Important information about SimplePractice’s new terms and policies update

On August 2nd, 2023, we informed our customers about an update to our Terms of Service and Privacy Policy. To provide additional transparency regarding these changes, we've created this guide to answer the top questions our community has asked about this update. As of August 29th, 2023, this guide has been updated to include additional information on opting out of arbitration, PHI and PII retention, and a clarification on Section 9.2 of the Terms of Service.

Note: SimplePractice does not sell Protected Health Information (PHI) or Personally Identifiable Information (PII), or provide AI with access to your data. We comply with HIPAA regulations, HITRUST, and data privacy laws.

Important: This guide is solely for informational purposes. This is not legal advice or an interpretation of any terms or agreements between customers and SimplePractice. You should fully read the terms and policies to adequately and accurately understand all terms to which you are bound. If you have any questions, please contact your local legal counsel.


Why is SimplePractice updating the terms and policies?

We haven’t updated our terms since March 16th, 2021. A lot has changed since then:

  • New data privacy laws have gone into effect which require us to obtain your explicit consent to our terms and policies in order for you to use SimplePractice.
  • New products and features have launched which require their own terms and conditions.
  • We have brought on new vendors and third parties to provide you with the services and software you need to run your practice.
  • The use of aggregated data (fully anonymized and non-identifiable, in accordance with HIPAA) enables us to enhance our products and provide our audience with resources, webinars, and articles that illuminate what is happening in the industry.
  • These updates do not impact our compliance with HITRUST or HIPAA.

Key changes to terms and policies

You can read the full Terms of Service here. Below, you can read highlights of key changes:

  • Enhanced data privacy rights based on new state privacy laws.
  • Establishing that customers are over 18 years of age.
  • Confirming customers have an established presence in the US and its territories or Canada. We are designed to be HIPAA compliant according to US law, so responsibility for laws outside of the US falls on the account holder.
    • “Established presence” refers to business operations occurring within the US or Canada. This may be demonstrated by your business address, license, NPI, or other factors.
  • Enabling SimplePractice to use aggregated data (entirely anonymous, non-identifiable, and in accordance with HIPAA) in order to:
    • Create and improve products and features in service of our customers, whether developed by SimplePractice or while working with vendors or third parties (ex: Stripe, Wiley).
    • Understand high-level industry trends in aggregate (ex: SimplePractice saw a 40% increase in telehealth usage), which are used to create resources like webinars, white papers, and educational content for our customers.

What we don’t do with your data:

  • We do not sell your or your client’s Protected Health Information (PHI) or Personally Identifiable Information (PII)
  • We do not access PHI outside of HIPAA guidelines
  • We do not keep PHI beyond day 65 after termination of customers’ accounts
    • Note: We do keep PHI for up to 64 days after termination of your account, pursuant to Section 24.1, which allows you to export your data
  • We do not provide AI with access to your data
  • We do not record telehealth sessions

Additional FAQs


Does AI have access to my data?

No, SimplePractice does not provide AI with access to your data. Should this change at any time in the future, you will be made aware with future terms of service updates and notifications.


Will SimplePractice sell my data or my clients’ data?

We do not sell any Protected Health Information (PHI) or Personally Identifiable Information (PII) to third parties. We do work with some third parties to provide you with the services and software you need to run your practice. However, rest assured we have a Business Associate Agreement (BAA) with all third-party organizations we work with who have access to client Protected Health Information (PHI), which ensures our compliance with HIPAA.

We only work with organizations and vendors that have experience and expertise in handling highly sensitive information, such as Protected Health Information (PHI).

SimplePractice is HIPAA compliant and continues to protect the security of your clients’ records in accordance with HIPAA regulations. Additionally, SimplePractice has yet again achieved HITRUST CSF® Certification based on an audit performed by a third party. The scope of the audit includes the entire SimplePractice web platform. The HITRUST framework is the gold standard of security certifications in the healthcare industry.


Who are your third-party organizations or affiliates?

