Soma Roots Therapy Privacy Policy 

Click here for a PDF version

Last Updated: February 28, 2026 

Welcome to Soma Roots Therapy. Your privacy matters to us—not just because the law says so (though it does), but because trust is the foundation of good therapy. This Privacy Policy explains how we collect, use, protect, and respect your personal information and protected health information (PHI) when you visit our website, contact us, or receive clinical services from us. 

By using our website or engaging in services with Soma Roots Therapy, you acknowledge that you've read and understood this Privacy Policy. If something doesn't make sense or feels unclear, please ask—we're happy to explain. 

1. Who We Are and What This Policy Covers 

Soma Roots Therapy is a mental health practice located in Camas, WA, providing psychotherapy and related behavioral health services to clients in multiple states. 

This Privacy Policy applies to: 

  • Information collected through our website and online forms  

  • Information you provide by phone, email, text (SMS), or other electronic communication  

  • Information created or received in connection with your care and treatment as a client 

We are a covered entity under: 

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)  

  • Applicable state privacy laws  

  • The Oregon Consumer Privacy Act (OCPA), as applicable  

  • Other applicable federal and state privacy and security regulations 

Where state law offers greater privacy protections than federal law, we follow the more protective standard. 

2. Types of Information We Collect 

We collect information in three main categories: 

A. Personally Identifiable Information (PII) 

Information you voluntarily provide, such as: 

  • Name, mailing address, phone number, and email address  

  • Demographic details (for example, age range, pronouns, preferred language) when you choose to share them  

  • Insurance information, if applicable  

  • Emergency contact information 

B. Protected Health Information (PHI) 

Information related to your mental and physical health, including: 

  • Information about your symptoms, history, diagnoses, and treatment plans  

  • Session notes, clinical assessments, and treatment progress  

  • Billing and payment information tied to your care  

  • Communications with other healthcare providers involved in your care (with your authorization)  

  • Referral information and coordination of care documentation 

C. Website Usage and Technical Data 

Information automatically collected when you visit our website, which may include: 

  • IP address, browser type, device identifiers, and operating system  

  • Pages visited, date and time of visits, and referral URLs  

  • Cookies or similar technologies (see Section 10 for more details) 

How we collect information: 

  • Directly from you during intake, sessions, or through forms and communications  

  • From your authorized representative (such as a parent, guardian, or legal representative)  

  • From other healthcare providers, insurers, or health information exchanges involved in your care, as permitted by law and with appropriate authorization 

3. How We Use Your Information 

A. Uses of PHI for Treatment, Payment, and Health Care Operations 

We may use and disclose your PHI as permitted or required by HIPAA and state law for the following purposes: 

Treatment 

  • To provide, coordinate, or manage your mental health care and related services  

  • To consult with or refer to other healthcare providers involved in your care (with your authorization)  

  • To provide clinical supervision and quality assurance within our practice 

Payment 

  • To bill and collect payment from you, your insurance company, or other responsible parties  

  • To obtain prior authorizations, verify coverage, or respond to insurer requests as allowed by law  

  • To process claims and handle billing inquiries 

Health Care Operations 

  • For practice management, quality assessment, supervision, and training  

  • For auditing, compliance, and licensing activities  

  • For business planning and development  

  • To improve our services and client outcomes 

B. Other Uses and Disclosures Permitted or Required by Law 

We may also use or disclose your information without your written authorization when permitted or required by law, including: 

  • To avert a serious and imminent threat to your health or safety or the health or safety of others, consistent with professional judgment and applicable law  

  • To comply with mandatory reporting obligations, such as suspected child, elder, or dependent adult abuse or neglect  

  • For public health activities, health oversight, or as required by court order, warrant, subpoena, or other lawful process  

  • To coroners, medical examiners, or funeral directors as necessary for them to carry out their duties  

  • For workers' compensation or similar programs, as authorized by and to the extent necessary to comply with applicable law  

  • As otherwise required by federal or state law, including applicable mental health and substance use confidentiality rules 

Important: Where state law or other federal regulations (such as 42 C.F.R. Part 2 for certain substance use disorder services) are more protective of your privacy, we will follow the more protective requirement. 

