channel will be documented in your intake paperwork through Simple Practice — not through this Notice. If you prefer encrypted communication only, please notify us in writing and we will arrange secure messaging through the Simple Practice client portal.

Email
We use Google Workspace (Gmail, Calendar, Drive) for email, scheduling, and document management under a HIPAA Business Associate Agreement with Google. Standard email is not end-to-end encrypted. We will not send sensitive clinical content by email without your documented prior consent. Consent to email communication is captured in your intake paperwork.

9. Practice Management Platform — Simple Practice

We use Simple Practice as our electronic health record (EHR) and client portal. Simple Practice operates under a HIPAA Business Associate Agreement and provides HIPAA-compliant secure messaging, intake documentation, appointment scheduling, telehealth video, and billing management. For any communication involving your clinical records or sensitive health information, please use the Simple Practice client portal.

10. Telehealth Services & Backup Platform

Leela Mental Health provides telehealth services to clients located in California via Simple Practice’s built-in HIPAA-compliant video platform, which operates under a Business Associate Agreement. The full protections of this Notice apply to all telehealth sessions. You are responsible for ensuring your own privacy on your end of the session. We do not record telehealth sessions without your separate written authorization.

Backup Platform

In the event of technical difficulty with Simple Practice’s video platform, sessions may be conducted via Google Meet through our existing Google Workspace account. Google Meet is covered under our existing Business Associate Agreement with Google (Google Workspace BAA). The same HIPAA protections described in this Notice apply to sessions conducted via Google Meet. You will be notified by phone or secure message of any platform change at or before the time of the session.

Important — No Free or Personal Accounts
HIPAA telehealth compliance requires that the provider’s video platform be covered by a signed Business Associate Agreement. Google Meet is HIPAA-compliant only when accessed through a paid Google Workspace account with a BAA in place — which is how our practice operates. Free personal Google accounts, FaceTime, standard Skype, or standard Zoom (without a healthcare BAA) do not meet HIPAA requirements and will not be used as backup platforms.

11. Your Rights Regarding Your Health Information

To exercise any of the following rights, submit a written request to our Privacy Officer using the contact information in Section 19. We will acknowledge receipt and respond within the timeframes stated below.
Right to Request Restrictions on Uses and Disclosures
You may ask us not to use or disclose certain PHI for treatment, payment, or healthcare operations. We are not required to agree to every request. However, if you pay in full out-of-pocket and request we not share that service with your health plan, we must agree (see Section 6). Submit restriction requests in writing; we will confirm in writing whether we can comply.
Right to Access and Obtain Copies of Your Records
You may inspect and receive a copy (paper or electronic) of your general medical record and billing information. Under California Health & Safety Code §123110, you have the right to inspect records within 5 working days of your oral or written request, and to receive copies within 15 days of your request. The fee for paper copies may not exceed $0.25 per page plus reasonable clerical costs (Cal. Health & Safety Code §123110(b)). Note: psychotherapy notes (Section 2) are not included in a standard records request. Under California Evidence Code §1023, access to psychotherapy notes specifically may be provided in the form of a summary if the treating therapist determines that direct inspection would have a substantial adverse effect on the patient; in that case, you will be offered a written summary and may designate another treating provider to receive the full notes. We will respond to all records requests within the California statutory timeframes above.
Right to Amend Your Records
If you believe your PHI is inaccurate or incomplete, you may request an amendment. We will respond within 60 days and will explain the reason if we deny the request.
Right to an Accounting of Disclosures
You may request a list of instances in which we disclosed your PHI for purposes other than treatment, payment, or healthcare operations, going back up to six years. We will respond within 60 days of your written request. The first request in a 12-month period is provided at no charge; additional requests in the same period may incur a reasonable fee.
Right to Choose How We Contact You
You may request that we contact you in a specific way or at a specific address. We will honor all reasonable requests without requiring a reason (see also AB 1184, Section 7).
Right to a Paper or Electronic Copy of This Notice
You may request a copy of this Notice at any time, in paper or electronic form, even if you previously agreed to receive it electronically.
Right to File a Complaint — No Retaliation
If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the U.S. Department of Health & Human Services (see Section 19). We will not retaliate against you in any way for filing a complaint.
Right to Designate a Personal Representative

If someone has legal authority to act on your behalf — such as a parent of a minor client, a legal guardian, or an individual holding a valid healthcare power of attorney — that person may exercise your privacy rights and make choices about your health information. We will verify that authority before taking any action. (45 CFR §164.502(g))

12. Reproductive Health Care — California Protections

The State of California provides strong, sovereign protections for your reproductive health information grounded in California Assembly Bill 352 (effective January 1, 2024) and the California Confidentiality of Medical Information Act (CMIA), California Civil Code §56 et seq., as amended. These protections apply independently of any federal rule.
Note: Certain federal HIPAA reproductive health provisions (formerly cited at 45 CFR §164.502(a)(5)(iii)) were subject to federal judicial challenge as of the date of this Notice. The California state protections below are fully enforceable regardless of the status of any federal rule.
California AB 352 — Prohibited Disclosures
Under California AB 352 and the CMIA, we are prohibited from disclosing your medical information — including information relating to reproductive health care and gender-affirming care — in response to out-of-state subpoenas, law enforcement requests, or other demands based on laws criminalizing reproductive health care that is lawful in California. We shall not:
  • Disclose any medical information to assist an investigation or prosecution targeting any person for seeking, obtaining, providing, or facilitating reproductive health care lawful in California
  • Comply with any out-of-state order requiring disclosure of such information without first consulting with our legal counsel
  • Release information relating to gender-affirming care to any entity seeking to take adverse action based on the provision or receipt of such care

These prohibitions apply even when a request is presented as a lawful order from a governmental authority of another state. We will not disclose such information without first obtaining legal advice and, where required, a California court order authorizing disclosure.

