SimplePractice Terms and Conditions Changes - What EVERY Therapist (or Client) Should Know
Updated 8/30/23 10:39am PT
Have you heard the rumors, curses, muttering, and outrage regarding the terms and conditions changes from SimplePractice? This is an emerging issue that people are up in arms about — and we want to do our best to share what’s happening, what we know, what we don’t know, and steps we recommend YOU should take whether you use SimplePractice or not.
Free Panel Discussion with Mental Health Attorney, Person-Centered Tech, and Business Coach
8/18/23 Update: We’ve pulled together a free panel that includes a therapist attorney, Person Centered Tech, and zynnyme to dive into what to look for in understanding terms of service for SimplePractice, Zoom, or any other service you use.
Below is the panel discussion held on August 24, 2023, about what to do with changes in terms across the board as professionals. We discuss problematic language, green flags, and ways you can advocate for the profession. Click here to get links to the training and all resources discussed.
What attendees said after watching the panel:
“so helpful to hear from those who can understand the legal stuff”
“We don’t need to panic, but I know what to look more closely into and what questions to ask as I make decisions going forward about where to spend my money”
“The green flags were great, and guidance on how to ask questions and make informed decisions”
“I feel more educated”
“I feel a sense of community!”
“I feel like I got more clarity legal vs ethical risk as well as what questions to ask as we look to transition and how to reduce the anxiety of my team”
“That we’re all learning together - I feel less pressure to be the expert and more motivated to work together to understand these changes.”
What does AI think about SimplePractice terms and conditions?
8/23/23 Update: What do they consider Deidentified PHI?
Thank you all for sharing your concerns and your interactions with SimplePractice support. Here’s just one part of one email between a SimplePractice user and support about clarification of the terms of service. This is where I found the information about initials being a gray area, and where they clarify their current processes and what they currently know about what they do with deidentified PHI.
Resource referenced: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
A review of the SimplePractice terms timeline:
August 2nd: SimplePractice rolled out new Terms and Conditions, Privacy Policy, and BAA and began notifying customers via email and pop-up. SimplePractice informed customers that they had to accept the new terms by August 16th or be locked out of their accounts.
August 3rd: SimplePractice posts this information in their SimplePractice Community Facebook group.
August 7th: zynnyme (Miranda) does a deep dive review into what’s known with the changes and finds some language that raises significant concerns — will copy and paste those sections below.
August 7th: zynnyme (Miranda) reached out to our contact at SimplePractice to get clarification. They were coming back from a conference and weren’t aware of the changes and suggested possibly speaking August 8th.
August 8th: zynnyme (Miranda) reached out to CAMFT legal counsel to get support (they are open Tuesday through Thursday as of this post) in interpreting the updated SimplePractice terms of service. They report they’re reaching out to SimplePractice for clarification and plan to discuss at the afternoon meeting.
August 8th: This morning, very early, SimplePractice provided this. They’re clear that their FAQs are not to be considered a legal interpretation. So, it’s left us waiting for attorneys to give us an interpretation of what the terms actually mean in reality. We’ve since responded to ask clarifying questions and get more information.
August 9th: New client portal terms of service and privacy policy must be approved by clients to continue using the portal. Therapists have not been made privy to what these policies are to date (August 8th). Updated: SimplePractice reported that they are postponing the rollout of new client portal terms and conditions and did not provide a new date for this rollout.
August 14th: SimplePractice customers received an update via email that included “After listening to our customers' feedback, we’ve decided to extend the acceptance date to September 1st, 2023 (responses due by 11:59 pm 8/31) to give additional time to review the updated terms and policies.”
August 16th (has been extended to September 1st): Terms and Conditions must be approved by customers to prevent account lockout.
August 23rd: Received email from CAMFT affinity partners advertising SimplePractice. Did legal consult with CAMFT attorney who reported that SimplePractice clarified they follow HIPAA and that was sufficient for their comfort. When I read back Section 9.2, he reported if I had questions to talk to SimplePractice. He said this is what most EHRs are moving towards and this is becoming standard internet practice.
August 30th: We are getting screenshots of emails going out to therapists who’ve said they won’t sign the terms of service. They say “as explicit consent is required to continue using SimplePractice, your account will be locked on September 6, 2023.”
What are the changes to the SimplePractice terms of service?
Below is what was sent out by SimplePractice to its users:
Starting on August 2nd, we notified every customer of our new terms and policies.
