Privacy Policy & Notice of Privacy Practices

Effective Date: October 14, 2025

1. Introduction

Welcome to Holley Psychological Services, PLLC.

We respect your privacy and are committed to protecting the confidentiality and security of your personal and health information.

This notice explains how we collect, use, disclose, and safeguard information through our website, contact forms, and therapy services, and describes your rights regarding your protected health information (PHI).

We comply with:

  • The Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 & 164

  • New York State Mental Hygiene Law §§ 33.13 & 18 (confidentiality and access to records)

  • NYS Education Department Regulations (8 NYCRR § 29.2) (record-keeping requirements)

  • Other applicable federal and state laws

  • Squarespace’s standard hosting and cookie practices

2. Information We Collect

a) Website & Cookies

Our site is hosted by Squarespace, which automatically collects limited technical data (browser type, device, IP address, pages visited) via cookies and similar tools.

These cookies help the website function properly and maintain security.

We do not use cookies for advertising or sell any personal data.

Data collected by Squarespace is handled under its own privacy policy and is never linked to therapy or health records.

Note: Squarespace is not a HIPAA-compliant service. This website is for informational purposes only and should not be used to transmit sensitive health information.

b) Contact Forms & Email Communications

If you submit a contact form, you may provide your name, email address, phone number, and any message you choose to share.

This information is sent to a HIPAA-compliant email account and used only to respond to your inquiry.

c) Protected Health Information (PHI)

If you become a client, we collect PHI necessary to provide treatment—such as history, diagnosis, treatment plans, progress notes, and billing information.

3. How We Use Your Information

  • To respond to inquiries and schedule appointments

  • To provide psychotherapy and mental health treatment

  • For payment and billing purposes

  • For health-care operations (e.g., case management, quality assurance, record keeping)

  • To maintain and secure our website (via Squarespace analytics)

4. Disclosure and Sharing of Information

  • With Your Consent: Any disclosure beyond treatment, payment, or health-care operations requires your written authorization.

  • As Required by Law: Information may be disclosed to comply with laws related to child or elder abuse, risk of harm to self or others, court orders, public-health reporting, or New York Mental Hygiene Law.

  • Business Associates: Third-party vendors (such as billing or secure email services) access PHI only under Business Associate Agreements requiring HIPAA compliance.

5. Data Security

We use administrative, technical, and physical safeguards to protect your information, including:

  • Encrypted, HIPAA-compliant email

  • Password-protected and encrypted devices

  • Limited access to records only for authorized purposes

6. Your Rights Regarding Your Health Information

Under HIPAA and New York law, you have the right to:

  • Inspect and Copy your PHI

  • Request Amendments to correct or complete information

  • Request Restrictions on certain uses or disclosures

  • Receive Confidential Communications at alternative locations or by alternative methods

  • Request an Accounting of Disclosures of your PHI

  • Obtain a Paper Copy of this Notice

Right to Deletion (Personal Information, not PHI)

You may request deletion of personal information we hold that is unrelated to treatment records (e.g., website form data or cookie logs).

Upon a verifiable request, we will:

1. Delete your personal information from our records; and

2. Direct service providers (such as Squarespace) to delete it from theirs.

Please note: As a licensed psychologist in New York, I am legally required to retain treatment records for at least seven years after the last date of service, or until one year after a minor client reaches age 21 — whichever is longer. Therefore, PHI and treatment records cannot always be deleted upon request.

Deletion requests may also be declined if the information is needed to:

  • Detect or prevent security incidents, fraud, or illegal activity

  • Debug or repair website functionality

  • Comply with legal obligations

  • Protect PHI under HIPAA and New York confidentiality laws

Outside these exceptions, we will honor deletion requests for non-essential personal data.

7. Contact Form & Email Disclaimer

The contact form is for general inquiries only and does not establish a therapist–client relationship.

Please avoid sharing detailed clinical information through email or the form. While emails are encrypted, no electronic communication is 100% secure.

If you are in crisis, call 911 or go to the nearest emergency department.

8. Retention of Records

  • Treatment records are maintained for the minimum period required by New York law and HIPAA — at least seven years after the last date of service (or until one year after a minor client reaches age 21, whichever is longer).

  • Contact-form submissions and non-clinical communications are kept only as needed and then securely deleted.

9. Breach Notification Plan

In accordance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) and New York’s SHIELD Act (N.Y. Gen. Bus. Law § 899-bb):

  • Risk Assessment: Any suspected incident will be evaluated to determine if PHI was compromised.

  • Notification Timeline: Affected individuals will be notified without unreasonable delay and no later than 60 days after discovery.

  • Method: Notices will be sent by mail (or email if agreed in advance). If contact information is insufficient, a substitute notice (e.g., website posting or media announcement) may be used.

  • Content: Notices will include what happened, types of PHI involved, steps to protect yourself, our response, and contact information.

  • Regulator Notification: HHS and local media will be notified if a breach affects 500 or more individuals. For fewer than 500, HHS notification will occur annually.

  • Business Associates: All vendors are contractually required to report breaches promptly.

10. Changes to This Policy

We may revise this policy at any time. Updates will be posted on this website with a new effective date.

11. Miscellaneous

All uses and disclosures of PHI follow the HIPAA minimum necessary rule. If any portion of this policy is invalidated, the remaining sections will continue to apply.

12. Contact Information

For questions, requests, or concerns about your privacy rights:

Caitlin Holley, Ph.D.

Holley Psychological Services, PLLC

Email: drcaitlinholley@gmail.com