// Trust & Security Report

    Talkiatry Management Services, LLC (platform); care delivered by affiliated medical groups, e.g. MCCD Psychiatry Services, P.L.L.C. and state-specific MCCD entities logo

    Talkiatry Management Services, LLC (platform); care delivered by affiliated medical groups, e.g. MCCD Psychiatry Services, P.L.L.C. and state-specific MCCD entities

    Telepsychiatry care delivery platform. Consumer/patient-facing service connecting patients to in-network psychiatrists and therapists for virtual visits, medication management, and therapy, billed through insurance. Also offers a B2B referral/partnership channel (Talkiatry Connect) for health systems and referring clinicians. Not a developer API or self-serve SaaS tool; it is a healthcare provider organization with a web/app booking and telehealth platform.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA
    HELD

    "Talkiatry is HIPAA compliant and takes great care to safeguard your personal health information." / "Information collected and stored by us or added by Customers into such Secure Platforms that is considered Protected Health Information ('PHI') and/or medical information is governed by applicable state and federal laws, for example the Health Insurance Portability and Accountability Act ('HIPAA')."

    Verify on talkiatry.com
    HIPAA Notice of Privacy Practices published
    HELD

    "Under HIPAA, MCCD Psychiatry Services must take steps to protect the privacy of your PHI." Notice of Privacy Practices is published covering MCCD Psychiatry Services, PLLC and its Affiliated Covered Entity.

    Verify on talkiatry.com
    CCPA / California privacy addendum
    HELD

    A dedicated California privacy addendum is published: "Privacy policy - Addendum for California residents."

    Verify on talkiatry.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of a SOC 2 Type 1 report, trust center, or SOC 2 attestation on talkiatry.com. A Vanta marketing case-study page (vanta.com/healthcare/talkiatry) references Talkiatry as a Vanta customer but does not state any completed SOC 2 audit, and that page is on Vanta's domain, not Talkiatry's, so it cannot be used as vendor-domain proof.

    source: talkiatry.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of a SOC 2 Type 2 report on talkiatry.com; no trust center exists to host one.

    source: talkiatry.com
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 anywhere on talkiatry.com privacy, terms, or help-center pages found.

    source: talkiatry.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No mention of ISO 42001 or an AI-governance certification on talkiatry.com, despite the Terms of Use disclosing use of AI/machine learning in care delivery.

    source: talkiatry.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification.

    source: talkiatry.com
    PCI DSS
    NOT CONFIRMED

    No direct PCI DSS attestation by Talkiatry; payment handling is delegated: "The Platform uses a third-party online payment processing application that stores...Payment Method details securely in accordance with Payment Card Industry requirements." This describes a third-party payment processor's PCI compliance (the processor's cert), not a Talkiatry-held PCI DSS certification, so graded held=false for Talkiatry itself.

    source: talkiatry.com
    GDPR
    NOT CONFIRMED

    No public evidence of GDPR posture, EU data residency, or GDPR-specific commitments. Talkiatry is a US-only telehealth provider (state-licensed psychiatrists in specific US states); GDPR is out of scope for this vendor's current market.

    source: talkiatry.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States only (state-licensed telepsychiatry provider); no EU/international data residency stated.

    The Terms of Use disclose that the medical service provider may use AI/machine learning for treatment, payment, or healthcare operations, and that patient data may be used to improve those AI tools: "the medical service provider...may use artificial intelligence (AI) and other machine learning technologies for your treatment, payment, or healthcare operations" and "To improve...AI tools, the Provider may use your data in accordance with all applicable laws, including...HIPAA." No patient-facing opt-out from AI use in clinical care was found. Separately, de-identified data may be used, disclosed, aggregated, or sold to third parties per Terms of Use Section 8. No formal Data Processing Agreement (DPA) template was found published for enterprise/B2B partners (Talkiatry Connect); this is unconfirmed rather than confirmed absent.

