PRIVACY POLICY

Resilient Roots, PLLC


Effective Date: February 17, 2026

Last Updated: February 17, 2026


------------------------------------------------------------------------


INTRODUCTION


Welcome to Resilient Roots, PLLC ("Resilient Roots," "we," "our," or "us"). We are committed to protecting your privacy and safeguarding any personal or health-related information you share with us. This Privacy Policy explains how we collect, use, store, share, and protect your information when you visit our website (www.resilientroots-pllc.com), use our services, or communicate with us in any way.


Resilient Roots is a virtual psychotherapy and clinical services practice founded and operated by Tricia McCloskey, LCSW, M-CASAC, MCPC. We provide services across multiple states, including New York, New Jersey, Florida, Maine, Indiana, Idaho, Vermont, Texas, South Carolina, West Virginia, Delaware, Utah, and Ohio. Because we serve clients across multiple jurisdictions, this policy is designed to comply with applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), New York State privacy and health information laws, and other applicable state regulations.


Please read this policy carefully. By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you have questions, please contact us using the information provided at the end of this document.


------------------------------------------------------------------------


1. INFORMATION WE COLLECT


We collect the following categories of personal information depending on the nature of your interaction with our practice:


(a) Personal Identifying Information

- Full name

- Email address

- Phone number

- Mailing address

- Date of birth

- Emergency contact information


(b) Health and Clinical Information

- Mental health history and diagnoses

- Treatment notes, session records, and progress documentation

- Substance use and addiction history

- Medication information

- Information related to Ketamine-Assisted Psychotherapy (KAP) eligibility and treatment

- Immigration evaluation records and psychosocial assessments

- Impaired driving screening and assessment results

- Emotional Support Animal (ESA) evaluation documentation

- Information disclosed during traditional psychotherapy, sylvotherapy, or life coaching sessions

- Clinical consultation and mentorship records


(c) Insurance and Payment Information

- Health insurance provider name and policy details

- Billing address

- Credit card, debit card, or other payment method information

- Superbill and claims information


(d) Technical and Website Usage Data

- IP address

- Browser type and version

- Device information

- Pages visited and time spent on our website

- Referring website or search terms

- Cookie and tracking data (see Section 9 for details)


(e) Communication Records

- Emails, phone call logs, and voicemail content

- Messages submitted through our website contact form

- Appointment scheduling information through TherapyPortal

- Consultation request details, including type of service requested, state of residence, insurance type, and reason for contacting the practice


------------------------------------------------------------------------


2. HOW WE COLLECT YOUR INFORMATION


We collect personal information through the following methods:


- Website Contact Forms: When you submit a consultation request or inquiry through our website, you provide your name, email, phone number, type of service sought, state, insurance type, and a description of your reason for reaching out.


- Appointment Scheduling Platform: We use TherapyPortal (therapyportal.com) for scheduling appointments. When you book a free 20-minute consultation or any appointment, TherapyPortal collects relevant scheduling and contact information.


- Direct Communication: Information shared via phone calls to (516) 404-9884, emails to connect@resilientroots-pllc.com, or through secure telehealth video sessions.


- Intake and Consent Forms: Clinical intake paperwork, informed consent documents, and assessment forms completed before or during the course of treatment.


- Electronic Medical Records (EMR): Clinical records are maintained through HIPAA-compliant electronic medical records systems.


- Secure Telehealth Platforms: Sessions are conducted via HIPAA-compliant video conferencing platforms that may collect technical connection data.


- Insurance and Billing Interactions: Information exchanged with insurance companies for claims processing, pre-authorization, or superbill generation.


- Cookies and Website Analytics: Our website uses cookies and analytics tools to understand site usage and improve your experience (see Section 9).


------------------------------------------------------------------------


3. WHY WE COLLECT YOUR INFORMATION (PURPOSES)


We collect and use your information for the following purposes:


- Providing Clinical Services: To deliver traditional psychotherapy, Ketamine-Assisted Psychotherapy, immigration evaluations, impaired driving screenings and assessments, Emotional Support Animal evaluations, sylvotherapy, professional life coaching, and clinical consultation or mentorship services.


- Appointment Scheduling and Management: To schedule, confirm, reschedule, or cancel appointments and consultations.


- Communication: To respond to your inquiries, send appointment reminders, provide follow-up care information, and share relevant resources.


- Billing and Payment Processing: To process payments, submit insurance claims, generate superbills, and manage accounts receivable.


