BASIL THERAPY, INC.

HIPAA NOTICE OF PRIVACY PRACTICES

Effective Date: January 2024

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. WHO THIS NOTICE APPLIES TO

This Notice of Privacy Practices (“Notice”) applies to any individual whose Protected Health Information (“PHI”) is maintained, accessed, or processed by Basil Therapy Inc. (“Basil Therapy,” “TheraDriver,” “we,” “us,” or “our”) in the course of providing services on behalf of health care providers, health systems, or other HIPAA-covered entities (“Covered Entities”). Basil Therapy serves exclusively as a “Business Associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. As a Business Associate, Basil Therapy does not provide medical care directly to individuals, but supports the delivery of such care through technology, data handling, and communication services.

Our technology platform, TheraDriver, enables AI-assisted messaging, appointment coordination, care plan delivery, behavioral health tracking, and communication support services for clinicians and administrative personnel. As part of these services, we may process PHI shared with us by your provider or generated during your use of the platform. This Notice informs you of how we may use and disclose your PHI and outlines your rights under HIPAA and other applicable privacy laws, including relevant U.S. state laws and global privacy regimes where applicable.

2. OUR ROLE AND RESPONSIBILITIES

Basil Therapy is legally required to maintain the privacy and security of PHI that we receive, access, or process on behalf of Covered Entities. We must follow the privacy and security requirements set forth under HIPAA, the HITECH Act, and related state and international privacy laws, to the extent applicable.

We are obligated to implement administrative, technical, and physical safeguards designed to protect PHI from unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption, access controls, monitoring, and strict internal policies governing how PHI is handled. We are also required to report any impermissible use or disclosure of PHI, including data breaches, to the Covered Entity in a timely manner.

In addition, we are required to enter into Business Associate Agreements with the Covered Entities we support, and with any subcontractors or vendors who assist us in providing services. These agreements bind all parties to the same obligations of confidentiality, security, and lawful handling of PHI.

We may not use or disclose your PHI for any purpose other than those described in this Notice, unless you or your provider provide written authorization. We will never sell your PHI, and we do not use PHI for marketing purposes without appropriate authorization.

3. HOW WE MAY USE AND DISCLOSE PHI

We are permitted to use or disclose your PHI under HIPAA and related laws only for certain defined purposes, which we describe in this section. These uses and disclosures are either necessary to perform services on behalf of your provider or are required or permitted by law.

3.1 To Provide Services on Behalf of Covered Entities

Basil Therapy may use or disclose PHI to deliver technology-enabled services that your healthcare provider has authorized or requested. This includes facilitating appointment scheduling, sending reminders and confirmations, conducting pre-session check-ins or symptom surveys via WhatsApp or SMS, delivering care plan updates, coordinating follow-up activities, and processing patient-reported outcomes.

We may also provide tools that allow your provider to monitor your progress, view reports, and manage communication history. All such uses of PHI are performed solely in support of the care you receive from your provider, and we do not independently access, review, or act on your clinical data beyond what is necessary to fulfill those service functions.

3.2 For Our Legal and Operational Purposes

We may use PHI internally for certain operational needs directly related to our role as a Business Associate. This includes internal audits, security testing, system maintenance, privacy compliance reviews, staff training, and quality assurance. These functions are conducted to ensure that our systems are secure, our staff are properly trained in HIPAA compliance, and our services operate reliably in support of your provider’s obligations to you.

We may also use PHI to evaluate the performance of our platform, including to identify system errors, assess AI functionality, or improve the delivery of communications. However, such uses are always subject to access limitations and privacy protections.

3.3 To Subcontractors and Service Providers

In order to perform our services, we may engage third-party service providers, such as cloud hosting vendors, secure communications platforms, and data backup services. These subcontractors may have access to PHI in the course of performing their services for us.

Before disclosing PHI to any subcontractor, we require that party to sign a written agreement obligating them to implement HIPAA-compliant safeguards and to refrain from using or disclosing PHI for any purpose other than what we have authorized. We conduct due diligence before engaging such vendors and monitor compliance through audits and periodic reviews.