Due to recent case law and changes in state privacy laws, we’re now required to obtain your explicit consent to these new terms and policies for you to continue using SimplePractice. You can view our updated Terms of Services here.
To accept the terms and policies, please sign in, review the updated documents, and click Accept updates.
To prevent account lockout, these updates must be accepted by all team members in the account by August 16th.
We’re also updating our Client Portal Terms of Service and Client Portal Privacy Policy. Clients will be notified of this via the Client Portal, and will be asked to accept these updates on August 9th, to continue using the Client Portal.
Note: All updates to our terms and policies are HIPAA compliant.
Thank you for being part of the SimplePractice Community!
"Although we don’t have an abridged list of the exact changes, the Terms of Service were changed to reflect updated permissions with respect to user data. The Privacy Policy was updated to reflect the expanding state privacy law landscape and inform you of your rights with respect to those privacy laws. You’re welcome to read the updated Terms of Service (https://www.simplepractice.com/terms/), Privacy Policy (https://www.simplepractice.com/privacy/), and BAA (https://www.simplepractice.com/baa/).
- Riley"
The attached PDF includes a summary of the more impactful changes to the Terms of Service. Please note that this is not an exhaustive list of all changes, legal advice, or an interpretation of any terms. We strongly encourage you to read the Terms of Service (simplepractice.com/terms) in full to make an informed decision about whether to continue using SimplePractice.
You can access the previously mentioned document here: https://drive.google.com/.../17y-c9ROcl0NRO6saZqQ7RS.../view. - Riley
“To prevent account lockout, these updates must be accepted by all team members in the account by August 16th.
We’re also updating our Client Portal Terms of Service and Client Portal Privacy Policy. Clients will be notified of this via the Client Portal, and will be asked to accept these updates on August 9th, to continue using the Client Portal.”
That’s a lot of information! What exactly is changing?
Honestly, this is basically a full rewrite of the terms and conditions from what we can see. So, this is not as simple as a section being added or deleted. We’ve not found any link thus far to the old terms and conditions. We’d love a copy if you have them — please link in the comments below. We received a copy of the terms of service from 2020 from a lawyer who had a copy. You can see them here.
But why are people so concerned about the new SimplePractice Terms and Conditions?
Based on the questions we’re getting from our coaching clients and what’s being posted in various therapist groups, we’d boil it down primarily to two sections, but there are definitely additional areas that people find concerning.
The first is Section 9.2 of the terms. Here it is in its entirety. Be sure to take a deep breath and sit down before you read it. Don’t be afraid to take a few notes:
“9.2 License to User Data. By uploading or submitting any User Data to or through the Services, and permitting other Users (including, without limitation, Clients) to upload any User Data into the Services, You hereby automatically at such time grant SimplePractice (and its affiliates) a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, perform and display such User Data (including User Data that is created, collected or generated by the Services or SimplePractice using the User Data Users submit), for the purposes of providing you the Services and further developing, improving, and marketing SimplePractice’s products and services (including the Services), it being understood that the results generated from use for purposes other than providing the Services are not identifiable with the Organization or any natural person. The foregoing rights and licenses will be exercised in accordance with the SimplePractice Privacy Policies referenced in Section 10 below. You agree that the license includes the right to copy, analyze and use any User Data as SimplePractice may deem necessary or desirable for purposes of debugging, testing, or providing support or development services in connection with the Services and future improvements to the Services. The license granted in this Section is referred to as the “Service Data License.” You also acknowledge that the Service Data License granted to SimplePractice with respect to User Data will survive the expiration or termination of Your Account. Notwithstanding the foregoing license, the license granted to SimplePractice to use User Data that includes content that You provide for purposes of Your Professional Website is set forth in Section 17.2 (Professional Website Service) below. 
You further irrevocably waive any “moral rights” or other rights with respect to attribution of authorship or integrity of materials regarding User Data that You may have under any applicable law under any legal theory.
“User Data” means any data or images that You or Your Clients upload, stream or submit to or through the Services, or generated or collected on Your behalf from the Services or third parties, including but not limited to Protected Health Information as that term is defined above, video, image and sound data, Transaction Data, Practice Information, and Your Listing Information."
And the second spot that people are concerned about is this:
“NOTICE OF ARBITRATION AGREEMENT AND CLASS ACTION WAIVER: THIS AGREEMENT INCLUDES A BINDING ARBITRATION CLAUSE (UNLESS YOU OPT OUT) AND A CLASS ACTION WAIVER, SET FORTH BELOW, WHICH AFFECT YOUR RIGHTS ABOUT RESOLVING ANY DISPUTE WITH US. PLEASE READ THESE REQUIREMENTS CAREFULLY.”
