New independent study shows Lyra is the only mental health solution to deliver proven savings to employers.
Learn more

HIPAA Notice


Effective date: March 3, 2020.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides standards for how medical information should be used and disclosed by healthcare providers, health plans, and other covered entities. Lyra Clinical Associates P.C. (“LCA”) is a health care provider that both directly delivers health care services through its personnel as well as contracts with licensed providers to deliver health care services. We provide each of our users with this information and ask each of our users to acknowledge receipt of our HIPAA Notice of Privacy Practices for LCA, which discloses our practices for personal information gathering and dissemination. Please note that by registering on the website (the “Site”) or by using the services provided by LCA, together with any independent contracted affiliates (together “LCA”, “we”, “our” or “us”), you accept the practices described in this Notice of Privacy Practices. If you do not agree to this Notice, please do not use the Site or Lyra’s services. IF YOU ARE UNDER 13 YEARS OF AGE OR RESIDE OUTSIDE OF THE UNITED STATES, PLEASE DO NOT USE OR ACCESS OUR SITE.

What information do we collect from users and how is it used?

Registration. Before using some of our services, we need you to register with the Site and provide your name, email address, a password, and other personal details. We request this information for identification purposes, to communicate with you, and to improve the functioning of certain services. By providing us with your email address, you consent to receiving information from us through the email you provide us, including protected health information which is private to you and protected by HIPAA. For more information on the information we collect, you can also review our Terms of Use (, Privacy Policy (, and Consent to Use Personal Email ( You may also be asked to complete other forms (e.g. intake forms, informed consent, etc.) depending on the services you choose.

Forms. To fully use our offerings, you may need to fill out forms that ask for or contain personal information such as your name, contact information, health, and other personal information. By providing us with your mobile phone number, you consent to receiving information from us by text or voicemail, including in the case of voicemail, protected health information.

Medical Records. In order for us to get you the best care, we may ask you to provide us with your medical records, for which we will obtain a signed authorization from you. We may also ask you for a description of symptoms, a medical history, lifestyle descriptions and information on the progress of your treatment from your provider either over the phone, by email, or through our Site. In addition, if you see a provider that is employed by LCA, we will maintain a medical record that contains the details of the care you receive from LCA.

Correspondence. If you correspond with us via email or text, we may gather in a file specific to you the information that you submit.

Recordings. If you contact our care team by videoconference, phone or by email, we may record and retain copies of the interaction for, among other things, ongoing quality assurance, training, and development of our services. If you access any apps or other services we offer, we may record your interactions with our software or our providers. We will inform you if we are recording your interactions with our care team or providers and, if you do not wish to be recorded, you can let the care team or provider know at that time. We may retain some information from the interactions in a fully de-identified and anonymized format for longer than 2 weeks for ongoing quality assurance, training, and development of our services.

Outcomes. We may periodically send you surveys to collect your feedback on the outcomes of your therapy. Understanding outcomes is central to our mission of providing effective, evidence-based care, and data can help inform Lyra’s approach to treatment and assessment of progress. In addition, LCA uses aggregated, de-identified outcomes data to provide our customers with insight into how their employees are coping better with stressors and functioning at a higher level. We anonymize and convert individual outcome scores into improvement levels, and then aggregate those in reporting across an entire population.

We will store the above described categories of information for as long as needed to provide our services, and as required to comply with our legal obligations (including those under HIPAA), resolve potential or actual disputes, improve the quality of our services, or enforce our agreements.

In addition, your provider may capture independent clinical and psychotherapy notes, which would be subject to his or her separate HIPAA privacy practices.

How does LCA use and disclose protected health information about you that we collect?

LCA will collect protected health information (“PHI”), which includes but may not be limited to your name, age, gender, contact information, problems you are seeking help for, and progress and outcomes of your treatment, from you and will use or share it for the following purposes:

Treatment. We can use your PHI and share it with other professionals or programs that are treating you, such as when you are referred to another mental health professional for further treatment. By using our services, you hereby explicitly consent to the sharing of information like your name, age, gender, problems you are seeking help for, including alcohol and substance use, care preferences, health plan coverage, and progress of your treatment with current and potential therapists to promote good outcomes.

Run our Organization. We can use and share your PHI to support our business operations, that is to run our organization, improve our offerings to clients, improve your care and the coordination of your care, and contact you when necessary, such as using your PHI to manage your treatment and services. We may also use de-identified information that we retain for these purposes.

