Privacy Policy & HIPAA Notice

Recentered Life, LLC (“Recentered Life,” “we,” “our,” or “us”) is a JCAHO-accredited behavioral health provider licensed to deliver virtual intensive outpatient, outpatient therapy, and guided recovery services in the State of California. We are committed to protecting the privacy and security of your personal information and protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the California Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), and all other applicable federal and state laws.

This Privacy Policy and HIPAA Notice of Privacy Practices describes how we collect, use, maintain, protect, and disclose your information. It applies to information collected through our website (recenteredlife.com), our clinical programs, and any related communications.

1. Information We Collect

1.1 Personal Information

When you interact with our website, request a benefits verification, complete an assessment, or enroll in a program, we may collect:

• Full name, date of birth, and contact information (email, phone number, mailing address)
• Insurance carrier, member ID, group number, and subscriber information
• Emergency contact information
• Referring provider or facility information

1.2 Protected Health Information (PHI)

During the course of your treatment, we create and maintain clinical records that may include:

• Clinical assessments, intake evaluations, and diagnostic impressions
• Treatment plans, progress notes, and discharge summaries
• Group therapy attendance and participation records
• Self-assessment responses (e.g., pattern assessment quiz results)
• Medication information, if applicable
• Correspondence between you and your treatment team

1.3 Website and Technical Data

We automatically collect certain technical information when you visit our website:

• IP address, browser type, device type, and operating system
• Pages visited, time spent, and referral source
• Cookies and similar tracking technologies (see Section 8)

Website analytics data is collected in aggregate and does not include PHI.

1.4 Payment Information

Payment transactions are processed through Stripe, Inc., a PCI DSS Level 1 certified payment processor. Recentered Life does not store, process, or have access to your full credit card number. Stripe's privacy policy governs the handling of payment data.

2. How We Use Your Information

We use your information for the following purposes:

• Treatment: To provide, coordinate, and manage your clinical care, including intake assessments, treatment planning, group and individual sessions, and care coordination with referring providers
• Payment: To verify insurance benefits, submit claims, process payments, and communicate about billing
• Healthcare Operations: To conduct quality improvement activities, clinical supervision, compliance auditing, accreditation surveys (including JCAHO), and staff training
• Communication: To contact you regarding appointments, program updates, and educational resources you have opted into
• Legal Compliance: To comply with federal and state laws, respond to lawful requests from government authorities, and cooperate with regulatory agencies

3. HIPAA Notice of Privacy Practices

This section constitutes our Notice of Privacy Practices as required by 45 CFR 164.520.

3.1 Uses and Disclosures That Do Not Require Your Authorization

We may use or disclose your PHI without your written authorization in the following circumstances:

• Treatment, payment, and healthcare operations as described in Section 2
• As required by law, including mandatory reporting obligations under California law
• Public health activities, such as reporting communicable diseases or adverse events
• Victims of abuse, neglect, or domestic violence, as required by California Welfare and Institutions Code
• Health oversight activities, including audits, investigations, and licensure inspections
• Judicial and administrative proceedings, in response to a court order or lawful subpoena
• Law enforcement purposes, as required or permitted by law
• To avert a serious threat to health or safety, consistent with the Tarasoff duty to warn under California law
• Coroners, medical examiners, and funeral directors, as necessary for their lawful duties
• Workers' compensation, as authorized by and necessary to comply with workers' compensation laws

3.2 Uses and Disclosures That Require Your Written Authorization

We will obtain your written authorization before:

• Using or disclosing your PHI for marketing purposes
• Selling your PHI (we do not sell PHI)
• Disclosing psychotherapy notes, if maintained separately from the medical record
• Sharing your information with parties not involved in your treatment, payment, or healthcare operations

You may revoke any authorization in writing at any time, except to the extent that we have already acted in reliance on the authorization.

3.3 Substance Use Disorder Records

If you receive treatment for substance use disorders, your records are protected under 42 CFR Part 2, which imposes additional restrictions on disclosure beyond standard HIPAA protections. These records may not be disclosed without your specific written consent, except in limited circumstances defined by federal law (e.g., medical emergencies, qualified research, court order with specific findings).