- Legal and Regulatory Compliance: To comply with applicable federal and state laws, including HIPAA, New York State Office of Mental Health (OMH) regulations, Office of Addiction Services and Supports (OASAS) requirements, Department of Motor Vehicles (DMV) requirements for impaired driving evaluations, and state licensing board mandates.


- Treatment Planning and Quality Improvement: To develop and adjust treatment plans, track measurable outcomes, and improve the quality of clinical services.


- Coordination of Care: When authorized by you, to coordinate with other healthcare providers, attorneys (such as immigration attorneys), or other professionals involved in your care.


- Website Improvement and Analytics: To analyze website traffic and usage patterns in order to improve user experience and content.


- Marketing and Outreach: With your consent where required, to share information about services, blog content, or practice updates. We will never sell your personal information to third parties for their marketing purposes.


------------------------------------------------------------------------


4. WHO WE SHARE YOUR INFORMATION WITH


We may share your information with the following categories of third parties, and only to the extent necessary to fulfill the purposes described in this policy:


(a) Insurance Companies

When you use insurance benefits, we share necessary clinical and billing information with your insurance provider (such as Aetna, Cigna, Anthem, Optum, United Healthcare Oxford, Carelon Behavioral Health, UMR, Oscar, Empire BlueCross BlueShield, Evernorth, BlueCross BlueShield, 1199 SEIU, Medicare, NYSHIP, or Northwell Direct) for claims processing and payment.


(b) Electronic Medical Records and Practice Management Platforms

We use HIPAA-compliant EMR and practice management systems to store and manage your clinical records securely.


(c) Appointment Scheduling Platform

TherapyPortal is used for appointment booking and management. TherapyPortal processes scheduling-related data in accordance with its own privacy practices.


(d) Payment Processors

Third-party payment processors handle credit card and electronic payment transactions. These processors are required to maintain the security and confidentiality of your financial data.


(e) Telehealth Platforms

We conduct virtual sessions through HIPAA-compliant telehealth platforms. These platforms may process limited technical and session data necessary to deliver secure video sessions.


(f) Website Hosting and Analytics Providers

Our website is hosted by a third-party platform provider that may use cookies and analytics tools to help us understand website traffic and improve user experience.


(g) Accessibility Technology Provider

We use the Accessibility Widget by UserWay to enhance the accessibility of our website (see Section 10 for details). UserWay does not collect personal information from users interacting with the widget.


(h) Legal and Regulatory Authorities

We may disclose your information when required to do so by law, subpoena, court order, or regulatory investigation. This may include disclosures to state licensing boards, OASAS, the DMV, child protective services, adult protective services, or law enforcement when mandated by law (for example, mandated reporting of suspected child abuse or neglect, or duty-to-warn obligations).


(i) Attorneys and Legal Representatives

For immigration evaluations, we may share evaluation reports and supporting clinical documentation with your immigration attorney or legal representative with your written authorization.


(j) Other Healthcare Providers

With your written consent, we may share relevant clinical information with other healthcare providers involved in your treatment or care coordination.


We do not sell, rent, or trade your personal information to any third party for marketing or commercial purposes.


------------------------------------------------------------------------


5. HOW WE USE YOUR DATA


We use your data in the following ways:


- To provide, manage, and improve the clinical services described above.

- To personalize treatment plans using evidence-based and trauma-informed approaches.

- To track treatment progress using measure-based outcomes.

- To process payments, verify insurance coverage, and manage billing.

- To communicate with you about your care, appointments, and practice updates.

- To comply with all applicable federal and state laws, licensing requirements, and professional ethical standards.

- To analyze and improve our website's functionality, content, and user experience.

- To respond to legal obligations, including mandated reporting, court orders, and regulatory requests.

- To provide documentation required for immigration proceedings, impaired driving compliance, or ESA housing accommodations when applicable.


------------------------------------------------------------------------


6. HOW LONG WE RETAIN YOUR DATA


We retain your personal and clinical information in accordance with applicable federal and state laws and professional standards:


- Clinical and Health Records: In accordance with New York State law and professional guidelines, clinical records for adult clients are retained for a minimum of six (6) years following the last date of service, or longer as required by applicable state law in the jurisdiction where services were provided. Records related to minor clients are retained for at least six (6) years after the client reaches the age of 18, or longer as required by law.


- OASAS and Impaired Driving Records: Records related to impaired driving screenings and assessments are retained in compliance with OASAS regulations and DMV requirements, typically for a minimum of six (6) years.


- Immigration Evaluation Records: Evaluation reports and supporting clinical documentation are retained for a minimum of seven (7) years or as required by applicable regulations.