    // Security controls

    Administrative/technical/physical safeguards

    "We have taken steps and implemented administrative, technical, and physical safeguards designed to protect against the risk of accidental, intentional, unlawful, or unauthorized access..." No specific encryption standard (e.g. AES-256) or protocol is named.

    talkiatry.com

    Encryption in transit / at rest

    Not publicly specified. Privacy policy acknowledges "The Internet is not 100% secure and we cannot guarantee the security of information transmitted through the Internet."

    talkiatry.com

    Workforce training

    "All of our employees and physicians are required to maintain the confidentiality of PHI and receive appropriate privacy training."

    talkiatry.com

    Third-party vendor security incident (disclosed)

    "One of our vendors was impacted by a security incident, which affected some of our patients' or their primary insured's protected health information." Disclosed on the privacy/help-center pages; details of vendor name, scope, and date not published in the crawled pages. This is a known-vendor breach disclosure common across many healthcare organizations in 2025-2026 (e.g. widescale clearinghouse/vendor incidents), not necessarily a Talkiatry-caused breach, but it is a material disclosure buyers should see.

    talkiatry.com

    Third-party tracking/analytics on marketing site

    Uses Google Analytics, Meta Pixel, TikTok Pixel, Freshpaint, Microsoft Bing Ads, Snap Pixel and other trackers on the public marketing site (cookie consent banner present); separate from the clinical/patient portal.

    talkiatry.com

    PHI retention

    "Certain state and federal laws including...HIPAA prohibit Talkiatry from deleting most of the elements of individual protected health information (PHI)... Additionally, some states have a 10-year PHI retention period."

    talkiatry.com

    // Products & data scope

    Talkiatry (patient telepsychiatry)Consumer/patient mental health telehealth

    data: Protected Health Information (PHI): clinical records, appointment/video visit data, medication history, insurance details. Governed by HIPAA and the published Notice of Privacy Practices.

    Core consumer product: online psychiatrist matching, insurance-covered virtual visits, prescribing.

    Talkiatry Connect (referral/health-system partnerships)B2B referral integration for health systems and referring clinicians

    data: Referral and care-coordination data shared between referring providers and Talkiatry's affiliated medical groups under HIPAA Affiliated Covered Entity provisions.

    Distinct audience (administrators/clinicians) from the consumer patient product; no separate security documentation found for this channel.

    Marketing website / self-assessment quizzesPublic marketing and lead-generation tools

    data: Non-PHI browsing/behavioral data collected via third-party ad/analytics pixels prior to any clinical relationship.

    Governed by the general Privacy Policy, not the clinical Notice of Privacy Practices, until a patient relationship is established.

    // What to watch

    • No trust center, no SOC 2, and no ISO 27001 found anywhere on talkiatry.com despite handling clinical PHI at scale; only HIPAA (a legal/regulatory posture, not an independent third-party attestation) and a CCPA addendum are documented.
    • A Vanta marketing case-study page names Talkiatry as a customer, which suggests possible use of compliance-automation tooling, but it is hosted on vanta.com (not talkiatry's domain) and does not state any completed SOC 2 or HITRUST certification -> treated as non-evidence per host-vs-vendor rule; do not infer SOC 2 from this alone.
    • Terms of Use disclose AI/ML use in treatment, payment, and healthcare operations, and that patient data may be used to improve AI tools, with no visible patient opt-out mechanism found in the crawled/fetched pages -> flag for AI-training transparency.
    • A vendor security incident affecting some patients' PHI is disclosed on the site (vendor unnamed, scope/date not found) -> buyers should ask Talkiatry for the incident notification letter and remediation details before listing this as a fully clean record.
    • PCI DSS is handled by a third-party payment processor per Terms of Use language; this is the processor's certification, not Talkiatry's own -> correctly graded held=false for Talkiatry per host-vs-vendor rule.

    // At a glance

    Pricing model

    Insurance-billed care (patients pay copay/coinsurance through in-network insurance); not a subscription SaaS or per-seat/API pricing model.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Talkiatry Management Services, LLC (platform); care delivered by affiliated medical groups, e.g. MCCD Psychiatry Services, P.L.L.C. and state-specific MCCD entities's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    talkiatry.com

    > Browse all vendor trust reports