C. Uses and Disclosures Requiring Your Authorization 

In all other situations not described above, we will ask for your written authorization before using or disclosing your PHI. These include, for example: 

  • Most uses and disclosures of psychotherapy notes (our private process notes, maintained separately from your clinical record)  

  • Release of information to family members, friends, or others not involved in your care (unless you've given us prior authorization or in emergency situations)  

  • Marketing purposes (though we will never use your PHI for marketing)  

  • Sale of PHI (we will never sell your PHI for any reason) 

You may revoke your authorization in writing at any time, except to the extent we have already relied on it. 

4. Your Rights Regarding Your Health Information 

You have several important rights with respect to your PHI, subject to certain legal limits. 

Right to Access and Obtain Copies 

You may request to inspect or obtain a copy of your clinical record and billing information in a designated record set. We may charge a reasonable, cost-based fee as permitted by law (typically covering copying, postage, and preparation time). 

Right to Request Amendments 

If you believe information in your record is inaccurate or incomplete, you may request an amendment. We may deny your request in certain circumstances and will provide a written explanation if we do. 

Right to an Accounting of Disclosures 

You may request a list (accounting) of certain disclosures of your PHI made during a specified period, excluding those for treatment, payment, and health care operations and certain other exceptions. 

Right to Request Restrictions 

You may ask us to limit how we use or disclose your PHI for treatment, payment, or health care operations, or how we disclose information to family members or others involved in your care. We are not required to agree to all requested restrictions, but if we do agree, we will abide by the restriction except in emergencies or as required by law. 

Special rule: If you pay for a service out-of-pocket in full and request that we not disclose information about that service to your health plan, we will honor that request unless we are otherwise required by law to make the disclosure. 

Right to Request Confidential Communications 

You may request that we communicate with you by alternative means or at alternative locations (for example, using a specific phone number, mailing address, or email). We will accommodate reasonable requests. 

Right to a Paper or Electronic Copy of This Notice 

You have the right to obtain a paper or electronic copy of this Privacy Policy and our HIPAA Notice of Privacy Practices upon request. 

Right to Be Notified of a Breach 

If there is a breach of your unsecured protected health information, we will notify you in accordance with applicable federal and state law. 

To exercise any of these rights, please submit a written request to the privacy contact listed in Section 14. 

5. How We Protect Your Information 

We take the security of your information seriously and maintain administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. 

Our safeguards include: 

  • Secure electronic health record systems with role-based access controls and multi-factor authentication  

  • Encryption for data in transit and at rest, where feasible  

  • Regular security risk assessments and updates  

  • Policies and training for staff regarding privacy, security, and confidentiality  

  • Business Associate Agreements with vendors who have access to PHI  

  • Secure disposal of records and devices containing PHI  

  • Physical security measures for our office locations 

Important limitation: Despite our best efforts, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of information transmitted to or from our website or through email or text. If you have concerns about the security of a particular communication method, please discuss alternative options with your clinician. 

6. Breach Notification 

If there is a breach of unsecured protected health information that affects you, we will notify you in accordance with applicable federal and state law. Where a breach impacts a certain number of residents within a state, we may also be required to notify the State Attorney General and/or other regulators, and in some cases, the media. 

7. Email, Texting, Telehealth, and Electronic Communications 

A. General Electronic Communications 

When you contact us by phone, email, text message (SMS), or website form, we use that information only to: 

  • Respond to your inquiry  

  • Schedule services and send appointment reminders  

  • Manage your care and provide clinical services  

  • Handle billing, insurance, or administrative matters 

We will never sell or trade your contact information. 