- Billing and Financial Records: Payment records, insurance claims, and superbills are retained for a minimum of seven (7) years for tax and audit compliance purposes.


- Website and Analytics Data: Non-identifiable website usage data is retained for as long as necessary to analyze trends and improve the website, and may be deleted or anonymized periodically.


- Communication Records: Emails, contact form submissions, and other correspondence are retained as long as necessary for the purpose for which they were collected and in compliance with applicable retention requirements.


When records are no longer required to be retained, they are securely destroyed. Electronic records are permanently deleted using secure data destruction methods, and any paper records (if applicable) are shredded.


------------------------------------------------------------------------


7. HOW WE PROTECT YOUR INFORMATION


We take the security of your information seriously and implement the following safeguards:


- Encryption: All data transmitted through our website, telehealth platforms, and EMR systems is encrypted using industry-standard encryption protocols (such as SSL/TLS).


- HIPAA-Compliant Platforms: We use HIPAA-compliant telehealth, EMR, and scheduling platforms that maintain Business Associate Agreements (BAAs) with our practice.


- Access Controls: Access to client records is restricted to authorized personnel only. Electronic systems require secure login credentials, and access is limited on a need-to-know basis.


- Secure Storage: Client records are stored in secure, password-protected electronic systems with appropriate backup procedures.


- Professional Training: Practice personnel are trained in HIPAA compliance, privacy practices, and data security protocols.


- Device Security: All devices used to access client records are protected with passwords, encryption, automatic screen lock features, and up-to-date security software.


- Secure Communication: We encourage clients to communicate through secure channels. Please be aware that standard email and text messaging may not be fully secure, and clients who choose to communicate via these methods do so with an understanding of the associated risks.


In the Event of a Data Breach:


In the unlikely event of a breach of unsecured Protected Health Information (PHI), Resilient Roots will comply with all applicable breach notification requirements under HIPAA and state law. This includes:


- Notifying affected individuals in writing without unreasonable delay, and no later than 60 days from the date the breach is discovered.

- Providing a description of the breach, the types of information involved, steps individuals can take to protect themselves, and what the practice is doing to investigate and mitigate the breach.

- Notifying the U.S. Department of Health and Human Services (HHS) as required.

- If the breach affects 500 or more individuals, notifying prominent media outlets in the affected area as required by HIPAA.

- Notifying the New York State Attorney General and other applicable state regulators as required by state breach notification laws.


------------------------------------------------------------------------


8. YOUR RIGHTS


As a client of Resilient Roots, you have the following rights regarding your personal and health information:


- Right to Access: You have the right to request access to your clinical records and personal information. Requests should be submitted in writing to connect@resilientroots-pllc.com or by calling (516) 404-9884.


- Right to Amend: You have the right to request corrections or amendments to your health records if you believe any information is inaccurate or incomplete. We will respond to amendment requests within 60 days. We may deny an amendment request under certain circumstances as permitted by HIPAA, and if so, we will provide you with a written explanation.


- Right to Restrict: You have the right to request restrictions on how your health information is used or disclosed. While we will consider all reasonable requests, we are not required to agree to all restrictions, except in cases where you have paid for services out of pocket in full and request that information not be shared with your insurance provider.


- Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures of your PHI that we have made, excluding disclosures for treatment, payment, and healthcare operations, and certain other exceptions permitted under HIPAA.


- Right to Request Confidential Communications: You have the right to request that we communicate with you in a specific way or at a specific location. For example, you may request that we contact you only by email or at a specific phone number.


- Right to a Copy of This Privacy Policy: You have the right to obtain a copy of this Privacy Policy at any time by requesting one from our office or downloading it from our website.


- Right to Revoke Authorization: If you have provided written authorization for us to use or disclose your information for purposes beyond treatment, payment, and healthcare operations, you have the right to revoke that authorization in writing at any time. Revocation does not apply to information already used or disclosed based on the original authorization.


- Right to File a Complaint: If you believe your privacy rights have been violated, you have the right to file a complaint with our practice and/or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.


To exercise any of these rights, please contact:


Resilient Roots, PLLC

Tricia McCloskey, LCSW, M-CASAC, MCPC (Privacy Officer)

Email: connect@resilientroots-pllc.com

Phone: (516) 404-9884


------------------------------------------------------------------------


9. COOKIES AND TRACKING TECHNOLOGIES


Our website (www.resilientroots-pllc.com) uses cookies and similar tracking technologies to improve your browsing experience and help us understand how visitors use our site.


What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help the site remember your preferences and understand how you interact with the content.


