Loading
This notice describes how MentraNote handles Protected Health Information (PHI) as a HIPAA Business Associate, including your rights, our obligations, and Business Associate Agreement summary.
THIS NOTICE DESCRIBES HOW MENTRANOTE HANDLES PROTECTED HEALTH INFORMATION IN ITS CAPACITY AS A HIPAA BUSINESS ASSOCIATE. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices ("Notice" or "NPP") is provided by MentraNote Inc. ("MentraNote") to describe how we may use and disclose Protected Health Information (PHI) received from or created on behalf of Covered Entities (our Subscriber clinicians and healthcare organizations) in the course of providing our electronic health record (EHR) platform services.
This Notice is distinct from your healthcare provider's own Notice of Privacy Practices. If you are a patient or client seeking information about how your therapist or mental health provider handles your records, please contact your provider directly. MentraNote processes patient PHI only as a Business Associate acting on behalf of your provider.
Under HIPAA, entities that handle PHI on behalf of healthcare providers are classified as either "Covered Entities" (the providers themselves) or "Business Associates" (vendors and service providers that receive or process PHI on behalf of Covered Entities). MentraNote serves as a Business Associate under HIPAA.
Licensed therapists and healthcare organizations who create, collect, and maintain patient health records and are directly responsible to patients under HIPAA.
MentraNote processes PHI on behalf of Covered Entities to deliver our EHR platform services, under a signed Business Associate Agreement (BAA).
As a Business Associate, MentraNote is directly subject to certain HIPAA regulations under the HITECH Act (Pub. L. 111-5), including the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule.
Protected Health Information (PHI) is any individually identifiable health information that: (a) relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare; (b) identifies or reasonably could identify the individual; and (c) is created, received, maintained, or transmitted by a Covered Entity or Business Associate.
PHI processed on the MentraNote Platform may include, without limitation:
MentraNote does not independently collect PHI directly from patients. All PHI on the Platform is entered, uploaded, or generated by Subscriber clinicians in connection with their clinical practice.
As a Business Associate, MentraNote may use or disclose PHI only as authorized in the BAA with the Covered Entity and as permitted or required by HIPAA. Specifically, MentraNote may use and disclose PHI for the following purposes:
MentraNote uses PHI as necessary to provide the EHR platform services to Covered Entities, including hosting, storing, displaying, processing, and transmitting clinical records and related data as directed by the Covered Entity (your therapist or organization).
MentraNote may use PHI in a limited and de-identified manner for the proper management and administration of the Platform, including: troubleshooting technical issues, security monitoring, system performance optimization, and quality assurance activities, all subject to strict access controls and the minimum necessary principle.
MentraNote may disclose PHI when required to do so by applicable federal, state, or local law, including in response to a valid court order, subpoena, or government agency request, and as required to report breaches to HHS under the Breach Notification Rule.
MentraNote may use PHI in its own legal defense in proceedings in which the Covered Entity is also a party, or to obtain legal or financial services, provided that MentraNote first obtains reasonable assurances that the PHI will be held confidential and used or disclosed only for the purpose of the legal activity.
MentraNote may aggregate de-identified health information (from which all 18 HIPAA Safe Harbor identifiers have been removed per 45 C.F.R. § 164.514(b)) for the purpose of analyzing the health care operations of the Covered Entities. De-identified data is never re-identified and is used solely for aggregate analytics and Platform improvement.
MentraNote will not disclose PHI to any third party except:
MentraNote does not disclose PHI to advertisers, data brokers, marketers, or any entity for commercial purposes not directly related to the provision of our services.
MentraNote will not use or disclose PHI in any manner that is not permitted by the BAA or HIPAA, including:
MentraNote has implemented comprehensive administrative, physical, and technical safeguards to protect PHI in accordance with 45 C.F.R. Part 164, Subpart C (the HIPAA Security Rule):
MentraNote may engage subcontractors to assist in providing the Platform. To the extent any subcontractor creates, receives, maintains, or transmits PHI on behalf of MentraNote, MentraNote ensures that each such subcontractor enters into a Business Associate subcontractor agreement that imposes the same requirements on the subcontractor as HIPAA imposes on MentraNote as a Business Associate.
Current subcontractors with access to PHI include: Amazon Web Services (AWS) for hosting and storage. Third-party AI providers (OpenAI, Groq) receive only de-identified content after PHI sanitization and are subject to data processing agreements that prohibit training on the data.
MentraNote is responsible for ensuring its subcontractors maintain appropriate HIPAA compliance. A complete list of subcontractors is available upon request at compliance@mentranote.com.
MentraNote maintains a formal Breach Notification Policy consistent with 45 C.F.R. § 164.410 and the HITECH Act. In the event of a breach of unsecured PHI:
Breach determination: MentraNote applies a four-factor risk assessment test (per 45 C.F.R. § 164.402) to determine whether an impermissible use or disclosure constitutes a reportable breach, including the nature of the PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent to which risk has been mitigated.
