Next Step Recovery (“NSR”,” “us”, “we”, or “our”) operates the nextsteprecovery.com (“Website”), and provides various services to clients in order to manage and care for individuals who suffer from behavioral illnesses, chemical dependencies or addiction disorders. Among other services, we offer recovery programs and intensive outpatient programs (hereinafter collectively referred to as the “Services”).
- Personal Information (also known as “Personal Data”): Personal Information means data about a particular individual or household that identifies, relates to, describes, could be reasonably linked with, or could be used to identify that person or household (or from those and other information either in our possession or likely to come into our possession). Personal Information includes medical and clinical information (Protected Health Information or PHI). It also includes other information that may be associated with your Personal Information, such as your Usage Data (defined below), location, preferences, or interests, if that information can be used to identify you or your household.
- Services: As noted above, our Services include the website owned and operated by NSR as well as any services provided, including, but not limited to, on-site guarding, fire and safety services, and corporate risk management.
- Cookies: Cookies are small files stored on your device (computer or mobile device).
- Data Processors: Any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
- User: Any individual who uses our Services and is the subject of Personal Information collected and/or processed.
- Information Collection and Use
Included below is a list of several different types of information for various purposes to provide and improve our Service to you.
- Personal Information. While using our Services, we may ask you to provide us with or otherwise obtain certain personally identifiable information that can be used to contact or identify you (“Personal Information,” as defined above). Such Personal Information may include but is not limited to, your name, address, email address, username, and any other information that may identify you.
- Generic Information. Generic information is information that does not directly reveal the identity of a NSR customer, or visitor to the Website. This information may include Usage Data and other aggregate usage metrics such as the total number of Website visitors, pages viewed, and usage patterns within the Website, etc. This may also include information about your device. We may automatically gather some Generic Information from our members, customers, and Website visitors. At times, the combination of various types of data, including Generic information and Usage Data, may enable you to be identified, and may therefore qualify as Personal Information.
- Usage Data: We may also collect information on how you access and use our Services (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags, and scripts to collect and track information and to improve and analyze our Services.
Examples of Cookies and other technologies we may use include, but are not limited to:
- Session Cookies– These are cookies that enable our website to keep track of movement from page to page so you do not get asked for information that you have already provided to the Website.
- First Party Cookies– This allows NSR to remember website configurations about our users (e.g. language preferences).
Your Cookie Choices
III. How We Collect Information
NSR collects and obtains your information in a few ways: there is information that you choose to give to us, the information we obtain through your use of our Services – including our Website – and information we obtain from third parties.
- Information You Give Us
We collect information that you decide to share with us. At times, we may require you to provide certain information – including Personal Information – in order to use certain parts of our Website, fulfill your requests with us, or provide you with certain Services. For instance, we may require you to provide your name, email address, or other contact information when you contact us with a question or comment. Additionally, we may need you to provide certain Personal Information to use other portions of our Services.
- Information We Obtain When You Use Our Services
As noted above, we collect certain information from you through your use of our Services, such as Usage Data. For instance, in using our Website, we may collect information about the device you use to log into, access, and use the Website. We may collect other Generic Information in relation to how you use our Website or other Services (for example, aggregate metrics on how often certain pages on our Website are accessed and viewed).
- Information We Obtain from Third Parties
We may also obtain information about you from our third-party service providers who help us provide our Services to you.
- Purposes for Collecting, Processing, and Using Your Information
NSR collects, processes (or asks our service providers to process on our behalf), and uses your information to provide the Services we make available to you. We therefore will collect and use your information for a variety of reasons, including:
- To perform a contract with you, or provide those Services you have requested of NSR.
- You have otherwise given us your consent and permission to do so.
- The collection and processing are in our legitimate interests or the legitimate interests of a third party and are not outweighed by any applicable rights you may have. For instance, we may use your information to assist with fraud prevention, improve the security of our networks, assist with enhancing the physical security of our customers, and reporting suspected criminal activity to law enforcement. We may also use your information in relation to certain direct marketing events.
- To comply with applicable laws, in response to a lawful and enforceable request by law enforcement, judicial, or other public authority, or in connection with an applicable legal obligation.
