Spiritual Wellness and Recovery is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Parts 160 and 164). We maintain, use, and disclose protected health information (PHI) only in accordance with HIPAA and applicable state law.

Protected health information includes any individually identifiable information that relates to your past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare services.

Our Duties Under HIPAA

We are required by law to:

• Maintain the privacy of your protected health information
• Provide you with notice of our legal duties and privacy practices
• Abide by the terms of the Notice of Privacy Practices currently in effect
• Notify you in the event of a breach of your unsecured protected health information, as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

A full Notice of Privacy Practices is available upon request and will be provided at or before the time of your first service with us.

2. Confidentiality of Substance Use Disorder Records (42 CFR Part 2)

To the extent Spiritual Wellness and Recovery creates, maintains, or receives records that identify an individual as having or having had a substance use disorder, those records are protected by federal law under 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) and Section 543 of the Public Health Service Act (42 U.S.C. § 290dd-2).

Federal law and regulations prohibit us from making unauthorized disclosures of these records. Generally, we may not disclose that you are or have been a patient at our facility, or share any information from your substance use disorder records, without your written consent — except as specifically permitted or required by law.

Permitted disclosures without patient authorization may include, but are not limited to:

• Medical emergencies threatening your life or the life of another
• Audit and evaluation activities by oversight entities under proper agreements
• Court orders meeting the specific requirements of 42 CFR Part 2
• Reports of suspected child abuse or neglect to appropriate state authorities as required by law
• Communications within our facility among treating staff directly involved in your care
• Qualified service organization agreements (QSOAs) with business partners operating under proper protections

You have the right to consent in writing to disclosures not otherwise permitted by law. Any such consent may be revoked in writing at any time for future disclosures, except to the extent action has already been taken in reliance on it.

Violations of 42 CFR Part 2 may be reported to the U.S. Attorney for the judicial district in which the violation occurs.

3. How We May Use and Disclose Your Information

Subject to applicable law, Spiritual Wellness and Recovery may use and disclose protected health information and other personal information for the following purposes:

Treatment — To provide, coordinate, and manage healthcare and related services, including communicating with other providers involved in your care.

Payment — To obtain reimbursement for services provided, verify coverage, submit claims, and manage billing-related activities.

Healthcare Operations — For internal business functions including quality improvement, staff training, accreditation, licensing (including our DHCS, Joint Commission, and CARF obligations), and compliance activities.

Legal and Regulatory Requirements — When required or permitted by applicable federal or state law, including compliance reviews by the U.S. Department of Health and Human Services Office for Civil Rights, reporting requirements, court orders, and law enforcement purposes meeting applicable legal standards.

Business Associates — We may share information with third-party service providers (“business associates”) who perform services on our behalf. We require all business associates to protect your information under written agreements meeting HIPAA and applicable legal standards.

Emergency Situations — To prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law.

Other Permitted Purposes — Including approved research under proper IRB or privacy board review, audits, and evaluations.

We will not use or disclose your protected health information for purposes not described in this policy without your written authorization. Where authorization is required, you may revoke it in writing at any time for future uses and disclosures.

4. Your Privacy Rights

Depending on the nature of the information and applicable law, you may have the following rights:

Right to Notice — The right to receive a copy of this Privacy Policy and our Notice of Privacy Practices.

Right to Access — The right to inspect and obtain copies of your health information maintained in our records, subject to limited exceptions under HIPAA.

Right to Amend — The right to request corrections or amendments to your health information if you believe it is inaccurate or incomplete.

Right to an Accounting of Disclosures — The right to receive a list of certain disclosures we have made of your protected health information.

Right to Request Restrictions — The right to request that we restrict certain uses or disclosures of your health information. We are not required to agree to all requests, but if we do agree, we will honor the restriction.

Right to Confidential Communications — The right to request that we communicate with you about your health information through alternative means or at alternative locations.

Right to Restrict Disclosures to Health Plans — If you pay out of pocket in full for a specific healthcare item or service, you have the right to request that we not disclose information about that item or service to your health plan for payment or healthcare operations purposes, unless disclosure is otherwise required by law.

Right to a Paper Copy — The right to receive a paper copy of this policy upon request.

Right to File a Complaint — If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights, at:

U.S. Department of Health and Human Services 200 Independence Avenue, S.W. Washington, D.C. 20201 Toll-free: 1-877-696-6775 www.hhs.gov/ocr

We will not retaliate against you for filing a complaint.

To exercise any of these rights, please contact us using the information in Section 10 of this policy.

5. Website Information Collection

When you visit spiritualwellnessandrecovery.com, we may collect certain information automatically and through your voluntary interactions with the site.

