HIPAA Notice of Privacy Practices
This notice describes how Protected Health Information (PHI) about therapy clients may be used and disclosed through Clearbook, and how to protect that information.
Effective date: July 1, 2026
Important: Roles Under HIPAA
The therapist (licensed mental health professional) is the Covered Entity under HIPAA. Clearbook is a Business Associate— a technology vendor that processes PHI on the therapist's behalf. Clients should direct privacy questions to their therapist, not to Clearbook directly.
1. What Is Protected Health Information (PHI)?
PHI is individually identifiable health information — including a client's name, contact details, appointment history, and any notes that link a person to their mental health care. Under HIPAA, PHI is entitled to heightened privacy protection.
2. What Information Clearbook Handles
Through the Clearbook platform, therapists may process the following types of PHI on behalf of their clients:
- Client names, email addresses, and phone numbers (provided when booking)
- Appointment dates, times, and types (e.g., initial consultation, follow-up)
- Optional intake notes provided by clients during the booking process
- Payment records related to therapy sessions
Clearbook is designed for scheduling and practice management. It is not intended to be used as a clinical record system. Therapists should maintain clinical notes, diagnoses, and treatment plans in a separate, HIPAA-compliant EHR system.
3. How PHI May Be Used and Disclosed
As a Business Associate, Clearbook uses PHI only as directed by the therapist and as permitted by the BAA and applicable law:
Permitted uses:
- Providing the Clearbook scheduling and practice management service to the therapist
- Sending appointment confirmation and reminder communications to clients (via Twilio SMS and Resend email) on the therapist's behalf
- Processing payments through Stripe for therapy sessions
- Performing system operations, backups, and security monitoring necessary to maintain the service
Required disclosures:
- As required by law (e.g., court orders, valid legal process)
- To the U.S. Department of Health and Human Services (HHS) for compliance oversight
What we will NOT do:
- Sell PHI to any third party
- Use PHI for marketing or advertising purposes
- Use PHI to train AI or machine learning models
- Disclose PHI to any party not described in this notice or the BAA without explicit authorization
4. Safeguards We Maintain
Clearbook implements HIPAA-required technical, physical, and administrative safeguards:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher
- Encryption at rest: Database storage is encrypted (AES-256) via Supabase
- Access controls: Row-level security ensures therapists can only access their own clients' data; employees have no routine access to PHI
- Audit logging: Database operations are logged to detect unauthorized access
- Minimum necessary: We access PHI only to the extent required to provide the service
- Subcontractor oversight: All subcontractors (Supabase, Stripe, Twilio, Resend, Vercel) are bound by contractual data protection obligations
5. Business Associate Agreement (BAA)
HIPAA requires that Covered Entities have a signed BAA in place with any Business Associate that handles PHI. Clearbook will execute a BAA with any therapist account upon request.
To request a BAA, email getclearbook@gmail.com with the subject line "BAA Request." We will respond within 5 business days.
6. Breach Notification
In the event of a breach of unsecured PHI, Clearbook will notify affected therapists without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule. The notice will include the nature of the breach, the types of PHI involved, steps taken to mitigate harm, and recommended steps for therapists and their clients.
7. Therapist Responsibilities
Therapists using Clearbook remain independently responsible for their HIPAA compliance, including:
- Providing clients with a Notice of Privacy Practices as required by HIPAA
- Obtaining valid authorizations where required for uses not described in this notice
- Ensuring that how they configure Clearbook (e.g., types of intake questions, data collected) complies with the minimum-necessary standard
- Training workforce members on privacy policies
- Promptly notifying Clearbook of any suspected security incident involving client data (email getclearbook@gmail.com)
8. Clients' Right to Access Their Information
Under HIPAA, clients have the right to access PHI held by their therapist (the Covered Entity). Because Clearbook is a Business Associate, client access requests should be directed to the therapist. Therapists must respond to such requests in accordance with HIPAA's access rules.
If a client needs help identifying which therapist to contact, they may email getclearbook@gmail.com and we will assist in directing their request appropriately.
9. Retention and Deletion
Clearbook retains PHI for the duration of the therapist's account and for up to 7 years after account closure, consistent with common healthcare record-retention standards. Therapists may request deletion of specific records, subject to applicable legal retention requirements.
10. Changes to This Notice
We may update this HIPAA Notice of Privacy Practices. Material changes will be communicated by email. The current version is always available at useclearbook.app/hipaa.
11. Contact
HIPAA questions, BAA requests, or suspected incidents: email getclearbook@gmail.com.