Third parties are vendors that SimplePractice works with (ex: Stripe, Wiley) that provide additional services for our customers. Affiliates refer to groups such as our parent organization, EngageSmart. These above organizations must adhere to our high standards of data privacy and security compliance, including HIPAA for those accessing applicable data.


Can I use SimplePractice if I work outside of the US?

We are designed to be HIPAA compliant according to US law, so responsibility for laws outside of the US falls on the account holder.


Can I opt out of the arbitration clause?

As outlined in Section 26 of our Terms of Service, you can opt out of arbitration by providing notice to SimplePractice at 2834 Colorado Avenue, Santa Monica, CA 90404. The arbitration will be administered by the American Arbitration Association (“AAA”) under its Consumer Arbitration Rules, as amended by this Agreement.


How long does SimplePractice retain PII and PHI?

As stated in Section V(C) of the BAA, “[U]pon termination of this BAA for any reason, Business Associate shall return or destroy all PHI that Business Associate still maintains in any form.”

We also note in Section 7 of the Privacy Policy that “[w]e will retain your Personal Information for as long as your Account is active, as needed to provide you Services, and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.”

Section 24.1 of the Terms of Service includes additional information, stating that all User Data in Your Account will be accessible to you no more than sixty-four (64) days after termination or expiration of this Agreement. This time frame is also applicable to trial accounts. The Account Owner is responsible for exporting all Account data and ensuring the secure preservation of PHI for Your Clients pursuant to federal and state law, and ethical requirements. During the time frame beginning on termination or expiration of this Agreement, Your access to the Services will be limited to downloading Your User Data.

This means that we will only retain PHI and your identifiable User Data for as long as you have an account with SimplePractice, and for no more than 64 days thereafter per Section 24.1 of our Terms of Service. PHI is only retained for up to 64 days after termination to give you ample time to export any needed data. We will also only retain your Personal Information for the reasons described in Section 7 of our Privacy Policy.


How is User Data defined in the Terms of Service?

Per our Terms of Service, “‘User Data’ means any data or images (i) that You or Your Clients upload, stream or submit to or through the Services, or (ii) generated or collected on Your behalf from the Services or third parties, including but not limited to Protected Health Information as that term is defined above, video, image and sound data, Transaction Data, Practice Information, and Your Listing Information.”

User Data includes PHI, PII, and non-identifiable data from you and your clients. We’re committed to the security and privacy of User Data in compliance with HIPAA regulations, as reiterated in Section 10 of the Terms of Service: “We will make no use of PHI that is not permitted by this Agreement, the BAA, or that is prohibited by applicable law, including but not limited to HIPAA.”

For purposes of this guide:

  • “De-identified, anonymous, or non-identifiable data” means data from which all individual identifiers have been removed, including data that is de-identified as defined by HIPAA and data that has been rendered completely anonymous as to the User. This data will not be re-identified.
  • “Protected Health Information (PHI)” means any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

What data rights are being granted to SimplePractice in Section 9.2 of the Terms of Service?

Per Section 9.2 of the Terms of Service, by using the services and submitting User Data, “You hereby automatically at such time grant SimplePractice (and its affiliates) a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, perform and display such User Data (including User Data that is created, collected or generated by the Services or SimplePractice using the User Data Users submit), for the purposes of providing you the Services and further developing, improving, and marketing SimplePractice’s products and services (including the Services).”

Important: SimplePractice does not sell non-identifiable User Data, and we have no intention of doing so. Should this change in the future, we’ll let our customers know.

You are granting SimplePractice use rights, in the form of a license, within very specific constraints, as described in this section. You and your clients continue to own the data; we do not take ownership. 

We can only share, analyze, and use the User Data in order to provide services, to improve and develop our services, and to market our services to you. This is done pursuant to the BAA entered into between you and SimplePractice, which requires SimplePractice to adhere to HIPAA at all times. 

To learn how to manage your marketing communication preferences, see Section 5 of our Privacy Policy.

Note: As a reminder, we share, analyze, and use User Data in compliance with HIPAA regulations, applicable privacy laws, and/or HITRUST requirements.

