Privacy Policy

Ojai Recovery LLC

Effective Date: January 1, 2026

IMPORTANT NOTICE REGARDING TEXT MESSAGING DATA: Ojai Recovery LLC (“we,” “us,” or “our”) does not share customer opt-in information, including phone numbers and consent records, with any affiliates or third parties for marketing or promotional purposes. All text messaging originator opt-in data is kept strictly confidential.

IMPORTANT NOTICE REGARDING HEALTHCARE RECORDS: Ojai Recovery LLC provides substance use disorder (SUD) treatment services and is therefore subject to the heightened confidentiality protections of 42 CFR Part 2. SUD patient records are afforded significant additional protections beyond standard HIPAA requirements and may not be disclosed without patient written consent except in narrowly defined circumstances. Please read Section 7 carefully.

Ojai Recovery LLC (“Ojai Recovery,” “we,” “us,” or “our”) is committed to protecting the privacy and confidentiality of all individuals who seek information about, or receive, our behavioral health and substance use disorder treatment services at our inpatient facility located in Oak View, California. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and protected health information in connection with our website (https://www.ojairecovery.com) and our clinical services. By using our website or engaging with our services, you acknowledge receipt of this Privacy Policy.
This Privacy Policy applies to information collected through our website, telephone intake, admissions processes, and delivery of clinical treatment services. It does not apply to third-party websites linked from our site. For healthcare-related disclosures governed by HIPAA, please also refer to our separate Notice of Privacy Practices, available upon request or at point of admission.

1. Information We Collect
1.1 Personal Information You Provide
We collect personal information that you voluntarily provide when contacting us, completing intake forms, or engaging with our services, including:

  • Full name, date of birth, gender, and government-issued identification
  • Contact information including home address, telephone number(s), and email address
  • Health insurance information, policy numbers, and group identifiers for benefits verification
  • Financial and payment information, including billing address and payment method details
  • Emergency contact and authorized representative information
  • Communications you submit via our website contact forms, live chat, email, or telephone

1.2 Protected Health Information (PHI)
In the course of providing clinical services, we collect and maintain Protected Health Information (PHI) as defined under HIPAA, including but not limited to:

  • Medical history, diagnoses, and treatment records
  • Substance use history and substance use disorder treatment records (protected under both HIPAA and 42 CFR Part 2)
  • Mental health history, psychiatric evaluations, and psychotherapy notes (where separately maintained)
  • Medication records, laboratory results, and vital signs
  • Insurance claims, billing records, and remittance data
  • Intake assessments, treatment plans, progress notes, and discharge summaries


1.3 Automatically Collected Information

When you visit our website, we and our service providers may automatically collect certain technical information, including:

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, time spent on pages, links clicked, and referral source URLs
  • Geographic location data derived from IP address (general location only)
  • Session replay and analytics data used to improve website performance and user experience

This information is collected through cookies, web beacons, pixels, and similar technologies. Please see Section 9 for more information about cookies.

2. How We Use Your Information
2.1 Healthcare Operations and Treatment
We use personal information and PHI primarily to provide, coordinate, and improve clinical services, including:

  • Conducting intake assessments and developing individualized treatment plans
  • Coordinating care among our licensed clinical staff, physicians, and support personnel
  • Communicating with patients, family members (with appropriate authorization), and referring providers
  • Verifying insurance eligibility and processing insurance claims and billing
  • Maintaining clinical records as required by applicable federal and California state law
  • Conducting quality assurance, clinical audits, and performance improvement activities


2.2 Administrative and Operational Uses

We also use information for lawful administrative and operational purposes, including:

  • Scheduling appointments and sending reminders
  • Responding to inquiries, feedback, and complaints
  • Maintaining the security of our facilities, records, and information systems
  • Complying with regulatory requirements, licensing obligations, and court orders
  • Preventing fraud, abuse, and unauthorized access to our systems
  • Conducting staff training and organizational risk management


2.3 Marketing and Communications (With Consent)

With your prior express written or electronic consent, we may contact you with information about our services, alumni programs, and recovery resources. You may withdraw consent for marketing communications at any time by contacting us at the address in Section 13 or by following the opt-out instructions in any communication.

3. SMS Messaging & Compliance
By opting into SMS messaging through https://ojairecovery.com/contact-us/, you agree to receive appointment reminders, customer support messages, service notifications, and marketing communications from Ojai Recovery LLC.

Message frequency: Up to 1–3 messages per day.

To opt out of all SMS communications, reply STOP at any time.

