Privacy Policy
How CARMAhealth collects, uses, and protects your personal and health information.
Effective Date: June 22, 2026
CARMAhealth ("we," "us," or "our") is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website, use our patient portal, or receive care at any of our locations in Texas, Florida, or through our telehealth services in Virginia.
This policy supplements, but does not replace, the Notice of Privacy Practices (NPP) that we provide to patients regarding the use and disclosure of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
Information We Collect
Personal Information. When you interact with our website, schedule an appointment, or register as a patient, we may collect your name, date of birth, mailing address, email address, phone number, and insurance details.
Protected Health Information (PHI). When you receive care from CARMAhealth, we collect health-related information necessary for diagnosis, treatment, and payment. This includes medical history, treatment records, prescriptions, lab results, and billing records.
Substance Use Disorder (SUD) Records. In accordance with 42 CFR Part 2, records related to substance use disorder treatment receive additional federal protections. These records may not be used to initiate or substantiate criminal charges or to conduct any investigation of a patient without a court order or patient consent.
Website Usage Information. With your consent, we collect non-identifiable technical data such as browser type, device type, pages visited, and referring URLs to understand how our website is used. We do not load any analytics or third-party tracking technologies until you opt in. See Cookies and Analytics under Website and Digital Privacy below for details and for how to change your choice.
How We Use Your Information
We use your information for the following purposes:
Treatment. To provide, coordinate, and manage your healthcare, including psychiatric evaluations, medication management, TMS therapy, ketamine-assisted psychotherapy, and telehealth services.
Payment. To bill and collect payment for services rendered, including verifying insurance coverage and processing claims. Payment data is processed through a secure external gateway and is not stored on CARMAhealth servers.
Healthcare Operations. To support quality improvement, staff training, compliance auditing, and business management activities necessary to run our practice.
As Required by Law. To comply with federal and state laws, respond to court orders, and cooperate with law enforcement when legally required.
How We Protect Your Information
CARMAhealth implements administrative, physical, and technical safeguards to protect your information, including:
- Encryption of data in transit using SSL/TLS technology
- Access controls limiting staff access to information on a need-to-know basis
- Secure electronic health record systems through our patient portal
- Regular security assessments and vulnerability scanning
- Staff training on HIPAA compliance and information security
Disclosure of Your Information
We do not sell, trade, or rent your personal information or PHI to third parties. We may share your information in the following circumstances:
- With your consent. When you provide written authorization for us to share your information with a specific person or organization.
- For treatment, payment, and operations. With other healthcare providers involved in your care, insurance companies for claims processing, and business associates who perform services on our behalf under binding confidentiality agreements.
- As required by law. To comply with federal, state, or local laws, including mandatory reporting obligations.
- Public health activities. To public health authorities for disease prevention, injury reporting, or FDA-regulated product safety.
- Health oversight. To health oversight agencies for audits, investigations, and licensure activities authorized by law.
Substance Use Disorder Records
Federal law under 42 CFR Part 2 provides heightened protections for records related to substance use disorder diagnosis, referral, or treatment. As of February 16, 2026, the updated Part 2 Final Rule aligns these protections more closely with HIPAA while preserving critical safeguards:
- A single patient consent may authorize future uses and disclosures for treatment, payment, and healthcare operations.
- SUD records may not be used in criminal, civil, administrative, or legislative proceedings without patient consent or a court order.
- Patients have the right to an accounting of disclosures and may request restrictions on certain disclosures of their SUD records.
- Breaches of SUD records are subject to the same notification requirements as HIPAA breaches.
Your Rights
Under HIPAA and applicable state law, you have the following rights regarding your health information:
- Access. You may request copies of your medical records and health information.
- Amendment. You may request corrections to your health information if you believe it is inaccurate or incomplete.
- Accounting of Disclosures. You may request a list of certain disclosures we have made of your health information.
- Restrictions. You may request restrictions on how we use or disclose your health information for treatment, payment, or operations.
- Confidential Communications. You may request that we communicate with you about health matters through a specific method or at a specific location.
- Breach Notification. You will be notified if a breach of your unsecured PHI occurs, as required by federal and state law.
State-Specific Provisions
Texas. The Texas Medical Records Privacy Act (Chapter 181, Texas Health and Safety Code) provides additional protections for health information in Texas. Covered entities must notify patients of electronic disclosures of their PHI and obtain authorization for electronic disclosures not otherwise permitted under the Act. Texas law requires that patients be notified of a data breach within 60 days. The Texas Attorney General may impose civil penalties of up to $250,000 per violation.
Florida. The Florida Information Protection Act and Florida Statute 456.057 provide protections for medical records maintained by Florida healthcare providers. Florida law requires that all patient information stored offsite, whether in physical or virtual environments, be physically maintained within the continental United States, its territories, or Canada. Breaches must be reported to the Florida Attorney General within 30 days.
Virginia. CARMAhealth provides telehealth services to patients in Virginia. Virginia's Consumer Data Protection Act and applicable healthcare privacy laws apply to information collected from Virginia residents.
Telehealth Services
CARMAhealth offers telehealth services via secure, HIPAA-compliant video technology through our patient portal. The same privacy protections that apply to in-person visits apply to telehealth encounters. All telehealth sessions are conducted over encrypted connections, and recordings are not made without your express consent.
Website and Digital Privacy
Cookies and Analytics. Our website uses cookies and similar technologies for two limited purposes: to measure website traffic and to display interactive location maps. We use these on an opt-in basis. When you first visit, a consent banner appears, and no analytics or mapping technologies load until you select "Accept." If you select "Decline," or take no action, none of these technologies are loaded and no data is sent to the providers below.
When you opt in, we use the following services:
- Google Analytics. We use Google Analytics 4 to understand how visitors use our website, such as which pages are viewed and how visitors arrive. IP addresses are anonymized. Google's handling of this data is governed by the Google Privacy Policy and its policy on how Google uses information from sites that use its services.
- Mapbox. Our location pages can display an interactive map powered by Mapbox. Until you opt in, these pages show a static map image and contact no third party. Mapbox's handling of data is governed by the Mapbox Privacy Policy.
Changing Your Choice. Your selection is stored on your own device and is not shared with us or any third party. You can change it at any time by selecting "Your Privacy Choices" in the website footer, which reopens the consent banner. You may also clear your browser's site data to reset your choice.
Because nothing loads until you affirmatively opt in, visitors who take no action, including those whose browsers send a Do Not Track or Global Privacy Control signal, are not subject to analytics or third-party mapping technologies.
Third-Party Links. Our website may contain links to external websites operated by other organizations. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.
Children's Privacy. Our website is not directed at children under 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
Online Payments. Bill payments submitted through our website are processed by a secure external payment gateway. CARMAhealth does not store credit card numbers or financial account information on its servers.
Data Breach Response
In the event of a breach involving your unsecured PHI, CARMAhealth will notify you without unreasonable delay in accordance with the HIPAA Breach Notification Rule and applicable state breach notification laws. Notification will include a description of the breach, the types of information involved, steps you can take to protect yourself, and what CARMAhealth is doing to investigate and mitigate the breach.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the updated policy on this page with a revised effective date.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights regarding your health information, or need to file a privacy complaint, please contact us:
CARMAhealth Privacy Office
630 West 34th Street, Suite 301
Austin, TX 78705
Phone: (512) 212-4670
Email: info@carmahealth.com
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. CARMAhealth will not retaliate against you for filing a complaint.