Section 9.2 goes on to note that “the results generated from use for purposes other than providing the Services are not identifiable with the Organization or any natural person.”

This means that if we use User Data for any other purpose (outside of providing our services), we can only use User Data that is completely de-identified, and thus non-identifiable. This will be done in accordance with HIPAA regulations, applicable privacy laws, and HITRUST requirements.

Note: We do not and never will sell any identifiable User Data. This includes PHI and PII. Should we decide to sell non-identifiable User Data in the future, we’ll let our customers know. We will not use or sell User Data in any way that would not comply with HIPAA regulations, applicable privacy laws, or HITRUST requirements.

Section 9.2 also states that the “foregoing rights and licenses will be exercised in accordance with the SimplePractice Privacy Policies referenced in Section 10 below.”

SimplePractice will follow our Privacy Policy when we use any User Data that involves personal information. We only collect and process personal information as outlined in Section 2 of our Privacy Policy for the purposes outlined in Sections 2 and 3. We will also comply with data privacy laws with respect to your personal information, as outlined in Section 8 of our Privacy Policy.

Note: We do not sell PHI or PII. We can only share, analyze, and use the identifiable User Data in order to provide services, to improve and develop our services, and to market our services to you. As outlined in our Privacy Policy, we do not sell any identifiable User Data. This includes PHI and PII. Currently, we do not sell non-identifiable User Data. We will not use or sell User Data in any way that would not comply with HIPAA regulations, applicable privacy laws, or HITRUST requirements.

By agreeing to the Terms of Service, “[y]ou agree that the license includes the right to copy, analyze and use any User Data as SimplePractice may deem necessary or desirable for purposes of debugging, testing, or providing support or development services in connection with the Services and future improvements to the Services.”

This means that you permit SimplePractice to use User Data to test and fix issues or bugs in our services or product, to enhance and develop our services or product, and to provide support. This enables us to adequately and effectively provide our services to you.

Per Section 9.2, “The license granted in this Section is referred to as the ‘Service Data License.’ You also acknowledge that the Service Data License granted to SimplePractice with respect to User Data will survive the expiration or termination of Your Account.”

This means that you agree that we can continue using the non-identifiable User Data after account termination. Per Section 24.1, if your account is terminated, we delete identifiable User Data and are no longer providing a service to you. Therefore, this section only permits us to use non-identifiable User Data after account termination.

Note: We do not currently sell non-identifiable User Data. Should this change in the future, we’ll let our customers know. If we de-identify PHI, we will do so in accordance with HIPAA regulations (removing all 18 identifiers; things like names, telephone numbers, fax numbers, social security numbers, etc.).

Additionally, Section 9.2 states, “Notwithstanding the foregoing license, the license granted to SimplePractice to use User Data that includes content that You provide for purposes of Your Professional Website is set forth in Section 17.2 (Professional Website Service) below.”

Important: SimplePractice does not use or sell customer website templates or content, and we have no intention of doing so. Should this change in the future, we’ll let our customers know. SimplePractice is not using custom templates and/or forms without the customers’ awareness and willing participation. For any custom templates and/or forms offered through our service and created by a customer, we have entered into compensation agreements with them. We are also not selling customer custom templates. Should this change in the future, we’ll let our customers know.

While you retain ownership rights of the content you upload to your Professional Website, SimplePractice is able to use the content to develop, improve, and market our products and services. For example, this content may be used to improve our Professional Website offerings based on how the product has been used by customers past and present. You can refer to Section 17 for rights related to the Professional Website service.

For further clarification, we do not currently copy, create, or sell original and/or derivative works with respect to templates you may create while using our services. We have, however, created templates based on feedback from customers in order to enhance your experience while using our services. 

Lastly, Section 9.2 states that “[y]ou further irrevocably waive any ‘moral rights’ or other rights with respect to attribution of authorship or integrity of materials regarding User Data that You may have under any applicable law under any legal theory.”

This means that you will not sue SimplePractice claiming that we have no right to use the User Data as stated in this Terms of Service.

Thank you for being a part of the SimplePractice community. 
