Privacy and HIPAA on Monkey Mind

What HIPAA is, how Monkey Mind protects your health information, what your rights are, and who to contact with concerns.

Monkey Mind handles sensitive mental-health information. This article explains how we protect that information, what your rights are as a user, and what you should know before using the platform.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act) is the US law that governs how health information is stored, transmitted, and accessed. It was written for traditional healthcare providers, but it applies to any platform — including Monkey Mind — that stores or moves information that identifies a person and is related to their physical or mental health. This kind of information is called Protected Health Information, or PHI.

Examples of PHI on Monkey Mind:

  • Your name and contact details tied to your mental-health provider relationship
  • Your session history (dates, provider, session type)
  • Messages you exchange with your provider
  • Any clinical notes your provider writes
  • The goals and tags your provider attaches to your profile

What we do to protect your information

1. Encryption in transit and at rest

  • Every connection to Monkey Mind uses TLS (HTTPS). Information traveling between your device and our servers is encrypted and cannot be read by a bystander on your network.
  • Message content stored in our database is additionally encrypted at rest with a key held separately from the database. Even a direct database compromise would not expose message bodies in plaintext.

2. Access controls on every table

Every table that contains PHI has row-level security enforced at the database layer — not just in our application code. A user querying the database can only see rows they are specifically authorized to see:

  • Clients see their own bookings, their own messages, their own consents.
  • Providers see only the clients who have booked with them.
  • Organization admins see aggregate data about their members (session dates, provider names) but never clinical content (notes, messages).
  • Platform admins can see data for support and audit purposes, and every admin access is logged.
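The access rules in this list are the kind of thing a database can enforce on its own. As an added illustration (not Monkey Mind's actual schema or code), the PostgreSQL snippet below expresses them as row-level security policies: the table and column names, the `app.current_user_id` session setting, and the helper functions are all assumptions made for this example.

```sql
-- Added example only; table, column and setting names are assumed, not Monkey Mind's own.
-- The application sets the caller's identity per transaction, e.g.
--   SET LOCAL app.current_user_id = '42';
-- and every policy below reads it through app_user_id().

CREATE TABLE users (
  id     bigint PRIMARY KEY,
  role   text NOT NULL CHECK (role IN ('client', 'provider', 'org_admin', 'platform_admin')),
  org_id bigint
);

CREATE TABLE bookings (
  id          bigint PRIMARY KEY,
  client_id   bigint NOT NULL REFERENCES users(id),
  provider_id bigint NOT NULL REFERENCES users(id),
  starts_at   timestamptz NOT NULL
);

CREATE TABLE clinical_notes (
  id          bigint PRIMARY KEY,
  booking_id  bigint NOT NULL REFERENCES bookings(id),
  author_id   bigint NOT NULL REFERENCES users(id),  -- the provider who wrote the note
  body_cipher bytea  NOT NULL                        -- note body, encrypted with a key held outside the DB
);

-- missing_ok = true: an unset identity yields NULL, so every policy evaluates to
-- "no rows" instead of raising an error.
CREATE FUNCTION app_user_id() RETURNS bigint
  LANGUAGE sql STABLE
  AS $$ SELECT current_setting('app.current_user_id', true)::bigint $$;

CREATE FUNCTION app_user_role() RETURNS text
  LANGUAGE sql STABLE
  AS $$ SELECT role FROM users WHERE id = app_user_id() $$;

ALTER TABLE bookings       ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinical_notes ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policies apply to the table owner as well, so no
-- application code path sees unfiltered rows.
ALTER TABLE bookings       FORCE ROW LEVEL SECURITY;
ALTER TABLE clinical_notes FORCE ROW LEVEL SECURITY;

-- Clients: only their own bookings.
CREATE POLICY bookings_client ON bookings FOR SELECT
  USING (client_id = app_user_id());

-- Providers: only bookings made with them.
CREATE POLICY bookings_provider ON bookings FOR SELECT
  USING (provider_id = app_user_id());

-- Organization admins: bookings of their own members (dates, provider),
-- but there is deliberately no clinical_notes policy for this role.
CREATE POLICY bookings_org_admin ON bookings FOR SELECT
  USING (
    app_user_role() = 'org_admin'
    AND client_id IN (
      SELECT m.id FROM users m
      WHERE m.org_id = (SELECT u.org_id FROM users u WHERE u.id = app_user_id())
    )
  );

-- Clinical notes: visible only to the authoring provider ...
CREATE POLICY notes_provider ON clinical_notes FOR SELECT
  USING (author_id = app_user_id());

-- ... and to the client the note is about.
CREATE POLICY notes_client ON clinical_notes FOR SELECT
  USING (EXISTS (
    SELECT 1 FROM bookings b
    WHERE b.id = clinical_notes.booking_id
      AND b.client_id = app_user_id()
  ));

-- Platform admins: readable for support and audit; the access logging that
-- accompanies this (the page's audit trail) is not part of this snippet.
CREATE POLICY notes_platform_admin ON clinical_notes FOR SELECT
  USING (app_user_role() = 'platform_admin');
```

With these policies in place, a `SELECT * FROM clinical_notes` issued under a client's identity returns only notes attached to that client's bookings, and the same query under an organization admin's identity returns nothing at all, regardless of what the application layer asks for. Two caveats worth knowing: PostgreSQL superusers and roles with `BYPASSRLS` are not filtered, so the application should connect as an ordinary role, and a `SELECT`-level audit trail needs a separate mechanism (policies filter rows; they do not record who read them).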

3. Audit trail

Everything that touches PHI — every login, every record view, every edit — is written to an audit log. The audit log:

  • Captures who did what, when, and from which IP address.
  • Is retained for at least 7 years (HIPAA requires 6; many state mental-health laws require 7).
  • Is never deleted, even when a user deletes their account.

4. Multi-factor authentication for privileged accounts

Everyone with access to admin tools or clinical content is required to set up two-factor authentication. A stolen password alone is not enough to get into a sensitive account. See the Two-factor authentication (MFA) article for details.

5. Minimum necessary

We only collect what we need to operate the platform. We don't ask for health history, diagnoses, or therapy content — that conversation happens directly between you and your provider, inside their session notes, which are visible only to them and you.

6. No advertising or data sales

Monkey Mind does not sell, share, or otherwise monetize your personal information or PHI. We don't run ads, and we don't partner with data brokers. Your information is used to run the platform and for nothing else.

What information we store vs. what we don't

Do we have it?   Type of information
Yes              Your account (email, name, timezone, phone if you add it)
Yes              Bookings (who, when, duration, price)
Yes              Messages between you and your provider (encrypted at rest)
Yes              Clinical notes a provider writes about you (visible only to them and you)
Yes              Signed legal consents with timestamp and IP
No               Your diagnosis
No               Your medications
No               Video/audio recordings of sessions (we don't record)
No               Third-party data about you (e.g., insurance claims)

Your rights

Under HIPAA (and similar state/federal laws), you have specific rights. On Monkey Mind you can:

See and download your information

Contact support to request an export of your data. We return a machine-readable bundle of everything you have on the platform — account info, bookings, messages, consents, and any clinical notes that belong to you.

Correct information that's wrong

For account information (name, email, phone, timezone), update it yourself in Settings → Profile. For clinical or booking content, message your provider or contact support.

Delete your account

You can request full deletion of your account. Account data and messages visible to you are removed or anonymized. Audit-trail entries are retained per legal requirements (we cannot legally delete these, but they do not identify you to other users once you're deleted).

Review your consents

See Settings → Consents for every legal document that applies to your account, which version you last signed, and when.

Know when a policy changes

If we update a material policy — the Privacy Policy, the HIPAA Notice of Privacy Practices, the Terms — you'll be prompted to review and re-sign on your next login. Small edits (typos, clarifications) don't trigger a re-sign.

How providers handle your session information

Your provider's notes about you are stored in Monkey Mind but visible only to them and to you. Other providers cannot see them, and organization admins cannot see them. Your provider is a HIPAA "covered entity" in their own right — their own professional obligations apply to how they write, share, and retain clinical notes.

If you switch providers, your old provider's notes stay with them (as required by clinical records retention laws). Your new provider starts a fresh profile — they don't get a copy of the old notes automatically. If you want records transferred, that request goes through your old provider directly.

Data breach notification

If we ever detect a breach that affects PHI, we'll notify you and the relevant authorities within the timeframes HIPAA requires (generally: affected individuals within 60 days, HHS within 60 days, media notice if a breach affects more than 500 residents of a state). Monkey Mind has never had a reportable breach.

Who to contact

  • Privacy questions — contact support (there's a "Contact Support" button on the help center and at the bottom of the chat with our help assistant).
  • Data export or deletion requests — contact support.
  • Suspected breach or compromised account — contact support immediately, and change your password.
  • Formal HIPAA complaint — you have the right to file a complaint with the US Department of Health and Human Services (HHS) Office for Civil Rights. We cannot retaliate against you for filing.

Related articles

  • Two-factor authentication (MFA) — how to protect your account with a second factor.
  • Consent documents and how signing works — the specific legal documents that apply to your account.
  • Account settings — where to change your profile, password, and preferences.

Last updated: May 7, 2026