Privacy Policy For Website

Effective Date: 12/27/2021

Applicable To The Following Website:

http://www.legacyfs.org

Article 1 – DEFINITIONS:
a) COMPANY: Legacy Family Services, Inc., an Oklahoma Corporation, hereinafter referred to as “Company,” “Legacy Family Services,” “Data Controller,” “we,” “us,” or “our.”
b) WEBSITE: This Privacy Policy applies to the website http://www.legacyfs.org and any corresponding mobile applications currently in use or hereinafter developed.
c) YOU/CLIENT: The individual accessing our Website or receiving mental health services from the Company, hereinafter referred to as “you,” “your,” “Client,” or “user.”
d) SERVICES: Mental health services provided by the Company, including but not limited to individual therapy, couples therapy, family therapy, group therapy, telehealth services, and related clinical services.
e) PERSONAL DATA: Personal data and information that we obtain from you in connection with your use of the Website or receipt of Services which is capable of identifying you in any manner.
f) PROTECTED HEALTH INFORMATION (PHI): Individually identifiable health information related to your past, present, or future physical or mental health condition, the provision of healthcare services to you, or the payment for such services, as defined by the Health Insurance Portability and Accountability Act (HIPAA).
g) PSYCHOTHERAPY NOTES: Notes recorded by a mental health professional documenting or analyzing the contents of a conversation during a private, group, joint, or family counseling session, which are maintained separately from the rest of the Client’s medical record.
h) HIPAA: The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations.
i) PROVIDER: A licensed mental health professional providing Services on behalf of the Company.
j) MINOR: Any individual under the age of eighteen (18) years.
k) BUSINESS DAYS: Monday through Friday, excluding federal holidays and any days the Company is closed for business.

Article 2 – GENERAL INFORMATION:
This Privacy Policy describes how we collect, use, disclose, and protect the Personal Data and Protected Health Information that we receive about you when you visit our Website, use our Services, or otherwise interact with Legacy Family Services.
Legacy Family Services is committed to protecting your privacy. As a mental health practice, we are subject to federal and state laws governing the confidentiality of health information, including HIPAA and Oklahoma state law regarding mental health records.
This Privacy Policy applies to:
I) Information collected through our Website
II) Information collected in connection with the provision of mental health Services
III) Information collected through electronic communications, including email, text messages, and telehealth platforms
This Privacy Policy does not cover information that we may receive through sources other than those described above. Our Website may link to other websites or applications; this Privacy Policy does not apply to those linked sites.
By using our Website or receiving Services from Legacy Family Services, you acknowledge that you have reviewed this Privacy Policy and agree to its terms. If you do not agree to this Privacy Policy, please do not use our Website or Services.

Article 3 – CONTACT INFORMATION:
The Party responsible for the processing of your Personal Data and PHI is:
Legacy Family Services
11901 N MacArthur Blvd., Suite C6
Oklahoma City, OK 73162
Phone: (405) 370-4594
Email: info@legacyfs.org
Website: http://www.legacyfs.org
For questions about this Privacy Policy, our privacy practices, or to exercise your rights regarding your information, please contact us using the information above.

Article 4 – LOCATION OF DATA PROCESSING:
Data processing activities take place in the United States, specifically in Oklahoma. If you are accessing our Website or Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

Article 5 – MODIFICATIONS AND REVISIONS:
We reserve the right to modify, revise, or amend this Privacy Policy at any time. If we make material changes, we will notify you by posting the updated Privacy Policy on our Website and updating the Effective Date. For significant changes affecting your PHI, we will provide direct notice and, where required by law, obtain your consent.
Changes to this Privacy Policy will apply to information collected after the Effective Date of the revised policy unless we obtain your consent to apply changes retroactively.
It is your responsibility to periodically review this Privacy Policy for updates.

PART I: WEBSITE PRIVACY

Article 6 – PERSONAL DATA WE COLLECT THROUGH THE WEBSITE:
Depending on how you interact with our Website, we may collect different types of Personal Data:
a) Registered Users: If you register for an account, schedule an appointment, or access our client portal, we may collect:
I) Name
II) Email address
III) Phone number
IV) Physical address
V) Date of birth
VI) Insurance information
VII) Payment and billing information
VIII) Any other information you voluntarily provide
b) Appointment Requests and Contact Forms: If you submit an appointment request or contact form, we collect the information you provide, which may include your name, contact information, reason for seeking services, and any other details you choose to share.
c) Unregistered Users: If you browse our Website without registering, we may still collect certain information passively, including:
I) IP address
II) Browser type and version
III) Device information
IV) Pages visited and time spent on pages
V) Referring website
VI) General location information
d) All Users: The passive data collection described for unregistered users applies to all visitors to our Website.
e) Payment Information: If you make payments through our Website, we collect billing information necessary to process your payment. Payment card information is processed through secure third-party payment processors and is not stored on our servers.

Article 7 – COOKIES AND AUTOMATIC DATA COLLECTION:
a) Cookies: We use cookies and similar tracking technologies to enhance your experience on our Website. Cookies are small text files stored on your device that help us recognize you, remember your preferences, and understand how you use our Website.
b) Types of Cookies We Use:
I) Essential Cookies: Necessary for the Website to function properly, including secure login and session management.
II) Functional Cookies: Remember your preferences and settings to provide a personalized experience.
III) Analytics Cookies: Help us understand how visitors interact with our Website, which pages are most popular, and how we can improve user experience.
IV) Third-Party Cookies: We may allow third-party service providers to place cookies on your device for analytics and functionality purposes.
c) Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling cookies may affect the functionality of our Website.
For information on managing cookies in your browser:

Chrome: https://support.google.com/accounts/answer/61416
Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471
Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge

d) Log Data: Our servers automatically collect certain information when you visit our Website, including:
I) IP address
II) Browser type and device parameters
III) Internet Service Provider
IV) Date and time of visit
V) Pages visited
VI) Referring and exit pages
This information is used in aggregated form to analyze Website performance, ensure security, and improve user experience.