3.4 Your Rights Under HIPAA

You have the following rights regarding your PHI:

• Right to access: You may request a copy of your health records. We will provide them within 30 days of your request in the format you prefer, if reasonably available.
• Right to amend: You may request that we correct information you believe is inaccurate or incomplete. We may deny the request in certain circumstances and will provide a written explanation if we do.
• Right to an accounting of disclosures: You may request a list of disclosures we have made of your PHI for purposes other than treatment, payment, healthcare operations, or disclosures you authorized in writing.
• Right to request restrictions: You may ask us to limit how we use or disclose your PHI. We are not required to agree to all requests, but we must comply if you pay for services out of pocket and request that we not disclose to your health plan.
• Right to confidential communications: You may request that we communicate with you by alternative means or at alternative locations (e.g., a different phone number or email address).
• Right to a paper copy: You may request a paper copy of this Notice at any time.
• Right to be notified of a breach: You will be notified in writing if a breach of your unsecured PHI occurs, as required by the HITECH Act.

To exercise any of these rights, contact our Privacy Officer using the information in Section 11.

4. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose what personal information we have collected, used, disclosed, or sold about you in the preceding 12 months.
• Right to delete: You may request that we delete personal information we have collected, subject to certain exceptions (including information necessary for clinical care or legal compliance).
• Right to opt out of sale: We do not sell personal information. If this practice changes, we will provide a conspicuous opt-out link.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

Note: PHI governed by HIPAA is exempt from CCPA. The CCPA applies to personal information that is not part of your clinical record.

5. Information Sharing and Third Parties

We do not sell your personal information or PHI. We may share information with the following categories of recipients:

• Insurance carriers and billing partners: To verify benefits, obtain prior authorization, and process claims
• Referring providers and facilities: With your written consent, to coordinate care transitions
• Business associates: Third-party service providers who perform functions on our behalf (e.g., electronic health records, video conferencing, payment processing, email delivery) under HIPAA-compliant Business Associate Agreements (BAAs)
• Government agencies: When required by law, including mandatory reporting obligations, public health authorities, and law enforcement with appropriate legal process

6. Telehealth-Specific Privacy Considerations

All clinical services are delivered via HIPAA-compliant video conferencing technology. You should be aware that:

• We use end-to-end encrypted platforms that comply with HIPAA technical safeguards
• We maintain BAAs with all telehealth technology vendors
• You are responsible for ensuring that your physical environment is private during sessions
• We cannot guarantee the privacy of information transmitted over the internet, though we implement industry-standard protections
• Recording of clinical sessions by any party without prior written consent from all participants is prohibited
• In the event of a technology failure during a session, your clinician will follow established re-connection protocols

7. Data Security

We implement administrative, technical, and physical safeguards to protect your information, including:

• Encrypted data transmission (TLS 1.2+) and encrypted data storage (AES-256)
• Role-based access controls limiting PHI access to authorized clinical and administrative staff
• Multi-factor authentication for all systems containing PHI
• Regular security risk assessments and penetration testing
• Workforce training on HIPAA privacy and security requirements
• Incident response procedures for suspected breaches
• Secure cloud infrastructure with SOC 2 Type II certified hosting providers

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for website functionality (e.g., session management, form submissions)
• Analytics cookies: Help us understand how visitors use our site (e.g., page views, traffic sources). We use these in aggregate and they do not collect PHI.
• Marketing cookies: Used to deliver relevant content and measure advertising effectiveness. These may be shared with advertising partners.

You may control cookies through your browser settings. Disabling certain cookies may limit website functionality. Our website does not currently respond to Do Not Track (DNT) browser signals, though we honor opt-out requests made through the mechanisms described in Section 4.

9. Minors

Our clinical programs are designed for adults 18 years of age and older. We do not knowingly collect personal information from individuals under 18 through our website. If you believe we have inadvertently collected information from a minor, contact us immediately and we will delete it.

10. Data Retention

We retain clinical records for a minimum of 10 years from the date of last treatment, or as otherwise required by California law and applicable professional licensing standards. Non-clinical personal information (e.g., website inquiries, newsletter subscriptions) is retained for as long as necessary to fulfill the purpose for which it was collected, or as required by law.

11. Contact Information

For questions about this policy, to exercise your privacy rights, or to file a privacy complaint:

You also have the right to file a complaint with:

• The U.S. Department of Health and Human Services, Office for Civil Rights (OCR)
• The California Department of Public Health
• The California Attorney General's Office (for CCPA-related complaints)

We will not retaliate against you for filing a complaint.

12. Changes to This Policy

We reserve the right to update this Privacy Policy and HIPAA Notice at any time. If we make material changes, we will post the revised policy on our website with an updated effective date. Material changes to our privacy practices will be communicated to active patients in writing. Your continued use of our website or services after changes are posted constitutes your acknowledgment of the revised policy.