To request assistance, reply HELP or contact us directly.
Standard message and data rates may apply depending on your mobile carrier plan.
Opt-out requests will be processed promptly. You may re-enroll at any time.

We do not share your SMS opt-in data, telephone number, or consent records with any third party for marketing or promotional purposes. SMS consent obtained through our website or intake process is separate from clinical consent and is managed independently.

4. Third-Party Services and Vendors
We work with carefully selected third-party service providers who assist us in operating our website, managing communications, processing payments, and delivering clinical services. These vendors are contractually required to maintain appropriate safeguards for any information they access.

4.1 Messaging Services
We use Twilio, Inc. as our SMS and communications platform. Information transmitted through Twilio, including phone numbers and message content, is subject to Twilio’s privacy and security policies and applicable TCPA compliance standards. Twilio maintains industry-standard security practices and SOC 2 compliance.

4.2 Website Analytics
We may use analytics services including Google Analytics and Microsoft Clarity to collect and analyze website usage data. These services may use cookies and similar tracking technologies to collect information about how visitors interact with our website. Google Analytics data is processed in accordance with Google’s privacy policies. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On.

4.3 Insurance Verification
We use third-party insurance verification tools to confirm patient insurance eligibility and benefits prior to admission. Information shared with these services for verification purposes is limited to what is necessary to complete the verification and is governed by Business Associate Agreements where applicable.

4.4 Electronic Health Records
We maintain electronic health records through a HIPAA-compliant electronic health record (EHR) platform. Our EHR vendor is a Business Associate subject to a signed Business Associate Agreement and is required to maintain appropriate administrative, physical, and technical safeguards for all PHI.

4.5 Business Associates
We enter into Business Associate Agreements (BAAs) with all vendors who access, use, or maintain PHI on our behalf, as required by HIPAA. We do not permit business associates to use or disclose PHI for any purpose other than performing the contracted services on our behalf.

5. Disclosure of Your Information
5.1 Permitted Disclosures Under HIPAA
We may disclose PHI without your written authorization in certain circumstances permitted by HIPAA, including:

  • To healthcare providers involved in your treatment for purposes of care coordination
  • To health plans, insurers, and third-party payers for billing and payment purposes
  • For our own internal healthcare operations, including quality review and staff training
  • To public health authorities for mandatory reporting of communicable diseases or adverse events
  • To comply with legal obligations, including valid court orders, subpoenas, or law enforcement requests as permitted by law
  • To avert a serious and imminent threat to the health or safety of a person or the public
  • To government agencies for oversight and audit functions
  • As required for workers’ compensation or similar programs

5.2 Disclosures Requiring Your Authorization
Most other uses and disclosures of your PHI require your specific written authorization, including:

  • Disclosures for marketing purposes
  • Sale of PHI
  • Disclosures of psychotherapy notes (where maintained separately)
  • Any other use or disclosure not described in this Privacy Policy or our Notice of Privacy Practices

You may revoke any authorization in writing at any time. Revocation is not retroactive and does not affect actions we have already taken in reliance on your authorization.

5.3 No Sale of Personal Information
We do not sell, rent, trade, or otherwise transfer your personal information or PHI to outside parties for their own commercial purposes.

6. Data Security
We implement a comprehensive set of administrative, physical, and technical safeguards designed to protect your personal information and PHI from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

  • Encryption of PHI in transit using TLS/SSL protocols and encryption at rest for electronic records
  • Role-based access controls limiting system access to authorized personnel based on job function
  • Secure, password-protected electronic health record systems with audit logging
  • Physical security controls at our facility, including restricted access to records and server rooms
  • Regular staff training on HIPAA privacy and security requirements and organizational data handling policies
  • Formal risk analysis and risk management processes in accordance with the HIPAA Security Rule
  • Incident response and breach notification procedures

While we employ robust security measures, no electronic transmission or storage system is completely secure. We encourage you to exercise caution when submitting sensitive information through our website and recommend that you contact us by telephone for communications involving personal health information.

7. Healthcare Privacy — HIPAA, 42 CFR Part 2, and California Law
7.1 HIPAA Compliance
Ojai Recovery LLC is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. We are required by law to: (i) maintain the privacy of your PHI; (ii) provide you with a Notice of Privacy Practices describing our legal duties and privacy practices; (iii) abide by the terms of our current Notice of Privacy Practices; and (iv) notify you following a breach of your unsecured PHI.

Our full Notice of Privacy Practices, which provides a detailed explanation of your rights and our obligations under HIPAA, is provided to patients at or before the time of their first service encounter and is available upon request. For questions about our HIPAA practices, please contact our Privacy Officer at the address in Section 13.

