Addressing concerns around SimplePractice's terms and conditions

In light of the recent updates to SimplePractice's terms of service, we've explained specific terms to offer healthcare providers a clearer understanding and confidence in their agreements.

Note: This article is not legal advice, and we recommend you reach out to SimplePractice if discuss any concerns with their terms of service and privacy policies.

How does SimplePractice handle its customer's data?

What information do they collect?

Based on their Customer Privacy policy, which applies to the therapists who use SimplePractice, this is the information they may collect: 

1. Identifiers and contact information

• Name
• Email address
• Mailing address
• Phone numbers
• Government-issued IDs (such as driver's licenses)
• IP addresses
• Usernames and passwords

2. Professional and employment-related information

• Business name
• License information
• Calendar and scheduling information
• Other business-related information

3. Billing information

• Credit or debit card numbers
• Tax IDs
• Insurance information for payments from clients

4. Audio, electronic, and visual information

• Photograph or image
• Voice and similar information
• Video content (with consent) for optional customer testimonials and identity verification

5. Internet, device, and electronic network activity information

• Browsing history
• Search history
• Interactions with SimplePractice's services and advertisements

6. Commercial information

• Products and services purchased from SimplePractice

7. Profile information and inferences

• Preferences and characteristics inferred from collected personal information

8. Sensitive personal information

• Account login information
• Credit or debit card number
• Social security number 
• Race or ethnic origin
• Sexual orientation and preferences 
• Religious or philosophical beliefs 

How is it used?

The way the data listed above is shared is described further under Section 4 of the Customer privacy policy. The circumstances under which sharing occurs are: 

1. Sharing with permission

• Personal information may be shared publicly with user permission (e.g., posting reviews).

2. Sharing with service providers

• Personal information may be shared with service providers for hosting, marketing, communication, advising, and payment processing.
• Continuing Education (CE) Marketplace data may be shared with service providers for course completion certificates.

3. Sharing with referral program participants

• Name and facts of joining services may be shared with referring individuals.
• Sharing with parent and affiliate companies for analytics and internal business purposes.

4. Legal and compliance obligations

• Personal information may be shared to comply with legal processes, subpoenas, court orders, or government investigations.

5. Protection of rights and safety

• Personal information may be shared with law enforcement agencies to protect rights and safety, investigate fraud, or respond to government requests.

6. Consent

• Personal information may be shared with third parties if the user has given consent.

7. Corporate transactions

• Personal information may be shared or transferred in corporate transactions like bankruptcy, merger, acquisition, reorganization, or sale.

See also: Understanding SimplePractice's terms of service

How does SimplePractice handle customers' clients' data?

What information do they collect?

The Clients Privacy Policy, which applies to the clients of SimplePractice customers, outlines the forms of data that may be collected, shared, and stored. 

This includes:

1. Identifiers and contact information

• Name, email address, mailing address, phone number, and IP address.
• Collected directly from clients or indirectly from their providers.

2. Billing information

• Insurance information, invoices, name, email address, mailing address, phone number, provider information, date of services, and services received.
• This information is stored for processing payments and client billing management.

3. Audio, electronic, and visual information

• Photographs or images, voice recordings, and similar data.
• Processed for Telehealth services and file attachments within the Client Portal.

4. Internet and device activity information

• Browsing history, search history, device and connectivity data, navigation, and interactions within the Services.
• Collected in anonymized format for business analytics and service improvement.

5. Profile information and inferences

• Derived from collected personal information.
• Used to understand client patterns, preferences and tailor communications.

6. Appointment Information

• Date, time, and location of appointments with providers.
• Stored for client and provider appointment management.

7. Sensitive personal information

• Sensitive data collected on behalf of providers, including race, sexual orientation, health status, identification details, and secure messages.
• This information is stored for client care, service provision, identity verification, payment processing, and secure communication.

8. Information from authentication services

• Data is obtained from third-party authentication services (e.g., Google) when clients connect to the Services. The term "services" refers to the offerings, features, and functionalities provided by SimplePractice to its clients through its platform.
• It may include name, email address, or other data based on third-party policies and privacy settings.
• Used to provide access to the Client Portal and other Services.

How is it used?

1. To providers/customers

• Share personal information with providers/customers to provide Services and facilitate agreements

2. To service providers

• Share personal information with service providers for various services (with appropriate contracts)

3. Parent and affiliate companies

• Share personal information with parent and affiliate companies for analytics and internal business purposes

4. Legal and safety compliance

• Share personal information in response to legal processes, investigations, or government requests
• Share personal information to protect rights, safety, and investigate fraud

5. Consent

• Share personal information with third parties if consent is given by the client

6. Corporate transactions

• Share or transfer personal information in corporate transactions like bankruptcy, merger, acquisition, reorganization, or sale

Recent changes made to the terms of service

Two notable clauses have been introduced in SimplePractice's updated Terms of Service as of the 2nd of August, 2023. 