According to one user, SimplePractice has clarified via their support desk that you can opt out of the arbitration clause by informing them in writing at their offices in Santa Monica, but there’s no way to opt out of the class action waiver. That response aligns with the way the above information is written.
Update: Now having access to the previous terms and conditions it is clear the arbitration and class action clause was there previously. I haven’t compared the actual language of the full terms but it looks like this was not an update as I had been previously told.
Wait, so what exactly does all of that mean?
Great question! We’re not lawyers, and we know most of you aren’t either. So, most of us when we’re given something that sounds concerning that we don’t understand want to reach out for support. Giving therapists only two weeks to read, digest, and obtain legal counsel (in the midst of the most popular vacation month) seems extremely problematic in the case that customers are granting rights that survive the termination of the account. “You also acknowledge that the Service Data License granted to SimplePractice with respect to User Data will survive the expiration or termination of Your Account.”
We reached out to the California Association of Marriage and Family Therapists’ (CAMFT) legal department after they opened this morning to get some support and expressed our concerns. One of the best perks of membership is unlimited legal phone support.
CAMFT has started to receive calls, but this is the first call this particular attorney had received, and asked to take it to their afternoon meeting. I forwarded her the information I received, and she said they’re reaching out to SimplePractice for clarification and will go from there. It’s worth noting for transparency that SimplePractice and CAMFT are affinity partners and CAMFT and SimplePractice both receive income from that relationship.
I’m hopeful that CAMFT can use that relationship for the good of their membership to exert pressure as needed to support the needs of members and the profession.
Update: CAMFT’s response:
We have taken a look at Simple Practice’s terms of service and from what we have seen they do appear to comply with law and reflect standard internet practices. I don’t know if you have seen it already, but Simple Practice also put out an FAQ document that may be helpful in answering any additional questions: https://support.simplepractice.com/hc/en-us/articles/18351059584141#additional
Below we’ll share some alternate positions from other attorneys. I will also be calling them again to get some clarity about their interpretation of the above language as that was not clear.
As part of a Q & A with another attorney who specializes in therapy practices, they had a few specific concerns:
The terms of data use: they agreed that the language is absolutely typical of internet and app development. However, “very typical very broad licensing agreement… but not with healthcare information.” They go on to say “that it didn’t occur to them to run this through compliance” is concerning. If this doesn’t occur to them, then what else are they doing where it doesn’t occur to them that the rules are different when healthcare information is involved? So, if they can do this, what else might happen?
Similar provision if you have your website posted through them. They own anything and everything you post on your website. They own any information they own on your website. They reserve the right to post advertisements on your website that you don’t have access to screen if they are appropriate. You can PAY to not have ads posted to your website. Typical language but NOT in healthcare. You have no control over what ads they may post and it could be inappropriate based on the type of services you provide.
Broad prohibition posting anything offensive, derogatory, or threatening on anything anywhere within SimplePractice. What does a therapist do when documenting things that happen in a session? This just doesn’t make sense based on what we do because they’ve lumped everything into such a broad category and mixed things together that don’t really make sense. This is a medical record and they’ve not been clear in the terms the difference between the terms for medical records and public-facing services.
SimplePractice may not be accessed by a clinician or client outside of the United States and Canada. We don’t want to attempt to comply with regulations in other countries.
“in the short term I am not concerned with your liability my concern is that they are going to actually go
In one of the responses
Here’s what many customers are concerned that the language above is referring to:
User data includes not just therapists’ but their clients’ data as well.
Data that can be used includes written, audio, and video content that’s uploaded, submitted, or streamed.
They’ll be using the data, including aggregated PHI, in marketing their business and affiliates.
It seems to give options for creating new services that are as of yet unnamed.
That data will be fed into artificial intelligence (AI) and can be used for basically any reason they choose.
The fact that you can’t opt out and that deleting your account or moving doesn’t take your data or your client’s data out.
But is that what it really means legally?
We’re trying to figure that out. Let us reiterate: We’re not lawyers, and that’s why we all need time to get legal direction.
For some, this reminds them of language like in BetterHelp’s terms and conditions and privacy policies. BetterHelp denied the interpretation but was later fined 7.8 million dollars for their use of PHI. You can read the press release regarding BetterHelp from July 14, 2023, here.