7.2 42 CFR Part 2 — Substance Use Disorder Records
Because Ojai Recovery LLC provides federally assisted substance use disorder (SUD) diagnosis, treatment, and referral for treatment services, patient records relating to SUD treatment are protected under 42 CFR Part 2 (“Part 2”), in addition to HIPAA.

NOTICE: Your substance use disorder treatment records are protected under the Confidentiality of Substance Use Disorder Patient Records regulations, 42 CFR Part 2. These regulations prohibit us from making any disclosure of your SUD records to a person, entity, or agency outside of Ojai Recovery LLC without your written consent, or as otherwise expressly permitted by Part 2.

Part 2 provides heightened protections for SUD records that exceed standard HIPAA requirements. Key protections under Part 2 include:

  • SUD patient records may generally not be disclosed without specific written patient consent, except in a narrow set of circumstances defined by Part 2.
  • A single consent for all future uses and disclosures for Treatment, Payment, and Health Care Operations (TPO) is permitted under the 2024 Final Rule updates to Part 2.
  • SUD records may not be used in civil, criminal, administrative, or legislative proceedings against a patient unless the patient provides written consent or a court order authorizes such use with an accompanying subpoena.
  • SUD Counseling Notes (defined as a clinician’s notes analyzing a counseling session maintained separately from the treatment record) require specific patient consent beyond a general TPO consent and cannot be disclosed without such separate authorization.
  • Part 2 breach notification requirements align with those under HIPAA; we will notify you in the event of a breach of your unsecured SUD records as required by law.

Part 2 records may be disclosed without patient consent in limited circumstances, including: bona fide medical emergencies, mandatory reporting to public health authorities (using de-identified data where required), communications within our program for treatment purposes, qualified service organization activities, and as required by audit and evaluation requirements.

To file a complaint regarding our Part 2 practices, you may contact our Privacy Officer or file a complaint directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at https://www.hhs.gov/ocr/complaints.

7.3 California Confidentiality of Medical Information Act (CMIA)
California’s Confidentiality of Medical Information Act (Civil Code §§ 56 et seq.) provides additional protections for medical information held by healthcare providers in California. Under the CMIA:

  • We may not disclose medical information about a patient without first obtaining written authorization from the patient or their authorized representative, subject to limited exceptions.
  • Medical information includes any individually identifiable information, in electronic or physical form, regarding a patient’s medical history, mental or physical condition, or treatment.

California law provides greater protections than HIPAA in certain respects, and we comply with the most protective standard applicable in any given circumstance.

7.4 Non-Discrimination
We are required by applicable federal law, including Section 1557 of the Affordable Care Act, to provide services and health coverage without discrimination on the basis of race, color, national origin, disability, age, sex, sexual orientation, gender identity, or pregnancy-related conditions. If you believe you have been subjected to prohibited discrimination, please contact our Privacy Officer.

8. Data Retention
We retain personal information and PHI only as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with applicable legal and regulatory requirements, resolve disputes, and enforce our agreements. Specific retention periods are established by applicable law:

  • California law generally requires healthcare providers to retain adult patient records for a minimum of seven (7) years from the date of service, or for minors, until the patient reaches age 19 or seven years from the date of service, whichever is later.
  • Substance use disorder treatment records subject to 42 CFR Part 2 are retained in accordance with applicable federal and state law requirements.
  • Billing and payment records are retained as required by federal and California tax, healthcare, and financial regulations.
  • SMS consent records and opt-in/opt-out logs are retained for compliance and operational purposes for a minimum of five (5) years.
  • Website analytics and usage data may be retained for up to twenty-four (24) months in identifiable form.

When records are no longer required, we securely destroy or de-identify them in accordance with applicable law and our internal records management policies.

9. Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies, including web beacons and pixels, to enhance website functionality, analyze usage patterns, and improve your online experience. Categories of cookies we use include:

  • Strictly Necessary Cookies: Essential for the website to function properly and cannot be switched off.
  • Performance and Analytics Cookies: Collect information about how visitors use our site to help us improve it (e.g., Google Analytics, Microsoft Clarity).
  • Functionality Cookies: Enable the website to remember choices you make and provide enhanced features.
  • Targeting Cookies: May be used to build profiles about you and show relevant content or advertisements on other sites.

You can control or disable cookies through your browser settings. Please note that disabling certain cookies may limit your ability to use some features of our website. We do not use cookies to collect PHI and instruct users not to include health information in website contact forms where possible.