Information You Provide Voluntarily

This includes information you submit through contact forms, admissions inquiry forms, insurance verification requests, phone calls, emails, chat tools, or any other direct communication. This may include your name, contact information, insurance details, and the nature of your inquiry.

Important: We treat any information you provide in connection with a potential or actual admissions inquiry with the same care and confidentiality standards that apply to patient information, including applicable HIPAA and 42 CFR Part 2 protections.

Automatically Collected Technical Data

We may automatically collect certain non-personal technical information when you visit our website, including:

• IP address and approximate geographic location
• Browser type and version
• Device type and operating system
• Pages visited and time spent on each page
• Referring website or search engine
• Date and time of visit

This data is used to maintain website security, diagnose technical issues, improve user experience, and understand how the site is used in aggregate.

6. Cookies and Tracking Technologies

Our website may use cookies and similar tracking technologies (such as pixels, web beacons, or local storage) for purposes including session management, authentication, user preferences, website analytics, and functionality.

You may manage, restrict, or delete cookies through your browser settings. Note that disabling certain cookies may affect the functionality of some website features.

Important notice regarding health information and advertising tracking: We do not use standard advertising pixels (such as the Meta Pixel or Google Ads conversion tracking) in a manner that associates condition-specific page visits with identifiable user data, as such practices may implicate HIPAA. Any analytics or tracking tools we use for marketing purposes are implemented through a HIPAA-covered intermediary under a signed Business Associate Agreement (BAA), or through privacy-preserving, non-identifying analytics platforms.

7. Third-Party Service Providers

We may engage third-party vendors and service providers to support website operations, analytics, communications, payment processing, and hosting. These providers may access personal or technical information only to the extent necessary to perform their services on our behalf and are contractually required to maintain appropriate confidentiality and security protections.

Where a service provider handles protected health information, we require a signed Business Associate Agreement (BAA) meeting HIPAA requirements before any information is shared.

Payment processing: Payment card and financial data, when applicable, is processed directly by PCI-DSS compliant third-party payment processors. We do not store payment card numbers on our systems.

We are not responsible for the privacy practices of third-party websites linked from our site. Users should review the privacy policies of any external sites before providing personal information.

8. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect personal information and protected health information from unauthorized access, use, disclosure, alteration, or destruction. These include access controls, encrypted transmission, staff training, and regular security review.

No method of internet transmission or electronic storage is completely secure. While we work diligently to protect your information, we cannot guarantee absolute security. In the event of a breach affecting unsecured protected health information, we will notify affected individuals and relevant authorities as required by HIPAA and applicable state law.

9. Children’s Privacy

Our website and services are intended for adults seeking addiction and mental health treatment services. We do not knowingly collect personal information from individuals under the age of 18 through our website without parental or legal guardian consent where required by law.

If we become aware that we have collected personal information from a minor without appropriate authorization, we will take prompt steps to delete that information. If you believe a minor’s information has been collected inappropriately, please contact us immediately.

10. California Residents — Additional Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), to the extent those laws apply to your information.

These rights may include:

• The right to know what personal information is collected, used, shared, or sold
• The right to delete personal information we hold about you
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information
• The right to limit the use of sensitive personal information
• The right to non-discrimination for exercising your privacy rights

Please note: Information protected under HIPAA and 42 CFR Part 2 is generally exempt from CCPA requirements and is governed by those federal laws. For all other personal information, you may submit a request using the contact information in Section 11 below.

11. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in applicable law, our services, technologies, or business practices. When we make material changes, we will update the “Last Updated” date at the top of this policy. The updated policy becomes effective when posted unless we state otherwise.

We encourage you to review this policy periodically. Continued use of our website or services after an updated policy is posted constitutes your acknowledgment of the changes.

12. Contact Us

For questions about this Privacy Policy, to exercise your privacy rights, or to submit a privacy-related complaint, please contact:

Privacy Officer Spiritual Wellness and Recovery 17250 Parthenia Street Northridge, CA 91325 Phone: (866) 671-3405 Email: [info@spiritualwellnessandrecovery.com]

Attorney Review Notice

This Privacy Policy has been drafted specifically for Spiritual Wellness and Recovery and incorporates applicable provisions of HIPAA (45 CFR Parts 160 and 164), 42 CFR Part 2, the HITECH Act, California law including CCPA/CPRA, and general website privacy principles. Before publishing, this policy should be reviewed by a qualified healthcare attorney or privacy compliance professional to confirm it accurately reflects the facility’s specific services, data practices, technology vendors, business associate relationships, and current legal obligations.