SimplePractice references recent case law, but it doesn’t share what case law they’re referring to. Some people feel like this is language that’s all about the integration of AI. Some are positing that this might be related to recent mergers and acquisitions.
At the end of the day, you need to understand what this means for you and your clients. We wish we had a full legal answer today, but we don’t. However, we do have steps every therapist or client can take today.
Steps to take regarding SimplePractice Terms and Conditions:
If you’re a therapy client of any practice that uses SimplePractice, do NOT sign or agree without reading the terms and conditions. We’d also recommend waiting until someone comes out with a legal opinion before signing it.
If you use SimplePractice, advise your clients not to sign for the client portal until both you and your clients can read and understand what’s being agreed to.
Contact your liability provider and/or professional association to get legal direction or consultation if that’s a benefit of membership. If you’re licensed in California (no matter the license designation or associate standing), consider your membership, which includes unlimited legal phone consults.
Connect with other professionals to read, understand, and pool resources together. If you have the resources and privilege of getting legal support, consider sharing your findings with others that don’t have access.
Even if your associations or liability providers don’t provide legal consultation, contact them to ask for support in fully understanding the legal and ethical issues related to the new terms. If enough members contact them, it can create a reason to provide direction.
The goal of understanding the new terms is that, if your client asked you what these terms meant, you could confidently explain why you said yes or no to what you’re agreeing to on their behalf.
Set a reminder to export your client data before you are locked out and run a report of the financials for each of your clients so that you have options if you decide you can’t sign the new terms. It can take SimplePractice 48 hours to export your data.
I’m not a SimplePractice customer. What do I need to know?
But wait — I’m not even with SimplePractice. Does this impact me? Now’s the time to go read YOUR terms and conditions, privacy policy, and BAAs, and be on the lookout if anything new comes out for anything where you are working with data you’d like to keep private. As many of these EHRs have been bought up by big tech companies, this may become more common. Also, now’s the time to really read up on terms and conditions for any practices where you’re a client. Gone are the days of checking the box without reading.
For example, Zoom just made a similar update to their terms and conditions valid as of August 7, 2023:
“10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: (i) as may be necessary for Zoom to provide the Services to you, including to support the Services; (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof; and (iii) for any other purpose relating to any use or other act permitted in accordance with Section 10.3. If you have any Proprietary Rights in or to Service Generated Data or Aggregated Anonymous Data, you hereby grant Zoom a perpetual, irrevocable, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to enable Zoom to exercise its rights pertaining to Service Generated Data and Aggregated Anonymous Data, as the case may be, in accordance with this Agreement.” Here are their full terms. And here is an article sharing Zoom’s response and attempts to explain what they did and did not mean through these terms.
As of August 11th, Zoom has since updated their terms and conditions to be more clear about what data will and will not be used based on the customer feedback.
Here is the updated terms section:
10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”): (i) consistent with this Agreement and as required to perform our obligations and provide the Services; (ii) in accordance with our Privacy Statement; (iii) as authorized or instructed by you; (iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines. You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses.
Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.
You can read more about it here and here. The staff and attorneys at Person Centered Tech’s office hours (highly recommend) reported it was incredibly important not to opt in to the meeting IQ summaries that give access to machine learning and to really make sure you understand the impact on HIPAA before opting in to any new services if you are using Zoom in a HIPAA consistent manner.
Of course, regardless of whether a business intends to allow certain uses of data for certain purposes, ultimately we’re deciding whether to agree to a contract based on what it allows. As business owners, we can’t agree based on what you say you intend to do. Ultimately, we have to look at what the law would allow based on that contract.
What SimplePractice Says via email August 14th, 8:23 am PDT:
On August 2nd, 2023 we informed you of an update to our Terms of Service, Privacy Policy, and Business Associate Agreement. Customers originally had until August 16th to accept these terms.
After listening to our customers' feedback, we’ve decided to extend the acceptance date to September 1st, 2023 (responses due by 11:59 pm 8/31) to give additional time to review the updated terms and policies.
SimplePractice strictly complies with HIPAA guidelines, HITRUST, and data privacy laws. Here’s what we don’t do with customer/client data:
We do not sell our customers’ or your clients’ Protected Health Information (PHI) or Personally Identifiable Information (PII).
We do not access PHI outside of HIPAA guidelines.
We do not keep PHI after termination of customers’ accounts.