Types of Cookies We May Use:


- Essential Cookies: These are necessary for the website to function properly, including navigation, form submissions, and security features.


- Analytics Cookies: We may use third-party analytics tools (such as Google Analytics or similar services provided through our website hosting platform) to collect anonymized data about how visitors use our site. This includes pages visited, time spent on pages, referring sources, and general geographic location. This data helps us improve the content and functionality of our website.


- Third-Party Cookies: Some features on our website, such as embedded scheduling tools (TherapyPortal) or social media links, may place their own cookies on your device. These cookies are subject to the privacy policies of the respective third-party providers.


Managing Cookies:

You can manage or disable cookies through your web browser settings. Most browsers allow you to block all cookies, accept all cookies, or notify you when a cookie is being set. Please note that disabling cookies may affect the functionality of some parts of our website.


We Do Not:

- Use cookies to collect Protected Health Information (PHI).

- Use targeted advertising cookies or sell cookie data to third parties.

- Track your activity across other websites for advertising purposes.


------------------------------------------------------------------------


10. WEBSITE ACCESSIBILITY (USERWAY)


Resilient Roots is committed to ensuring that our website is accessible to all visitors, including individuals with disabilities. To support this commitment, we use the Accessibility Widget by UserWay.


What UserWay Provides:

The UserWay Accessibility Widget enhances the browsing experience for users with diverse needs by providing a range of customizable accessibility features, including:


- Screen reader compatibility and optimization

- Keyboard navigation support

- Text size adjustment and resizing

- Color contrast adjustments (including high contrast, dark contrast, and light contrast modes)

- Highlight links for easier identification

- Text spacing adjustment for improved readability

- Pause or stop animations

- Cursor enlargement options

- Reading guide or reading mask tools

- Dyslexia-friendly font options

- Tooltip display on hover

- Page structure and heading navigation


The UserWay widget appears as an accessibility icon on our website. Clicking it opens a menu of accessibility features that you can customize to suit your needs. You may reset your accessibility preferences at any time.


UserWay and Your Privacy:

UserWay is designed as a privacy-by-design service. The UserWay Accessibility Widget does not collect any personal information from users interacting with the widget. No personally identifiable information is gathered, stored, or shared through the use of the accessibility features. For more information about UserWay's privacy practices, you may visit UserWay's privacy page at https://userway.org/privacy/.


Compliance:

The UserWay widget supports compliance with the Americans with Disabilities Act (ADA), Section 508 of the Rehabilitation Act, and Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards. If you experience any accessibility issues on our website, please contact us at connect@resilientroots-pllc.com or (516) 404-9884 so we can address the issue promptly.


------------------------------------------------------------------------


11. NOTICE OF PRIVACY PRACTICES (HIPAA)


This section serves as our Notice of Privacy Practices as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act.


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


Our Legal Duty:

We are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with notice of our legal duties and privacy practices with respect to PHI, and follow the terms of the notice that is currently in effect.


How We May Use and Disclose Your Protected Health Information:


(a) For Treatment: We may use or disclose your PHI to provide, manage, or coordinate your mental health care. For example, we may share information with another healthcare provider involved in your treatment with your authorization.


(b) For Payment: We may use or disclose your PHI for billing and payment purposes, including submitting claims to your insurance company, verifying coverage, or collecting amounts owed.


(c) For Healthcare Operations: We may use or disclose your PHI for activities related to the operation of our practice, including quality improvement, training, compliance, and administrative functions.


(d) As Required by Law: We may disclose your PHI when required to do so by federal, state, or local law, including mandated reporting obligations (such as suspected child abuse or neglect, elder abuse, or threats of harm to self or others).


(e) Public Health and Safety: We may disclose your PHI to public health authorities for purposes such as preventing or controlling disease, injury, or disability, or to appropriate authorities when there is a serious threat to health or safety.


(f) Judicial and Administrative Proceedings: We may disclose your PHI in response to a court order, subpoena, or other lawful process.


(g) Law Enforcement: We may disclose your PHI to law enforcement officials under certain limited circumstances as permitted or required by law.


(h) Workers' Compensation: We may disclose your PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation programs.


(i) Specialized Government Functions: We may disclose your PHI for military, national security, or intelligence purposes when required by law.


Uses and Disclosures Requiring Your Written Authorization:

Other uses and disclosures of your PHI not described above will be made only with your written authorization. This includes, but is not limited to:

- Marketing communications (we do not use your PHI for marketing without your authorization)

- Sale of your PHI (we never sell your PHI)

- Psychotherapy notes (special protections apply under HIPAA; psychotherapy notes will not be disclosed without your specific written authorization except where required by law)


You may revoke any written authorization at any time by submitting a written request to our office. Revocation will not affect any disclosures already made in reliance on the prior authorization.


