← Back to Genograms.net

1. Introduction

Genograms.net ("we," "our," "the Service") is a clinical genogram builder platform designed for healthcare providers and their clients. This Privacy Policy describes how we collect, use, disclose, and protect your information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2. Information We Collect

2.1 Account Information

• Name
• Email address
• Encrypted password (we never store plaintext passwords)
• Account role (provider or client)

2.2 Clinical Data (PHI)

When you create or collaborate on genograms, the following PHI may be collected:

• Patient/family member names, birth dates, death dates
• Medical conditions and diagnoses
• Mental health conditions and treatment status
• Substance use history
• Family relationship structures and dynamics
• Emotional relationship patterns (abuse, violence, enmeshment, etc.)
• Life events (trauma, incarceration, hospitalization, etc.)
• Occupation, education, religion, ethnicity, location
• Sexual orientation and gender identity
• Family roles and household information
• Clinical notes and annotations

2.3 Technical Data

• IP address (for security and audit logging)
• Browser user-agent (for security logging)
• Authentication timestamps
• Session activity data

3. How We Use Your Information

We use your information solely for the following purposes:

• Service Delivery: To provide the genogram builder platform and collaboration features
• Authentication: To verify your identity and maintain secure sessions
• Provider-Client Relationships: To facilitate provider invitations and client management
• Data Security: To protect against unauthorized access and detect suspicious activity
• Audit Compliance: To maintain legally required audit trails as mandated by HIPAA
• Service Improvement: Aggregated, de-identified usage patterns may be used for service improvement

4. How We Protect Your Information

4.1 Encryption

• In Transit: All data is encrypted using TLS 1.2 or higher
• At Rest: All stored data (user accounts, genograms, session data) is encrypted using AES-256-GCM

4.2 Access Controls

• Role-based access control (provider vs. client)
• Strong password requirements (12+ characters with complexity)
• Account lockout after 5 failed login attempts
• Automatic session timeout after 15 minutes of inactivity
• 8-hour maximum session duration

4.3 Security Measures

• CSRF protection on all state-modifying operations
• Content Security Policy (CSP) headers
• Rate limiting on authentication endpoints
• Comprehensive audit logging of all access and modifications
• WebSocket connections require authentication
• Secure cookie flags (HttpOnly, Secure, SameSite=Strict)

5. Information Sharing and Disclosure

We do not sell, rent, or trade your PHI. We may disclose information only in the following circumstances:

• Provider-Client Relationship: Providers can access genograms belonging to their linked clients
• Shared Genograms: Users you explicitly share genograms with can access that data
• Collaboration Sessions: Authenticated users in a collaboration session can view and edit shared genogram data
• Legal Requirements: We may disclose information if required by law, subpoena, or court order
• HIPAA Exceptions: As permitted under HIPAA for treatment, payment, or healthcare operations, or as required by law

6. Your Rights Under HIPAA

As a user of this Service, you have the following rights regarding your PHI:

• Right to Access: You may request a copy of your PHI at any time through the platform's export features
• Right to Amend: You may request corrections to your PHI through the platform's editing features
• Right to an Accounting of Disclosures: You may request a record of who has accessed your PHI (audit logs)
• Right to Restrict: You may request restrictions on certain uses and disclosures of your PHI
• Right to Confidential Communications: You may request that we communicate with you through specific means
• Right to Revoke Authorization: You may revoke any authorization you have given for use of your PHI
• Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services

7. Data Retention

• Active Accounts: Data is retained as long as your account is active
• Deleted Genograms: Genogram data is permanently deleted upon user request
• Collaboration Sessions: Session data is automatically purged after 30 days of inactivity
• Audit Logs: Retained for a minimum of 6 years as required by HIPAA
• Account Deletion: Upon request, all associated data will be securely deleted, except audit logs required by law

8. Cookies

We use a single essential cookie:

• auth_token: A secure, HttpOnly session cookie used solely for authentication. It contains no PHI and expires after 8 hours or upon logout.

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. Children's Privacy

This Service is intended for use by healthcare professionals and their adult clients. We do not knowingly collect information from children under 13. If you believe a child has provided PHI through the Service, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via the email address associated with their account. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Information

For questions about this Privacy Policy, to exercise your HIPAA rights, or to file a complaint:

• Email: support@genograms.net

For complaints to the federal government:
U.S. Department of Health and Human Services
Office for Civil Rights
https://www.hhs.gov/hipaa/filing-a-complaint/