MentraNote is committed to the HIPAA Minimum Necessary Standard (45 C.F.R. § 164.502(b)). This means that MentraNote employees and systems access only the minimum amount of PHI necessary to perform a specific function. Specifically:
Note for patients/clients: Your HIPAA rights with respect to your health records are primarily exercisable against your healthcare provider (the Covered Entity), not against MentraNote. Please contact your therapist or healthcare organization to exercise the rights described below. MentraNote will cooperate with Covered Entities in fulfilling patient rights requests.
Under HIPAA, individuals have the following rights with respect to their PHI:
Individuals have the right to inspect and receive a copy of their PHI maintained in a Covered Entity's designated record set, including medical records and billing records used to make decisions about the individual. Covered Entities are required to respond to access requests within 30 days (or 60 days with written extension). MentraNote enables Covered Entities to generate data exports to fulfill patient access requests.
Individuals have the right to request amendment of PHI they believe is inaccurate or incomplete. The Covered Entity may deny the request under certain circumstances (e.g., if the records were not created by the Covered Entity, or the records are accurate and complete). MentraNote supports amendment of records through the Platform's editing and documentation features.
Individuals have the right to receive an accounting of certain disclosures of their PHI made by the Covered Entity (and its Business Associates) for purposes other than treatment, payment, healthcare operations, or certain other specified purposes. MentraNote maintains audit logs that support Covered Entity accounting of disclosures upon request.
Individuals have the right to request restrictions on the Covered Entity's use or disclosure of PHI for treatment, payment, or healthcare operations. The Covered Entity is not required to agree to the restriction (except for certain disclosures to health plans when the individual has paid out-of-pocket in full).
Individuals have the right to request that the Covered Entity communicate with them about PHI by alternative means or at alternative locations (e.g., only by mail, or only to a specific address). Covered Entities must accommodate reasonable requests.
Individuals have the right to be notified, without unreasonable delay and within 60 days of discovery, if there is a breach of their unsecured PHI. Notification must be provided by the Covered Entity and must include specific details about the breach and protective actions.
Subscriber clinicians and organizations using the MentraNote Platform as a Covered Entity under HIPAA are independently responsible for:
MentraNote executes a Business Associate Agreement (BAA) with all paid Subscribers (Basic, Pro, and Premium plans) as required by HIPAA, 45 C.F.R. § 164.502(e). The BAA governs MentraNote's handling of PHI on behalf of the Covered Entity. Below is a plain-language summary of the key provisions of our standard BAA.
To request a copy of the full BAA, contact compliance@mentranote.com. Subscribers on paid plans who have not yet received a countersigned BAA should contact us to initiate the process.
If you believe that your privacy rights under HIPAA have been violated in connection with MentraNote's handling of PHI, you have the right to file a complaint without retaliation.
Submit complaints to MentraNote's Privacy/Compliance Officer at:
Privacy/Compliance Officer
Email: compliance@mentranote.com
MentraNote will acknowledge all privacy complaints within 5 business days and investigate and respond within 30 days of receipt.
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which is responsible for enforcing HIPAA's Privacy and Security Rules:
Complaints to HHS OCR must be filed within 180 days of when you knew or should have known of the alleged violation (this may be extended for good cause). MentraNote will not retaliate against any individual for filing a good-faith complaint.
MentraNote strictly prohibits retaliation of any kind against any individual who exercises their HIPAA rights, files a complaint, or participates in any investigation or proceeding related to HIPAA compliance. Any retaliation by MentraNote employees or agents will be subject to disciplinary action up to and including termination.
MentraNote maintains all HIPAA-related policies, procedures, and documentation for a minimum of 6 years from the date of creation or the date when the policy or procedure was last in effect, whichever is later, as required by 45 C.F.R. § 164.530(j). This includes:
Clinical data (PHI) uploaded by Subscribers is retained per the terms of the BAA and is available for export for 30 days following account closure, after which it is permanently deleted within an additional 30 days.
MentraNote reserves the right to change the terms of this Notice at any time, and to make new provisions effective for all PHI maintained by MentraNote, including PHI created or received prior to the effective date of the revised Notice. When this Notice is revised, MentraNote will:
For HIPAA compliance questions, BAA requests, PHI-related complaints, or any other matter covered by this Notice:
MentraNote Inc. — HIPAA Privacy and Compliance
Compliance Email: compliance@mentranote.com
Legal: legal@mentranote.com
General Support: support@mentranote.com
For urgent security concerns or breach reports, email compliance@mentranote.com with the subject line "SECURITY INCIDENT." We aim to acknowledge all HIPAA-related communications within 2 business days and resolve within 30 days.