3.4 As Required or Permitted by Law

We may disclose PHI when required to do so by law. This includes disclosures to regulatory agencies, health oversight authorities, or law enforcement in response to a valid legal order, subpoena, or administrative request. We may also disclose PHI to comply with mandatory reporting obligations, such as those involving abuse, neglect, domestic violence, or public health threats.

If we are required to disclose PHI in response to a legal demand, we will, where permissible, notify the Covered Entity and allow them to respond directly or object as appropriate. We will not produce PHI without legal authority or in violation of our contractual obligations.

3.5 To Prevent Serious Threats

We may use or disclose PHI, without your provider’s or your consent, if we believe in good faith that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of another person. Any such disclosure would be made only to persons reasonably able to prevent or mitigate the threat, such as emergency responders, law enforcement, or medical personnel.

3.6 For Research or De-Identified Uses

We may use PHI for research purposes, but only under specific circumstances permitted by HIPAA and applicable law. This includes situations where a research protocol has been approved by an Institutional Review Board (IRB) and where appropriate safeguards are in place to protect your privacy.

We may also de-identify your PHI using either the Safe Harbor method or the expert determination process. Once data is de-identified in accordance with HIPAA standards, it is no longer considered PHI and may be used for research, analytics, product development, or benchmarking, provided that no attempt is made to re-identify the data.

4. YOUR RIGHTS REGARDING PHI

Although Basil Therapy acts as a Business Associate to healthcare providers and does not control your PHI directly, we support Covered Entities in fulfilling your rights under HIPAA and, where applicable, under U.S. state and international privacy laws. These rights apply to the PHI maintained by the Covered Entity, and Basil Therapy will, upon request, assist your provider in fulfilling the following rights:

4.1 Right to Access

You have the right to request access to your PHI maintained by the Covered Entity. This includes the right to inspect or obtain a copy of your health records in paper or electronic format, where available. Upon receiving such a request through your provider, Basil Therapy will assist in securely retrieving or transmitting the requested information in a timely manner and in a format that is readily understandable. You also have the right to request that your information be provided to a third party or in a portable electronic format where technically feasible.

4.2 Right to Amend

If you believe that information in your health record is inaccurate or incomplete, you have the right to request an amendment to your PHI. The request must be made in writing to your healthcare provider and must specify the reasons supporting the amendment. If your provider approves the request, Basil Therapy will assist in implementing the correction or supplement. If the provider denies the request, you have the right to submit a statement of disagreement, which will be included in future disclosures of your PHI.

4.3 Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made in the six years prior to the date of your request. This accounting will exclude disclosures made for treatment, payment, or healthcare operations, and may not include disclosures made to you, to your authorized representatives, or pursuant to a valid authorization. Basil Therapy will provide your provider with detailed records of such disclosures, where applicable, to help them respond to your request.

4.4 Right to Request Restrictions

You have the right to request restrictions on how your PHI is used or disclosed. For example, you may request that a provider not share certain information with a health plan if you paid for the service out of pocket. While your provider is not obligated to agree to all requested restrictions, they are required to comply with restrictions that meet specific legal conditions. Basil Therapy will implement and honor any restrictions communicated to us in accordance with our agreements and applicable law.

4.5 Right to Confidential Communications

You have the right to request that communications about your PHI be sent to you through alternative means or to an alternative location. For instance, you may request to receive appointment reminders via a different email address, phone number, or mailing address. If your provider approves your request, Basil Therapy will support such alternate communication methods by adjusting the communication pathways within our system.

4.6 Right to a Copy of This Notice

You have the right to obtain a paper or electronic copy of this Notice at any time, even if you have agreed to receive the Notice electronically. A copy is always available through the Basil Therapy website or may be requested through your provider.

4.7 International Privacy Rights

If you are located in a jurisdiction outside the United States, such as the European Union, the United Kingdom, Canada, or India, you may have additional rights under applicable privacy laws. These may include the right to object to processing, the right to data portability, the right to erasure (also known as the “right to be forgotten”), the right to withdraw consent, and the right to file complaints with a supervisory authority or data protection regulator. Basil Therapy will assist Covered Entities in responding to the exercise of these rights to the extent permitted or required by applicable law.