- How We Use Your Information
Such general uses include, but are not limited to:
- Enhancing user experience and functionality on our Website;
- To provide and maintain our Services;
- To notify you about a change to our Services;
- To provide appropriate information to ensure the health and wellness of our clients;
- How We Disclose or Share Your Information
NSR does not and will not sell your personal information Please note that NSR may disclose your information in a number of ways in furtherance of our Services to you. For instance, we may share your information with other healthcare providers to ensure that all necessary information is transferred to facilitate necessary treatment and care.
We may also disclose or share your information for the following purposes:
- To comply with a legal obligation;
- To prevent or investigate wrongdoing or mistakes in connection with our Services;
- To protect against legal liability;
- When there is a good faith belief that such action is necessary to investigate or protect against harmful activities to our guests, visitors, associates, or property, or to others (including NSR itself). This may include disclosures to law enforcement to investigate potential criminal activity or other civil violations.
VII. Security of Data
NSR takes reasonable, technical, organization, and other measures to protect the personal information we collect from being subject to accidental or unlawful destruction, accidental loss or alteration, disclosure without authorization, and any other unlawful actions taken against otherwise protected information. Moreover, NSR takes all judicious legal, technical, and organizational measures reasonably necessary to ensure that all personal information is handled with a sufficient level of security. Furthermore, NSR takes all reasonable measures to protect personal information when it is shared with third parties.
Despite the security measures taken, NSR cannot guarantee the protection of the data you provide to us.
VIII. Your Data Protection and Privacy Rights Under the California Consumer Privacy Act (“CCPA”)
California Residents. NSR takes reasonable steps to allow you to exercise your rights pursuant to CCPA. As such, where applicable under the relevant law, you are entitled to the following[Moran, Th1] :
- Right to Access / Disclosure: The right to have access to your Personal Information upon simple request – that is, you may receive a copy of such data upon receipt of a verifiable request, along with other information related to the processing.
- Disclosure of Direct Marketers: The right to have access upon simple request, and free of charge, the categories and names of addresses of third parties that have received Personal Information for direct marketing purposes. NSR does not disclose your personal information to direct marketers.
- Selling, Sharing, or Disclosing Personal Information: Upon receipt of a verifiable request, to obtain a list of:
- The categories of Personal Information collected about you, sold to third parties, or disclosed to third parties for business purposes;
- The categories of Personal Information sold within the last 12 months;
- The categories of sources from which Personal Information is collected;
- The business or commercial purpose for collecting or selling Personal Information; and
- The categories of third parties with whom Personal Information is shared, sold or disclosed for a business purpose.
- Right to Correction: The right to correct your Personal Information if you find it is inaccurate, incomplete, or obsolete.
- Right to Deletion / “Right to be Forgotten”: The right to obtain the deletion of your Personal Information in the situations set forth by applicable data protection law. This right does not apply to many situations involving medical information where treatment is still ongoing or the information is otherwise necessary.
- Withdraw of Consent to Processing: The right to withdraw your consent to the data processing without affecting the lawfulness of processing, where your Personal Information has been collected and processed based on your consent and not any other basis.
- Right to Object: The right to object to the processing of your Personal Information under certain circumstances, in which case we may ask you to justify your request by explaining to us your particular situation.
- Right to Restrict Processing: The right to request limits to the processing of your data, when allowed by and in circumstances set forth under applicable law.
- Right to Data Portability: The right to have your Personal Information directly transferred by us to a third-party processor of your choice (where technically feasible; may be limited to situations when processing is based on your consent).
- Right to Non-Discrimination: As defined under the relevant law, you have a right to non-discrimination in the Services or quality of Services you receive from us for exercising your rights.
Please contact us using the information in the “Contact Information” section at the very bottom of this document, in relation to exercising these rights.
- Exercising Your CCPA Rights
- Access to Specific Information
California residents have the right to request information from us regarding the manner in which we share certain categories of personal information with these parties for their direct marketing purposes, in addition to the rights set forth above. Under California law, you have the right to send us a request at the designated address at the conclusion of this policy. You may request the following information:
- The categories of personal information we collected about you.
2. The categories of sources for the personal information we collected about you.
3. Our business or commercial purpose for collecting that personal information.
4. The categories of third parties with whom we share that personal information.
5. The specific pieces of personal information we collected about you (also called a data portability request).
6. If we disclose or sell your information for a business purpose, you have the right to identify the personal information categories that each category of recipient obtained.
- Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to limited exceptions. Once we receive a verifiable request and determine that it is not subject to exceptions, we will delete your personal information from our records. Please note, personal information involved in the ongoing treatment of our patients, with NSR or elsewhere, will not be subject to deletion.
Moreover, we may deny your deletion request if retaining the information is necessary for us or any applicable third party to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.);
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement if you previously provided informed consent;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- Comply with a legal obligation;
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- Making a Request
To exercise the access or deletion rights listed above, please submit a verifiable consumer request to us by either:
- Write to: Next Step Recovery, 900 Hendersonville Rd Ste 203
Asheville, NC, USA 28803
- (828) 350-9960
Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests not submitted through one of the above-listed methods of communication.
Your request will only be processed if you are a California resident, and your identity can be verified. Furthermore, the CCPA does not apply to healthcare or employee information.
- HIPPA Compliance
This section describes how medical and clinical information (Protected Health Information or PHI) about you may be used and disclosed and how you can get access to this information. Please review it carefully.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
- Get an electronic or paper copy of your medical record
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
- We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
- Ask us to correct your medical record
You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this. We may say “no” to your request, but we’ll tell you why in writing within 60 days. Your request can be denied for the following reasons:
- If we did not create the PHI in question
- If the amendment would not be part of normal record-keeping of PHI for us
- If the amendment would never be included for inspection by any other group or party
- If we believe the record is accurate and complete without the amendment
- Please note: If denied access to the information you can appeal the denial
- Request confidential communications
You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will say “yes” to all reasonable requests.
- Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
- You have the right to receive confidential communications based on reasonable requests by individuals to receive communications of PHI, from us, by alternative means
- We have an option to request the above details in writing.
- We have the option to condition the agreement for the above communications with the assurance that payment of special fees required will be handled.
- We have the option to condition the agreement for the above communications that the alternate is specified and reasonable.
- We may NOT require an explanation for the request from you as a condition of agreeing to follow it.
- Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year but may charge for additional requests.
- Get a copy of this privacy notice
- You can ask for a paper copy of this notice at any time and we will provide you with a paper copy promptly.
- Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will make sure the person has this authority and can act for you before we take any action.
- File a complaint if you feel your rights are violated
- You can complain if you feel we have violated your rights by contacting us using the contact information found at the very end of this document.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate against you for filing a complaint.
For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions. In these cases, you have both the right and choice to tell us to:
- Share information with your family, close friends, or others involved in your care
- Share information in a disaster relief situation
If you are not able to tell us your preference we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In the following cases, we never share your information unless you give us written permission:
- Marketing purposes
- Sale of your information
- Most sharing of therapy notes
Our Uses and Disclosures
How do we typically use or share your health information?
We typically use or share your health information in the following ways.
- Treat you
We can use your health information and share it with other professionals who are treating you.
- Run our facility
We can use and share your health information to run our facility, improve your care, and contact you when necessary.
- Bill for your services
We can use and share your health information to bill and get payment from health plans or other entities.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health. We have to meet many conditions in the law before we can share your information for these purposes.
We can share health information about you for certain situations such as:
Help with public health and safety issues
- Preventing disease
- Helping with product recalls
- Reporting adverse reactions to medications
Reporting suspected abuse, neglect, or domestic violence
- Preventing or reducing a serious threat to anyone’s health or safety
Comply with the law
- We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
Work with a medical examiner or funeral director
- We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
Address workers’ compensation, law enforcement, and other government requests
- For workers’ compensation claims
- For law enforcement purposes or with a law enforcement official
- With health oversight agencies for activities authorized by law
- For special government functions such as military, national security, and presidential protective services
Respond to lawsuits and legal actions
- We can share health information about you in response to a court or administrative order, or in response to a subpoena.
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
- Links to Other Sites
We exercise no control over and assume no responsibility for the content, privacy policies, or practices of any third-party site or services.
We reserve the right to amend this privacy notice at our discretion and at any time.
XIII. Contact Information
If you have any questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us by mailing: Next Step Recovery, 900 Hendersonville Rd Ste 203
Asheville, NC, USA 28803 or call (828) 350-9960.