For more information or to file a complaint about privacy practices, you may contact:


U.S. Department of Health and Human Services

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

Phone: 1-877-696-6775


------------------------------------------------------------------------


12. STATE-SPECIFIC PRIVACY NOTICES


Because Resilient Roots provides services across multiple states, the following additional provisions may apply depending on your state of residence:


New York: The New York State Information Security Breach and Notification Act requires notification to affected individuals and the New York Attorney General in the event of a data breach involving private information. Our practice complies with all applicable New York State privacy and health information laws.


New Jersey: Under the New Jersey Identity Theft Prevention Act, we will notify New Jersey residents of any data breach involving their personal information as required by law.


Florida: Florida's Information Protection Act requires timely notification of data breaches to affected individuals and the Florida Department of Legal Affairs.


Texas: The Texas Medical Records Privacy Act provides additional protections for health information. We comply with all applicable Texas privacy requirements.


Other States: We comply with the privacy and data breach notification laws of all states in which we are licensed and provide services, including Maine, Indiana, Idaho, Vermont, South Carolina, West Virginia, Delaware, Utah, and Ohio.


If you have questions about how the laws in your specific state apply to your information, please contact us.


------------------------------------------------------------------------


13. SOCIAL MEDIA AND EXTERNAL LINKS


Our website may contain links to external websites, resources, social media platforms, or third-party tools. These external sites operate under their own privacy policies, and Resilient Roots is not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party websites you visit.


Regarding social media:

- We do not provide clinical advice, therapy, or counseling through social media platforms.

- We will not acknowledge or confirm that you are a client through any public social media interaction.

- We recommend that clients do not contact us through social media for privacy reasons.

- Any interaction you initiate with our practice on social media is at your own risk regarding confidentiality.


------------------------------------------------------------------------


14. MINORS


Resilient Roots' services are designed for adults. We do not knowingly collect personal information from individuals under the age of 18 without appropriate parental or guardian consent as required by law. If we discover that we have inadvertently collected personal information from a minor without proper consent, we will take steps to delete that information promptly.


------------------------------------------------------------------------


15. TELEHEALTH AND VIRTUAL SERVICES DISCLAIMER


All services offered by Resilient Roots are provided virtually through secure, HIPAA-compliant platforms. By participating in telehealth services, you acknowledge and understand that:


- Virtual sessions involve the use of electronic communications, including video conferencing, which carry inherent risks related to technology, including potential disruptions or unauthorized access despite our best security efforts.

- You are responsible for ensuring that you are in a private, safe, and confidential location during your sessions.

- Telehealth services may not be appropriate for all clinical situations. If an in-person level of care is needed, we will provide appropriate referrals.

- The practice complies with all applicable state telehealth laws and regulations in the states where services are provided.


------------------------------------------------------------------------


16. CONTACT INFORMATION FOR PRIVACY CONCERNS


If you have any questions, concerns, or requests related to this Privacy Policy, your personal information, or your privacy rights, please contact:


Resilient Roots, PLLC

Attn: Tricia McCloskey, LCSW, M-CASAC, MCPC (Privacy Officer)

Email: connect@resilientroots-pllc.com

Phone: (516) 404-9884

Website: www.resilientroots-pllc.com


To file a HIPAA complaint with the federal government:


U.S. Department of Health and Human Services

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

Toll-Free: 1-877-696-6775


------------------------------------------------------------------------


17. UPDATES TO THIS PRIVACY POLICY


We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or regulatory guidance. When we make changes:


- The updated policy will be posted on our website at www.resilientroots-pllc.com with a revised "Last Updated" date.

- For material changes that significantly affect how we handle your personal or health information, we will make reasonable efforts to notify you directly (such as via email or a notice on our website) before the changes take effect.

- We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

- Your continued use of our website or services after any changes to this policy constitutes your acknowledgment of the updated terms.


------------------------------------------------------------------------


18. CONSENT


By using our website, submitting information through our contact forms, scheduling appointments, or engaging in any of our services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. Where required by law, we will obtain your specific written consent before using or disclosing your information for purposes not covered by this policy.


------------------------------------------------------------------------


This Privacy Policy is effective as of February 17, 2026.


Resilient Roots, PLLC

Tricia McCloskey, LCSW, M-CASAC, MCPC

connect@resilientroots-pllc.com

(516) 404-9884

www.resilientroots-pllc.com