Notice of Privacy Practices

Who we are

The Bowerbirds provides back-office operations — billing, scheduling, intake forms, client communications, and a partner portal — to solo therapy practices. We are not your treating provider. Under HIPAA, we operate as a business associate of the therapist’s covered-entity practice. Each partner therapist signs a Business Associate Agreement (“BAA”) with us that defines exactly how we may use and disclose their clients’ PHI.

What we mean by PHI

Protected health information includes any individually identifiable health information your therapist records and shares with us in order for us to deliver back-office services — for example, your appointment times, session notes, intake responses, insurance details, treatment-related communications, copay amounts, and uploaded documents.

How we use and disclose PHI

We use PHI only as permitted under HIPAA and only as instructed by the therapist’s practice. Typical permitted uses include:

• Treatment operations the therapist asked us to support: scheduling appointments, sending appointment reminders, billing insurance, processing copays, surfacing client communications.
• Our own internal operations: securely operating the portal, maintaining the audit log, training authorised support staff, defending the integrity of the system.
• Required by law: where we are compelled to disclose PHI by subpoena, court order, or other lawful process.

We do not:

• Sell PHI.
• Use PHI for marketing or analytics.
• Share PHI with third parties beyond the vendors required to operate the service (Supabase, Cloudflare, Stripe, Resend, Google when a partner connects it), each of which is governed by its own BAA or equivalent contractual protection.
• Disclose PHI to law enforcement absent valid legal process.

Your rights

Under HIPAA you have several rights regarding your PHI. Because we operate as a business associate rather than your covered-entity provider, the practical place to exercise these rights is with your therapist. We will support every legitimate request your therapist forwards to us.

• Right to access — copy of your PHI we hold on the therapist’s behalf.
• Right to amend — request corrections to inaccurate or incomplete PHI.
• Right to accounting of disclosures — list of certain disclosures we’ve made.
• Right to request restrictions — limit how PHI is used or disclosed.
• Right to confidential communications — be contacted at a specific address or phone number.
• Right to a paper copy of this notice — we will mail you one on request.
• Right to file a complaint — with your therapist, with us, or with the U.S. Department of Health and Human Services Office for Civil Rights.

How we protect PHI

• All PHI is encrypted in transit (TLS 1.2+) and at rest.
• Access requires authenticated sign-in; partner sessions auto-time-out after 20 minutes of inactivity.
• Every PHI read or write is recorded in our audit log per §164.312(b).
• Database row-level security restricts access to each partner’s own clients.
• We retain PHI for at least six years as required by HIPAA, and only longer where licensing or legal obligations require it.

Breach notification

If we become aware of any acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, we will promptly notify the affected partner therapist’s practice in writing. The therapist is then responsible — with our cooperation — for any notifications required to be made to affected clients and to regulators.

Changes to this Notice

We may revise this Notice. The current version always lives at this URL. Material changes will be communicated to partner therapists, who will in turn communicate them to affected clients per their own Notices.

Contact

The Bowerbirds · hello@the-bowerbirds.com · (951) 223-5782

To file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights: www.hhs.gov/hipaa/filing-a-complaint.