Our website is not designed to respond to “Do Not Track” signals at this time. For California residents, please see Section 12 regarding your rights under the California Consumer Privacy Act.

10. Children’s Privacy
Our website and general marketing communications are directed to adults (persons 18 years of age or older). We do not knowingly collect personal information through our website from individuals under the age of 18 without verifiable parental or guardian consent.

If we become aware that we have inadvertently collected personal information from a minor through our website without appropriate consent, we will take prompt steps to delete such information. This section does not limit our ability to collect and maintain clinical information for minor patients enrolled in our treatment programs, which is handled in accordance with HIPAA and applicable California minor consent laws.

11. Your Rights and Choices
11.1 Rights Regarding Healthcare Records (HIPAA & California)
As a patient, you have the following rights with respect to your PHI:

  • Right to Access: You have the right to inspect and obtain a copy of your medical records maintained in a designated record set. Requests must be submitted in writing to our Privacy Officer.
  • Right to Amendment: You may request an amendment to your medical records if you believe they are inaccurate or incomplete. We will respond within sixty (60) days of your request.
  • Right to an Accounting of Disclosures: You have the right to receive a list of disclosures of your PHI that we have made for purposes other than treatment, payment, and healthcare operations.
  • Right to Request Restrictions: You may request that we restrict certain uses and disclosures of your PHI. We are required to agree to a restriction on disclosures to a health plan if the disclosure is for payment or healthcare operations and you have paid out of pocket in full.
  • Right to Confidential Communications: You may request that we communicate with you about your health matters using an alternative means or at an alternative location.
  • Right to a Paper Copy of This Notice: You may request a paper copy of our Notice of Privacy Practices at any time.


11.2 Additional Rights Under 42 CFR Part 2

With respect to your SUD treatment records, you additionally have the right to:

  • Revoke any consent to disclose your SUD records in writing at any time, except to the extent action has already been taken in reliance on such consent.
  • Request a restriction on certain disclosures of your SUD records.
  • Request an accounting of disclosures of your SUD records (compliance date to be set by HHS).

11.3 SMS and Marketing Communications
You may opt out of SMS messages at any time by replying STOP to any message. You may opt out of marketing emails by following the unsubscribe instructions in any email. Opting out of marketing communications does not affect clinical communications necessary for your care.

12. California Residents — Additional Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”). Please note that PHI collected in a healthcare context and maintained by a covered entity under HIPAA is generally exempt from certain CCPA provisions; however, we provide the following disclosure for any personal information not covered by that exemption.

12.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information for business and commercial purposes: identifiers (name, address, email, phone, IP address); protected classification characteristics (age, gender, medical condition); commercial information (payment records); internet or network activity (website usage); geolocation data (general location from IP); and inferences drawn from the above.

12.2 Your CCPA Rights
California residents have the right to:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of personal information we have collected, subject to applicable exceptions.
  • Right to Correct: Request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide our services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA rights request, please contact us using the information in Section 13. We will verify your identity before processing your request and respond within forty-five (45) days as required by law.

13. Breach Notification
In the event of a breach of unsecured PHI or unsecured SUD records, we will provide notification to affected individuals as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–164.414) and applicable California law. Notification will be provided without unreasonable delay and, in most cases, no later than sixty (60) days following our discovery of a breach. If a breach affects five hundred (500) or more residents of a state, we will also notify the Secretary of Health and Human Services and, if required, prominent media outlets.

14. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time as required by changes in applicable law, our practices, or other circumstances. If we make material changes, we will post the revised Privacy Policy on our website with an updated effective date and, where required by law, provide you with advance notice. Prior versions of this Privacy Policy will be retained and made available upon request. Continued use of our website or services following the effective date of any update constitutes your acceptance of the revised policy.

15. Contact Us
If you have questions or concerns about this Privacy Policy, wish to exercise your privacy rights, or need to reach our Privacy Officer, please contact us using the information below:

Ojai Recovery LLC
Address: 158 Rockaway Rd, Oak View, CA 93022
Phone: +1 (805) 273-8798
Email: [email protected]
Website: https://www.ojairecovery.com/

To file a complaint regarding our privacy practices, you may also contact the U.S. Department of Health and Human Services, Office for Civil Rights by visiting https://www.hhs.gov/ocr/complaints or calling 1-800-368-1019. We will not retaliate against you for filing a complaint.

This document does not constitute legal advice. Ojai Recovery LLC recommends that all privacy policy updates be reviewed by qualified healthcare and privacy counsel.