GRIT THERAPY, PLLC
100 N HOWARD ST #4719 Spokane, WA 99201
(253) 785-2681
Consumer Health Data Privacy Policy
Notice Required by Washington State Law
The Washington My Health My Data Act (RCW 19.373)
THIS CONSUMER HEALTH DATA PRIVACY POLICY IS PROVIDED IN ACCORDANCE WITH THE WASHINGTON MY HEALTH MY DATA ACT (RCW 19.373). IT APPLIES TO WASHINGTON RESIDENTS WHOSE CONSUMER HEALTH DATA GRIT THERAPY, PLLC COLLECTS, USES, AND SHARES. THIS POLICY IS SEPARATE FROM AND IN ADDITION TO OUR HIPAA NOTICE OF PRIVACY PRACTICES.
GRIT THERAPY, PLLC (“WE,” “OUR,” OR “US”) IS COMMITTED TO PROTECTING YOUR PRIVACY AND MAINTAINING THE CONFIDENTIALITY OF YOUR PERSONAL AND HEALTH INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.
EFFECTIVE DATE OF THIS NOTICE
This notice went into effect on 5 APRIL 2025
I. CATEGORIES OF CONSUMER HEALTH DATA WE COLLECT
We may collect the following categories of Consumer Health Data:
1. Mental & Behavioral Health Information
● Mental health symptoms, diagnoses, and treatment history
● Therapy session content, progress notes, and treatment plans
● Trauma history and psychosocial assessments
● Crisis-related information and safety planning
2. Personal Health Information
● Past, present, and future mental and behavioral health status
● Medications (if disclosed)
● Functional impairments and wellness goals
3. Identity & Demographic Information (when voluntarily disclosed)
● Gender identity and expression
● Military affiliation (e.g., service member, veteran, spouse)
● Experiences related to trauma, identity, or systemic stressors
4. Digital & Service Use Data
● Appointment scheduling and participation in telehealth
● Secure messages, emails, and communications
● Information submitted through intake forms and client portals
5. Location & Contact Data
● Contact information (name, phone, email, address)
● Limited location data inferred through service use (e.g., telehealth participation)
II. PURPOSES FOR COLLECTING CONSUMER HEALTH DATA
We collect Consumer Health Data only as necessary to:
1. Provide Clinical Services
● Conduct assessments and deliver therapy
● Develop and implement treatment plans
● Provide crisis support and safety planning
2. Practice Operations
● Schedule and manage appointments
● Maintain clinical documentation
● Process payments (private pay only)
● Comply with legal, ethical, and licensing requirements
3. Communication
● Provide secure client communication
● Send appointment reminders and updates
● Share resources relevant to your care
We do not collect or use Consumer Health Data for advertising or data monetization.
III. SOURCES OF CONSUMER HEALTH DATA
We collect data from:
1. Directly from you
● Information shared during intake or on intake and assessment forms
● Data and information shared during sessions (telehealth)
● Communications through secure messaging, email, and text messaging
● Information provided during phone consultations
2. Authorized third parties
● Health care providers, including previous providers, referral information from other providers, and medical records relevant to your mental health care (with your consent)
● Information provided by family members or partners (with your consent)
● Collateral information for the purpose of treatment (when authorized)
3. Technology platforms used to access and deliver care
● Data and information collected through our HIPAA-compliant EHR and telehealth platform
● Website usage information when you research our services
● Online scheduling and appointment management systems
IV. CATEGORIES OF CONSUMER HEALTH DATA WE SHARE
We share Consumer Health Data only when necessary and limited to:
1. Clinical & Legal Requirements
● Mandatory reporting (e.g., abuse, harm to self/others)
● Court orders or legal obligations
2. Care Coordination (with consent)
● Other healthcare providers involved in your care
3. Emergency Situations
● When necessary to prevent serious harm
We do not sell Consumer Health Data under any circumstances.
V. THIRD PARTIES AND SERVICE PROVIDERS
We use HIPAA-compliant, privacy-focused platforms to support care delivery. These may include:
1. Practice Management & EHR
● SimplePractice (scheduling, documentation, client portal, telehealth)
2. Secure Communication
● Spruce Health (HIPAA-compliant messaging, phone, and communication)
3. Payment Processing
● Secure third-party payment processors integrated with EHR systems
4. Other Potential Services
● Email or administrative tools used in a HIPAA-compliant manner
● Secure data storage and backup systems
These providers are contractually required to safeguard your information and may only use it to provide services on our behalf.
VI. YOUR RIGHTS UNDER WASHINGTON STATE LAW
You have the right to:
● Confirm whether we collect or share your Consumer Health Data
● Access your data
● Request deletion (subject to legal/clinical record requirements)
○ Deletion. Upon your request for deletion:
■ Data will be deleted from active systems
■ Third parties will be notified
■ Backup deletion may take up to 6 months
Some records may be retained if legally required.
● Withdraw consent for collection or sharing
● Receive a list of third parties with whom data has been shared
● Appeal a denied request
● Be free from discrimination for exercising your rights
VII. CONSENT
1. Collection Consent
● We obtain your affirmative, opt-in consent before collecting Consumer Health Data.
2. Sharing Consent
● We obtain separate consent before sharing your data unless legally required.
3. Withdrawal
● You may withdraw consent at any time. This does not affect data already lawfully collected.
VIII. HOW TO EXERCISE YOUR RIGHTS
1. For questions about this Privacy Policy or to exercise your rights, contact:
GRIT Therapy, PLLC
Kyia Costanzo, LSWAIC
Email: Kyia@thegrittherapist.com
Phone: (253) 785-2681
Mailing Address: PO Box 307, Gig Harbor, WA 98335
● To process your request, please provide:
○ Your full name and contact information (we may request additional identity verification before processing your request)
○ Type of request (access, deletion, withdrawal, etc.)
○ Specific data and/or time period
● Response Timeline:
○ Initial response within 45 days of receiving your request
○ Possible extension of an additional 45 days, depending on request complexity. You will be notified before the extension period begins.
2. For complaints. If you believe your rights under the Washington My Health My Data Act have been violated, you may file a complaint with:
Washington State Attorney General Consumer Protection Division
Address: 800 5th Avenue, Suite 2000, Seattle, WA 98104
Phone: 1-800-551-4636 Website: www.atg.wa.gov
You will not be retaliated against for filing a complaint.
IX. DATA SECURITY PRACTICES
We implement strong safeguards, including
1. Retention
● We retain records in accordance with Washington State law and professional standards.
2. Administrative
● Limited access based on role
● Ongoing privacy and security training
● Written policies and procedures
3. Technical
● Encryption in transit and at rest
● Secure, HIPAA-compliant platforms
● Multi-factor authentication
4. Physical
● Secure storage of any physical records
● Controlled device access
● Secure disposal practices
X. GEOFENCING
In accordance with Washington State restrictions on geofencing:
● We do not use geofencing near healthcare facilities
● We do not track individuals seeking care based on location
● We do not send location-based advertising
XI. UPDATES TO THIS POLICY
We may update this Policy periodically. Updates will be posted to our website with a revised effective date. Notable changes may require new consent for continued data collection. Changes to this policy do not diminish your rights under Washington State law.
XIII. RELATIONSHIP TO OTHER POLICIES
This Policy supplements:
● HIPAA Notice of Privacy Practices
● Website Privacy Policy
● Informed Consent Documents
When policies differ, the most protective standard applies.
This policy complies with the Washington My Health My Data Act (RCW 19.373), effective April 5, 2026.