// Trust & Security Report
Talkiatry Management Services, LLC (platform); care delivered by affiliated medical groups, e.g. MCCD Psychiatry Services, P.L.L.C. and state-specific MCCD entities
Telepsychiatry care delivery platform. Consumer/patient-facing service connecting patients to in-network psychiatrists and therapists for virtual visits, medication management, and therapy, billed through insurance. Also offers a B2B referral/partnership channel (Talkiatry Connect) for health systems and referring clinicians. Not a developer API or self-serve SaaS tool; it is a healthcare provider organization with a web/app booking and telehealth platform.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on talkiatry.com“"Talkiatry is HIPAA compliant and takes great care to safeguard your personal health information." / "Information collected and stored by us or added by Customers into such Secure Platforms that is considered Protected Health Information ('PHI') and/or medical information is governed by applicable state and federal laws, for example the Health Insurance Portability and Accountability Act ('HIPAA')."”
Verify on talkiatry.com“"Under HIPAA, MCCD Psychiatry Services must take steps to protect the privacy of your PHI." Notice of Privacy Practices is published covering MCCD Psychiatry Services, PLLC and its Affiliated Covered Entity.”
Verify on talkiatry.com“A dedicated California privacy addendum is published: "Privacy policy - Addendum for California residents."”
> Show 7 unconfirmed / not-held certifications
source: talkiatry.comNo public evidence of a SOC 2 Type 1 report, trust center, or SOC 2 attestation on talkiatry.com. A Vanta marketing case-study page (vanta.com/healthcare/talkiatry) references Talkiatry as a Vanta customer but does not state any completed SOC 2 audit, and that page is on Vanta's domain, not Talkiatry's, so it cannot be used as vendor-domain proof.
source: talkiatry.comNo public evidence of a SOC 2 Type 2 report on talkiatry.com; no trust center exists to host one.
source: talkiatry.comNo mention of ISO 27001 anywhere on talkiatry.com privacy, terms, or help-center pages found.
source: talkiatry.comNo mention of ISO 42001 or an AI-governance certification on talkiatry.com, despite the Terms of Use disclosing use of AI/machine learning in care delivery.
source: talkiatry.comNo public evidence of CSA STAR registration or certification.
source: talkiatry.comNo direct PCI DSS attestation by Talkiatry; payment handling is delegated: "The Platform uses a third-party online payment processing application that stores...Payment Method details securely in accordance with Payment Card Industry requirements." This describes a third-party payment processor's PCI compliance (the processor's cert), not a Talkiatry-held PCI DSS certification, so graded held=false for Talkiatry itself.
source: talkiatry.comNo public evidence of GDPR posture, EU data residency, or GDPR-specific commitments. Talkiatry is a US-only telehealth provider (state-licensed psychiatrists in specific US states); GDPR is out of scope for this vendor's current market.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States only (state-licensed telepsychiatry provider); no EU/international data residency stated.
The Terms of Use disclose that the medical service provider may use AI/machine learning for treatment, payment, or healthcare operations, and that patient data may be used to improve those AI tools: "the medical service provider...may use artificial intelligence (AI) and other machine learning technologies for your treatment, payment, or healthcare operations" and "To improve...AI tools, the Provider may use your data in accordance with all applicable laws, including...HIPAA." No patient-facing opt-out from AI use in clinical care was found. Separately, de-identified data may be used, disclosed, aggregated, or sold to third parties per Terms of Use Section 8. No formal Data Processing Agreement (DPA) template was found published for enterprise/B2B partners (Talkiatry Connect); this is unconfirmed rather than confirmed absent.
// Security controls
Administrative/technical/physical safeguards
"We have taken steps and implemented administrative, technical, and physical safeguards designed to protect against the risk of accidental, intentional, unlawful, or unauthorized access..." No specific encryption standard (e.g. AES-256) or protocol is named.
talkiatry.comEncryption in transit / at rest
Not publicly specified. Privacy policy acknowledges "The Internet is not 100% secure and we cannot guarantee the security of information transmitted through the Internet."
talkiatry.comWorkforce training
"All of our employees and physicians are required to maintain the confidentiality of PHI and receive appropriate privacy training."
talkiatry.comThird-party vendor security incident (disclosed)
"One of our vendors was impacted by a security incident, which affected some of our patients' or their primary insured's protected health information." Disclosed on the privacy/help-center pages; details of vendor name, scope, and date not published in the crawled pages. This is a known-vendor breach disclosure common across many healthcare organizations in 2025-2026 (e.g. widescale clearinghouse/vendor incidents), not necessarily a Talkiatry-caused breach, but it is a material disclosure buyers should see.
talkiatry.comThird-party tracking/analytics on marketing site
Uses Google Analytics, Meta Pixel, TikTok Pixel, Freshpaint, Microsoft Bing Ads, Snap Pixel and other trackers on the public marketing site (cookie consent banner present); separate from the clinical/patient portal.
talkiatry.comPHI retention
"Certain state and federal laws including...HIPAA prohibit Talkiatry from deleting most of the elements of individual protected health information (PHI)... Additionally, some states have a 10-year PHI retention period."
talkiatry.com// Products & data scope
data: Protected Health Information (PHI): clinical records, appointment/video visit data, medication history, insurance details. Governed by HIPAA and the published Notice of Privacy Practices.
Core consumer product: online psychiatrist matching, insurance-covered virtual visits, prescribing.
data: Referral and care-coordination data shared between referring providers and Talkiatry's affiliated medical groups under HIPAA Affiliated Covered Entity provisions.
Distinct audience (administrators/clinicians) from the consumer patient product; no separate security documentation found for this channel.
data: Non-PHI browsing/behavioral data collected via third-party ad/analytics pixels prior to any clinical relationship.
Governed by the general Privacy Policy, not the clinical Notice of Privacy Practices, until a patient relationship is established.
// What to watch
- No trust center, no SOC 2, and no ISO 27001 found anywhere on talkiatry.com despite handling clinical PHI at scale; only HIPAA (a legal/regulatory posture, not an independent third-party attestation) and a CCPA addendum are documented.
- A Vanta marketing case-study page names Talkiatry as a customer, which suggests possible use of compliance-automation tooling, but it is hosted on vanta.com (not talkiatry's domain) and does not state any completed SOC 2 or HITRUST certification -> treated as non-evidence per host-vs-vendor rule; do not infer SOC 2 from this alone.
- Terms of Use disclose AI/ML use in treatment, payment, and healthcare operations, and that patient data may be used to improve AI tools, with no visible patient opt-out mechanism found in the crawled/fetched pages -> flag for AI-training transparency.
- A vendor security incident affecting some patients' PHI is disclosed on the site (vendor unnamed, scope/date not found) -> buyers should ask Talkiatry for the incident notification letter and remediation details before listing this as a fully clean record.
- PCI DSS is handled by a third-party payment processor per Terms of Use language; this is the processor's certification, not Talkiatry's own -> correctly graded held=false for Talkiatry per host-vs-vendor rule.
// At a glance
Pricing model
Insurance-billed care (patients pay copay/coinsurance through in-network insurance); not a subscription SaaS or per-seat/API pricing model.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Talkiatry Management Services, LLC (platform); care delivered by affiliated medical groups, e.g. MCCD Psychiatry Services, P.L.L.C. and state-specific MCCD entities's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
talkiatry.com