Important security notice: Email, text, and standard web forms may not be fully secure. We encourage you to share only the minimum information needed to contact you or request an appointment. Please do not use these methods for emergencies or to send highly sensitive clinical details. If you prefer, you may contact us by phone or discuss secure communication options with your clinician. 

B. SMS/Text Messaging and 10DLC Compliance 

We may use text messaging (SMS) to communicate with you about appointment reminders, administrative notices, and care coordination. 

By voluntarily providing your mobile phone number and selecting communication by text, you consent to receive SMS messages from Soma Roots Therapy related to your care, such as: 

  • Appointment confirmations, reminders, and schedule changes  

  • Requests to contact our office  

  • Administrative or billing notices  

  • Brief clinical check-ins as agreed with your clinician 

10DLC Compliance: Soma Roots Therapy complies with 10-Digit Long Code (10DLC) requirements, which means we have registered our business with mobile carriers to ensure legitimate, non-spam text messaging. This registration process requires us to: 

  • Maintain clear descriptions of how we use SMS messaging  

  • Obtain and document your consent before sending you text messages  

  • Provide easy opt-out mechanisms  

  • Follow carrier guidelines for message frequency and content 

Your consent and control: 

  • Message and data rates may apply based on your mobile carrier plan  

  • Message frequency may vary depending on your care needs  

  • Participation in SMS messaging is optional and is not required to receive services  

  • You can opt out of SMS messages at any time by replying STOP to any message we send or by contacting our office  

  • Reply HELP for basic information about our text messages  

  • After you opt out, you may still receive necessary phone calls, postal mail, or secure electronic communications as appropriate 

You may request alternative communication methods as described in Section 4. 

C. Telehealth Services 

We provide telehealth services using HIPAA-compliant platforms (such as Zoom for Healthcare or other approved secure video platforms). We will inform you of any telehealth-specific privacy and security measures before your first telehealth session. 

By initiating electronic communication, you may be consenting to receive responses through the same channel, unless you request otherwise. 

8. Third-Party Service Providers and Business Associates 

We may engage third-party vendors to perform services on our behalf, such as: 

  • Electronic health record (EHR) providers  

  • Billing and insurance claims services  

  • Secure messaging and telehealth platforms  

  • Website hosting and analytics providers  

  • IT support and security services  

  • Practice management software 

Where these vendors have access to PHI, we enter into Business Associate Agreements requiring them to safeguard your information in accordance with HIPAA and applicable state law. 

We do not sell your information to third-party vendors. We only share information as necessary to provide services, comply with legal obligations, or with your explicit authorization. No mobile information will be shared with third parties/affiliates for marketing/promotion purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.  

9. Consultation Within Soma Roots Therapy 

Soma Roots Therapy is a group practice. Your clinician may consult with other clinicians within our practice for purposes of: 

  • Clinical supervision and quality assurance  

  • Case consultation and peer support  

  • Coverage during absences or emergencies  

  • Training and professional development 

Such consultations remain confidential within Soma Roots Therapy and are conducted in accordance with professional standards and applicable law. If you have concerns about internal consultation, please discuss them with your clinician. 

10. Website, Cookies, and Analytics 

Our website may use cookies, pixels, or similar technologies to: 

  • Understand how visitors use the site  

  • Improve website performance and user experience  

  • Remember certain preferences or form entries  

  • Provide basic analytics about site traffic 

You can control or disable cookies through your browser settings; however, some website features may not function properly if cookies are disabled. 

We do not knowingly use our website to collect or disclose PHI for marketing purposes. Website analytics are used solely for improving user experience and site functionality. 

11. Children’s Privacy 

Our services are intended primarily for adults and, where appropriate, minors receiving mental health treatment with proper consent under state law. 

We do not knowingly collect personal information online from children under the age of 13 (or 14 in the state of Oregon) without appropriate parental or guardian consent. If you believe we have collected information from a child under 13 (or 14 in the state of Oregon) without proper consent, please contact us immediately so that we can take appropriate steps. 