We do not provide AI with access to customer or client data.
We do not record telehealth sessions.
Please refer to our FAQs for additional details about this update.
Thank you for being part of the SimplePractice community.
Pulling Together Differing Opinions:
Here’s the feedback from an attorney who’s also a therapist:
“Based on my review of the terms and policies, I have a few thoughts. Remember that although I am an attorney, I’m not YOUR attorney and this is not legal advice.
1- sharing data and sublicenses with third parties. Since SimplePractice does not offer many of its services in house, it uses other company service providers. Like the clearing houses, video platform providers, Stripe etc. What this does is allow relevant data to be shared in order to coordinate services between the companies. The content of sessions is not traded although things like names, session history, session costs, etc. will be.
2- liability. These terms are broad reaching and fall into that odd world of “you can’t really hold us liable for anything.” While that is a term included, it doesn’t always mean a court will enforce it, especially if it is an egregious issue. I don’t like these terms to be included in services like this, but intend to be pro-consumer.
3- HIPAA. The use of PHI on SimplePractice and with the BAAs in place means the data is being used in appropriate ways, however they weren’t very clear about this at first, they have since shifted their position and offered more transparency.
4- in sum. I am staying with SimplePractice for now. I don’t like the way they rolled this out but they did a decent enough job to walk it back. I do believe we have reason to be concerned that the AI line may be crossed within the next few years.” - James Ahearn, JD, LPC
Comparing EHRs’ terms of service:
But wait, what do other EHRs say in their terms of service? Is this standard language?
Someone forwarded us this Google document that cuts out similar portions of the terms of service from several different EHRs so you can compare what language different EHRs and practice management systems are using in order to provide similar services.
We’ve tried to find out who the author of this document was initially to give them credit. It’s obviously easy to recreate, but I’d love to give credit to the person who originally created this so if that’s you or you know them, let them know we appreciate them and to reach out if they’d like to be recognized. You can see the review of terms here.
I want to quit SimplePractice!
Some of you have already made your decision about SimplePractice. Whether this is specific to the new terms, the business practices, or the way it was rolled out, it’s okay to make a change. Making a switch from your EHR can be incredibly stressful and time-consuming — we totally understand that. Here’s a quick primer on steps you can take:
Get your documentation and billing as up-to-date as possible.
Make sure you do an export before you’re locked out of your system, and understand what does and doesn’t export.
Get clear on what you’re needing in your new service, and read those terms and conditions so you understand and feel comfortable with the changes.
Ask about the transfer process. A newer, but highly rated EHR, My Best Practice, is offering a white glove migration package for under $300, including setup of your new forms and such!
A few front runners for new EHRs to check out based on what our clients are liking right now and exploring:
We reached out to My Best Practice to learn more about their white glove migration package, and they agreed to offer a free 30-minute Q&A on Friday, August 11th, at 8:30am PT. You can watch the replay here.
I’d definitely ask any other company you’re considering about help with the transfer process and see if we can get some other companies to white glove for you! It seems several companies are jumping in to make it easy to transfer, so definitely ask for what you need and want.
We’d love to hear in the comments below about what is and isn’t working in your transfer process and if anyone else is doing great in helping with transfers.
Wait, haven’t y’all referred to SimplePractice in the past?
We have absolutely referred to them in the past. We knew their founder very well and he had the utmost integrity. The first few years after he sold, things stayed pretty status quo, but in the last year or two, things have been shifting with the way they roll out changes and their business practices. It’s truly unfortunate because they’ve had excellent developers and a great product.
We’ve always chosen to never get money for referring to software or other providers, even though that’s standard practice. We don’t want our referrals to be subtly or otherwise influenced by financial gain. We’ve been paid by them to provide trainings, and they’ve sponsored previous co-led events with zynnyme and other organizations.
Moving forward, we continue to hold to our stance that we should not be paid for referring clients to a program, software, or any other kind of company. This will allow us to continue to maintain integrity in providing support to our Business School for Therapists community and the mental health care community at large.
Okay, so what now?
Take a breath. It’s going to be okay. Most things don’t require this kind of quick response. We’re hoping at minimum that SimplePractice will extend their deadlines, so people have time to process and get actual legal counsel. Facebook groups are great, but they have their limitations.
We’d love to hear from you in the comments below with your questions, resources, or direction you’ve received from legal counsel. While we might be a field filled with a fair number of introverts and ambiverts, ultimately, I think we’re a field that does better together in safe communities.