5. INTERNATIONAL DATA TRANSFERS

Basil Therapy operates in the United States. If you are located in a country outside the United States, please be aware that any information you provide to your healthcare provider or any PHI that is created or maintained in connection with services provided through the TheraDriver platform may be transferred to and processed in the United States. The data protection laws of the United States may not provide the same level of protection as the laws of your jurisdiction.

To address this, Basil Therapy employs appropriate safeguards to protect your information in connection with international data transfers. These may include Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner, Data Processing Agreements, vendor due diligence, Transfer Impact Assessments, and other legally required mechanisms. In jurisdictions such as India, where the DPDP Act applies, we will ensure that cross-border transfers meet local adequacy or explicit consent requirements, depending on regulatory guidance.

We also limit the data shared across borders to only what is strictly necessary to perform our services and ensure that it is handled with the same level of security and confidentiality as we apply within the United States.

6. BREACH NOTIFICATION

Basil Therapy maintains a robust incident response plan and takes all reasonable steps to protect PHI from unauthorized access, disclosure, or misuse. However, in the event of a breach of unsecured PHI, we are required to notify the applicable Covered Entity without unreasonable delay and no later than 30 calendar days from the date the breach is discovered or should reasonably have been discovered.

We will provide the Covered Entity with all legally required information regarding the breach, including a summary of what occurred, the type of information involved, the date of the breach, the date of discovery, the number of individuals affected, and the steps we are taking to investigate and mitigate harm. We will also cooperate in preparing notifications to affected individuals where required.

In jurisdictions outside the United States, we also comply with local breach notification requirements, such as the GDPR’s 72-hour deadline to notify supervisory authorities, and similar requirements under Canada’s PIPEDA and India’s DPDP Act. We document all incidents internally and conduct root cause analyses and mitigation efforts to prevent recurrence.

7. HOW TO CONTACT US

If you have any questions about this Notice, our privacy practices, or how your PHI is used or disclosed, you may contact us directly. You may also use the contact information below to request a copy of this Notice, exercise your rights, or file a concern.

Privacy Officer
Basil Therapy Inc.
1 Bluxome Street, Apt 411
San Francisco, CA 94107
Email: privacy@theradriver.com

We take all privacy-related inquiries seriously and will work with the relevant Covered Entity to address your request or concern in a timely and transparent manner. You will not be retaliated against for raising a question or filing a complaint.

8. COMPLAINTS

If you believe your privacy rights have been violated, you may submit a complaint to your healthcare provider or directly to Basil Therapy using the contact information provided above. You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by visiting https://www.hhs.gov/ocr/privacy/hipaa/complaints/ or by sending correspondence to:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/

If you are located outside of the United States, you may also have the right to submit a complaint to a local supervisory authority or data protection regulator. For individuals located in the European Union, this would generally be the Data Protection Authority in the country where you reside. For individuals in the United Kingdom, this would be the Information Commissioner’s Office (ICO). For individuals in Canada, this would be the Office of the Privacy Commissioner of Canada (OPC). For individuals in India, complaints may be filed with the Data Protection Board of India, once fully constituted under the Digital Personal Data Protection Act, 2023.

Basil Therapy encourages you to express any concerns about privacy without fear of retaliation. We will treat all complaints with seriousness and professionalism and will coordinate with the applicable Covered Entity to investigate and resolve any concern raised in accordance with applicable law and our internal privacy program. We are committed to maintaining trust in our services and protecting the rights of all individuals whose PHI we handle.

9. CHANGES TO THIS NOTICE

Basil Therapy reserves the right to change the terms of this Notice at any time, and to make the revised Notice effective for all PHI that we maintain, including information we received before the changes were made. We may revise this Notice due to changes in our privacy practices, updates to our services, or to reflect new legal or regulatory requirements at the federal, state, or international level.

Whenever we make a material change to this Notice, we will update the “Effective Date” at the top of the page. We will also post the revised Notice prominently on our website and, where required by law or applicable Business Associate Agreements, provide additional notification to the Covered Entities we serve.

We encourage you to review this Notice periodically to stay informed about how we protect your information and your rights. If you have any questions about changes to this Notice or would like a current copy, please contact us using the information provided in Section 7.