Billing and Payment. We may use and share your PHI to confirm eligibility for services and to ensure proper payment to providers. For example, we may request your information from your health plan or employer in order to confirm eligibility for services.

Other Uses. We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: “Your Rights Under HIPAA”. The following are ways we may share your information:

  • Help with public health and safety issues: We can share health information about you for certain situations such as reporting suspected abuse, neglect, or domestic violence; preventing or reducing a serious threat to anyone’s health or safety; reporting adverse reactions to medications; preventing disease; and helping with product recalls.
  • Do research: We can use or share your information for health research, provided that your employer has allowed us to use information for this purpose.
  • Comply with the law: We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
  • Respond to organ and tissue donation requests: We can share health information about you with organ procurement organizations.
  • Work with a medical examiner or funeral director: We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
  • Address workers’ compensation, law enforcement, and other government requests: We can use or share health information about you for workers’ compensation claims; for law enforcement purposes or with a law enforcement official; with health oversight agencies for activities authorized by law; for special government functions such as military, national security, and presidential protective services.
  • Respond to lawsuits and legal actions: We can share health information about you in response to a court or administrative order, or in response to a subpoena.

You have both the right and the choice to tell us to share your PHI with your family, close friends, or others involved in your care; share your PHI in a disaster relief situation; and whether to contact you for fundraising efforts. If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest.

We will never share your PHI, unless you give us written permission to, for marketing purposes, for sale of your information, and for any sharing of psychotherapy notes. You may revoke or restrict the authorization to disclose your PHI for these purposes at any time.

Lyra reserves the right to release collected information to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate.

What are your rights regarding your protected health information?

You have certain rights regarding protected health information that we maintain about you, including rights to:

  • Get an electronic or paper copy of your medical record. You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. To request a copy of your records, select “Access” on our HIPAA Rights Form here. We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
  • Ask us to correct your medical and other records. You can ask us to correct health or other information about you that you think is incorrect or incomplete. To request that we correct your records, select “Amendment” on our HIPAA Rights Form here. We may say “no” to your request, but we’ll tell you why in writing within 60 days.
  • Request confidential communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will say, “yes” to all reasonable requests. To request confidential communications, select “Restrictions/Confidential Communications” on our HIPAA Rights Form here.
  • Ask us to limit what we use or share. You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care. To request restrictions, select “Restrictions/Confidential Communications” on our HIPAA Rights Form here.
  • Get a list of those with whom we’ve shared information. You can ask for a list (accounting) of the times we’ve shared your health information for 6 years prior to the date you ask, who we shared it with, and why. We will include all disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months. To request an accounting, select “Accounting of Disclosures” on our HIPAA Rights Form here.
  • Get a copy of this privacy notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
  • Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.
  • File a complaint if you feel your rights are violated. You can complain if you feel we have violated your rights by selecting “Complaint” on our HIPAA Rights Form here. You can also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting “What to Expect”. We will not retaliate against you for filing a complaint.

What are LCA’s responsibilities with my information?

We are required by federal law (HIPAA) and state law (e.g. CMIA in California) to maintain the privacy and security of your protected health information. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your protected health information. We must follow the duties and privacy practices described in this notice and give you a copy of it. We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind. For more information see: “Notice of Privacy Practices”.

In some circumstances, our customers who sponsor the services offered by LCA may have requested further limitations on our use and disclosure of PHI than those scenarios described in this Notice. To the extent there are any inconsistencies between this Notice and the terms of any agreements we have entered into with our customers or any applicable employer-sponsored group health plan privacy policy, the terms of those documents will control.

How will I know about changes in the Notice of Privacy Practices?

LCA reserves the right to update this Notice of Privacy Practices from time to time. Please visit this page periodically so that you will be apprised of any changes. The policies indicated in this Notice will remain effective, even if you are no longer using our Site or services.

At times, LCA may work with a third party contracted provider to deliver services to you. To the extent that there is a conflict between LCA’s Notice of Privacy Practices and that of a third party contracted provider regarding how your PHI will handled, the Notice of Privacy Practices that is more restrictive regarding the use, access and disclosure of your PHI will apply.

How to contact us?

If you have questions, or need to reach us for any other reason, you may contact the Chief Privacy Officer at 270 E. Lane, Burlingame, CA 94010; (800) 505-5972 or at [email protected].