13. When We Require a Legal Review Before Disclosing Your PHI

Effective February 16, 2026, we require legal review before responding to certain categories of PHI disclosure requests, to ensure compliance with California AB 352, the CMIA, and any applicable federal requirements. Before we disclose PHI in response to any of the following, we will conduct internal review and, where required by California or federal law, obtain a written attestation or court authorization:
  • Health oversight activities
  • Judicial and administrative proceedings, including subpoenas
  • Law enforcement requests
  • Disclosures about decedents to coroners, medical examiners, or funeral directors

We will refuse to disclose PHI if legal review raises concerns about the request’s validity, scope, or compliance with California law. Contact our Privacy Officer (Section 19) with any questions.

14. Substance Use Disorder Records — Additional Protections

Applicability
This section applies only if your care includes treatment for substance use disorder (SUD). If it does not, this section does not affect your records.
Records relating to SUD treatment are subject to federal protections under 42 CFR Part 2 (as amended by the 2024 CARES Act Final Rule, compliance date February 16, 2026). The following disclosures are mandated by 42 CFR §2.22:
Prohibition on Use in Legal Proceedings
Records of your SUD treatment — and any testimony relaying the content of such records — may not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against you, except: (a) with your specific written consent, or (b) pursuant to a court order meeting the requirements of 42 CFR Part 2 Subpart E. This protection is intended to ensure that seeking treatment does not make you more legally vulnerable than someone who does not seek help.
Single TPO Consent
Under the 2026 alignment, you may sign a single written consent authorizing all future uses and disclosures of your SUD records for treatment, payment, and healthcare operations (TPO). You have the right to revoke this consent at any time in writing, except to the extent that action has already been taken in reliance on it.
SUD Counseling Notes (Separately Protected)
The 2026 amendments created “SUD Counseling Notes” — analogous to psychotherapy notes under HIPAA. These document the content of individual counseling sessions and are maintained separately from your general SUD record. They require a separate, stand-alone authorization for disclosure and are not covered by a general TPO consent.
Redisclosure Notice
Any disclosure of your SUD records made pursuant to a TPO consent must be accompanied by the following notice to the recipient: “42 CFR Part 2 prohibits unauthorized use or disclosure of these records.” This requirement prevents onward disclosure by the recipient without proper authorization.

15. Record Retention

We retain adult client records for a minimum of seven (7) years from the date therapy is terminated, in compliance with California Business and Professions Code §4980.49 (LMFT) and §4999.75 (LPCC), enacted by SB 578 (Stats. 2014, Ch. 312), effective January 1, 2015.

For clients who were minors at the time of treatment, records are retained for a minimum of seven (7) years from the date the client reaches 18 years of age — meaning at least until age 25 if therapy concluded before the client turned 18. For clients whose treatment continued into adulthood, the adult seven-year rule applies from the date of last service. (BPC §4980.49 and §4999.75.)

16. Breach Notification

If Leela Mental Health discovers that your unsecured Protected Health Information has been subject to a breach, we are required by federal law (45 CFR §164.400–414) and California law (California Health & Safety Code §1280.15) to notify you without unreasonable delay, and no later than 60 calendar days after we discover the breach.

The notification will include: a description of what happened and the date; the types of PHI involved; steps you can take to protect yourself; what we are doing to investigate and prevent recurrence; and contact information for questions (45 CFR §164.404(c)). Notification will be sent by first-class mail to your address on file, or by email if you have agreed to electronic notices.

If a breach affects 500 or more individuals, we are required to also notify the U.S. Department of Health and Human Services and may be required to notify prominent media in California. All breaches, regardless of size, are reported to HHS as required. If you have questions about a potential breach of your health information, contact our Privacy Officer (see Section 19).

17. Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes we make will apply to all Protected Health Information we maintain, including information created or received before the change. The revised Notice will be posted on our website and will be available in paper form upon request at our office. The effective date on the Notice will be updated to reflect any revisions.

18. How to File a Complaint

If you believe we have violated your privacy rights, you may file a complaint with our Privacy Officer (see Section 19) or directly with the U.S. Department of Health and Human Services Office for Civil Rights:

We will not retaliate against you in any way for filing a complaint with us or with the federal government.

19. Contact Our Privacy Officer

To exercise your rights, request records, submit a restriction request, invoke your AB 1184 confidential communications right, or ask any questions about this Notice:

Moitreyee Chowdhury, LMFT (#121934, exp. 09/30/2026) | LPCC (#9238, exp. 02/28/2027) — Privacy Officer

Practice                     Leela Mental Health, Family Therapy Corporation, dba Leela Mental Health
Location                    Palo Alto, CA 94306
Email                          information@leelamentalhealth.com
Secure messaging       Simple Practice client portal (preferred for health information)