The user data license

The first clause, under section 9.2 of the Terms of Service, "By uploading or submitting any User Data to or through the Services, and permitting other Users (including, without limitation, Clients) to upload any User Data into the Services, You hereby automatically at such time grant SimplePractice (and its affiliates) a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, perform and display such User Data"  

This license allows Simplepractice to use, reproduce, share, and create works from the user data or display the data collected. The license covers User Data submitted by users as well as data created, collected, or generated by the services or SimplePractice using the submitted User Data. 

This means that the data collected from both the Customer and the Client listed above is subject to the license. The rights and licenses granted under the Service Data License will continue to apply even after the expiration or termination of the user's account. 

As a user, you also irrevocably waive any "moral rights" or other rights related to attribution of authorship or integrity of materials concerning User Data. 

In essence, this may remove certain rights you might otherwise have in connection with your submitted User Data.

Notice of arbitration agreement and class action waiver

The second clause is a waiver relating to class actions and arbitration, which states: "NOTICE OF ARBITRATION AGREEMENT AND CLASS ACTION WAIVER: THIS AGREEMENT INCLUDES A BINDING ARBITRATION CLAUSE (UNLESS YOU OPT OUT) AND A CLASS ACTION WAIVER, SET FORTH BELOW, WHICH AFFECT YOUR RIGHTS ABOUT RESOLVING ANY DISPUTE WITH US. PLEASE READ THESE REQUIREMENTS CAREFULLY."

"Binding arbitration" means that if there's a disagreement, you agree to settle it through arbitration instead of going to court. An arbitrator will make a decision that both sides have to follow. This may, however, limit your litigation options in relation to SimplePractice. As a user, you do have the option of opting out of the Arbitration waiver. 

The "Class action waiver" means you can't be part of a group lawsuit against SimplePractice. You have to handle claims individually.

If SimplePractice can now report legal violations, could documenting a client's illegal behavior be reported?

The closest section relating to reporting illegal behavior that we found was SimplePractice's Data Privacy provisions, which state that: "In the event that We receive a subpoena, court order, or other legal request compelling the disclosure of any of Your Clients' User Data (including PHI) or any of Your data or information or any User Data."

Clients' documented illegal behavior could be shared if SimplePractice receives a legal request such as a subpoena or court order demanding the disclosure of User Data belonging to clients, including Personal Health Information (PHI) or any data or information belonging to the user, SimplePractice will inform the user about the existence of this legal request before sharing the requested information. 

This notification will occur unless a court orders SimplePractice not to do so, law enforcement requests they do not share this information, or SimplePractice's legal advisors determine that prior notification is not necessary or would violate applicable laws.

Is this standard "legalese" for EHR systems, or is SimplePractice taking things to a new level?

EHR services such as Theranest offer similar provisions relating to User Data Licensing. Theranests Terms of Service include: "Users hereby automatically grant TheraNest a non-exclusive, worldwide, royalty-free, sub-licensable, and transferable license to use, reproduce, distribute, prepare derivative works of, and display the User Data solely for the purposes of providing the Services. Users agree that the license includes the right to copy, analyze and use any User Data as Company may deem necessary, or desirable, for purposes of debugging, testing, or providing support or development services in connection with the Services and future improvements to the Services."

Linus Health offers similar licensing provisions within its updated terms of service: "Linus Health is granted: a perpetual, irrevocable, non-exclusive, worldwide, royalty-free, fully paid up, sublicensable right and license to use the Personal Data solely in an aggregated, de-identified and/or anonymized format such that Customer and Participants are not identifiable."

Corrie Health's terms of service include: 'You retain all ownership rights in your User Content but you are required to grant the following rights to the Product and to users of the Service as set forth more fully under the "License Grant" and "Intellectual Property" provisions below When you upload or post User Content to the Product or the Service, you grant to the Product a worldwide, non-exclusive, royalty-free, transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform that Content in connection with the provision of the Service; and you grant to each user of the Service, a worldwide, non-exclusive, royalty-free license to access your User Content through the Service and to use, reproduce, distribute, prepare derivative works of, display and perform such Content to the extent permitted by the Service.'

See also: A software guide for new therapy practices

What does this mean for SimplePractice customers?

For SimplePractice customers, the sharing of data follows industry-standard practices for EHR systems and online service agreements. While certain elements, such as sharing data with Service Providers, collaborating with parent and affiliate companies, and responding to legal requests, are consistent with common practices, some notable aspects set SimplePractice apart.

One specific difference is the inclusion of a class action waiver in the updated terms of service. This might be stricter compared to other platforms. Users are told about this waiver and can choose to opt out of the arbitration waiver, but they can't avoid the class action waiver. This might stand out as it limits users from participating in class action lawsuits against SimplePractice.

Furthermore, the User Data's extensive license granted to SimplePractice for the use of User Data submitted to the services, although found in other EHR services like Theranese and Corrie Health, still means that data can be shared more extensively. The license extends beyond the user's account termination and includes the right to use User Data for support and improvements. Users waive certain rights related to their User Data under this license, which requires careful consideration when considering whether to accept the condition. 

Please remember we aren't legal experts. For a more thorough understanding of how these terms might affect you as a SimplePractice customer or potential customer, consulting a legal professional is necessary.

See also: HIPAA Compliant Email: The Definitive Guide