For minors aged 13–17: Oregon and Washington law provide certain privacy rights to minors receiving mental health treatment. We will discuss confidentiality and parental involvement with minors and their families as appropriate during the informed consent process. 

12. Oregon and Washington State-Specific Privacy Rights 

Oregon Consumer Privacy Act (OCPA) 

Under the Oregon Consumer Privacy Act, which took effect July 1, 2024 (with additional provisions effective January 1, 2026), Oregon residents have certain rights regarding their personal data, including: 

  • Right to know what personal data is being collected  

  • Right to access personal data we maintain about you  

  • Right to correct inaccurate personal data  

  • Right to delete personal data under certain circumstances  

  • Right to opt out of the sale of personal data (we do not sell personal data)  

  • Right to opt out of targeted advertising (we do not engage in targeted advertising)  

  • Right to data portability in certain circumstances 

Special protections for minors: We do not sell personal data of consumers under 16 years of age (or any age). 

**Precise geolocation ** We do not sell precise geolocation data (data that shows, within a 1,750-foot radius, where a person or their device is or has been). 

Note: Health information covered by HIPAA is generally exempt from OCPA. However, we are committed to transparency and will honor reasonable privacy requests consistent with both HIPAA and OCPA where applicable. 

Washington State Privacy Rights 

Washington consumers have privacy rights under various state laws, including protections for health information, biometric data, and communications privacy. We comply with all applicable Washington state privacy requirements. 

Civil Commitment and Involuntary Treatment 

Oregon and Washington law provide specific procedures and protections related to civil commitment and involuntary mental health treatment. If circumstances arise where civil commitment proceedings may be initiated, we will follow all applicable legal requirements and inform you of your rights. 

13. Changes to This Privacy Policy 

We reserve the right to change this Privacy Policy and our HIPAA Notice of Privacy Practices at any time, as permitted by law. When we make material changes, we will: 

  • Update the “Last Updated” date at the top of this page  

  • Post the revised policy on our website  

  • Where required by law, provide you with a revised notice at your next appointment or by other appropriate means (such as email or postal mail) 

The revised policy will apply to all information we maintain, including information created or received before the changes were made. 

14. Contact Information and How to File a Complaint 

We restrict access to your information to staff and service providers who need it to support your care and practice operations, and we require them to follow privacy and confidentiality standards. 

For questions, concerns, or to exercise your privacy rights, contact: 

Soma Roots Therapy 
327 NE 5th Ave, Suite B 
Camas, WA 98607 
(360) 218-5040 
info@somarootstherapy.com 
www.somarootstherapy.com  

If you believe your privacy rights have been violated, you have the right to file a complaint with: 

Soma Roots Therapy directly (using the contact information above) 

U.S. Department of Health and Human Services, Office for Civil Rights 
https://www.hhs.gov/ocr/complaints/index.html 
Phone: 1-800-368-1019 
TDD: 1-800-537-7697  

Oregon Attorney General’s Office (for OCPA-related complaints) 
https://www.doj.state.or.us/consumer-protection/ 
(971) 673-1880  

Washington State Attorney General’s Office 
https://www.atg.wa.gov/file-complaint 
1-800-551-4636  

We will not retaliate against you in any way for filing a complaint. Your decision to file a complaint will not affect your care or services. 

15. Effective Date and Acknowledgment 

This Privacy Policy is effective as of February 28, 2026

By using our website, contacting us, or receiving services from Soma Roots Therapy, you acknowledge that you have read, understood, and agreed to this Privacy Policy. 

Questions? We’re here to help. If anything in this policy is unclear, or if you’d like to discuss your privacy rights or our practices in more detail, please don’t hesitate to reach out. Privacy isn’t just about compliance—it’s about trust, and we take that seriously. 

Thank you for trusting Soma Roots Therapy with your care.