Article 8 – USE OF PERSONAL DATA COLLECTED THROUGH THE WEBSITE:
We use Personal Data collected through the Website for the following purposes:
a) To respond to your inquiries and appointment requests
b) To schedule and manage appointments
c) To process payments
d) To send appointment reminders and confirmations
e) To communicate with you about our Services
f) To send marketing communications, if you have opted in
g) To improve our Website and Services
h) To analyze Website usage and trends
i) To ensure Website security and prevent fraud
j) To comply with legal obligations

Article 9 – THIRD-PARTY SERVICE PROVIDERS (WEBSITE):
We may engage third-party service providers to assist with Website operations, including:
I) Website hosting
II) Payment processing
III) Email delivery
IV) Analytics
V) Customer relationship management
VI) Scheduling software
These providers may have access to your Personal Data only to perform services on our behalf and are obligated to protect your information in accordance with this Privacy Policy and applicable law.
We do not sell your Personal Data to third parties.

Article 10 – SOCIAL MEDIA:
Our Website may include links to social media platforms and social sharing buttons. These features may collect your IP address, track which pages you visit, and set cookies to enable functionality. Your interactions with these features are governed by the privacy policies of the respective social media platforms:

Facebook: https://www.facebook.com/policy.php
Instagram: https://help.instagram.com/519522125107875
LinkedIn: https://www.linkedin.com/legal/privacy-policy
Twitter/X: https://twitter.com/en/privacy

PART II: PROTECTED HEALTH INFORMATION AND CLINICAL PRIVACY

Article 11 – HIPAA COMPLIANCE:
a) Commitment to HIPAA: Legacy Family Services is committed to protecting your Protected Health Information in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and applicable Oklahoma state laws governing mental health records.
b) Notice of Privacy Practices: In addition to this Privacy Policy, we maintain a separate Notice of Privacy Practices (NPP) as required by HIPAA. The NPP describes in detail how your PHI may be used and disclosed for treatment, payment, and healthcare operations, as well as your rights regarding your PHI. You will receive a copy of our NPP at intake, and it is available upon request.
c) Relationship Between Documents: This Privacy Policy provides a comprehensive overview of our privacy practices for both Website and clinical information. Our Notice of Privacy Practices provides additional detail specifically required by HIPAA. In the event of any conflict regarding PHI, the Notice of Privacy Practices shall control.

Article 12 – PROTECTED HEALTH INFORMATION WE COLLECT:
In connection with providing mental health Services, we collect and maintain the following types of PHI:
a) Demographic Information: Name, date of birth, address, phone number, email address, emergency contacts, and insurance information.
b) Clinical Information: Intake assessments, diagnoses, treatment plans, progress notes, discharge summaries, and other clinical documentation.
c) Psychotherapy Notes: Separate notes documenting or analyzing the contents of therapy sessions, maintained apart from your general treatment record.
d) Billing Information: Insurance claims, payment records, and related financial information.
e) Communications: Records of communications between you and your Provider or our staff related to your care.
f) Coordination of Care: Information shared with or received from other healthcare providers involved in your treatment.

Article 13 – USE AND DISCLOSURE OF PHI:
a) Treatment: We may use and disclose your PHI to provide, coordinate, and manage your mental health treatment. This includes sharing information among members of your treatment team within our practice.
b) Payment: We may use and disclose your PHI to obtain payment for Services, including submitting claims to your insurance company, verifying coverage, and collecting amounts owed.
c) Healthcare Operations: We may use and disclose your PHI for our healthcare operations, including quality improvement, training, auditing, and administrative functions.
d) With Your Authorization: For uses and disclosures not described above, we will obtain your written authorization before using or disclosing your PHI. You may revoke any authorization at any time in writing, except to the extent we have already acted in reliance on it.
e) Psychotherapy Notes: Psychotherapy notes receive heightened protection. We will not use or disclose psychotherapy notes without your specific written authorization, except in limited circumstances permitted by law (such as for our own treatment purposes, to defend against legal action, for mandatory reporting, or to avert a serious threat).

Article 14 – CONFIDENTIALITY OF MENTAL HEALTH RECORDS:
a) Commitment to Confidentiality: We recognize that confidentiality is essential to the therapeutic relationship. All information shared during therapy is confidential and will not be disclosed without your written authorization, except as permitted or required by law.
b) Staff Access: Only staff members who need access to your information to perform their job duties will have access to your PHI. All staff are trained on confidentiality requirements and bound by confidentiality agreements.
c) Electronic Records: We maintain your treatment records in a secure electronic health record system that meets HIPAA security requirements, including encryption, access controls, and audit logging.

Article 15 – LIMITS OF CONFIDENTIALITY:
There are legal and ethical circumstances under which we may be required or permitted to disclose your PHI without your authorization:
a) Danger to Self: If your Provider reasonably believes you pose an imminent danger of harm to yourself, they may disclose information necessary to protect your safety, including contacting emergency services, family members, or others who may help.
b) Danger to Others: If your Provider reasonably believes you pose a serious and imminent threat to an identifiable third party, they may be required to take protective action, including warning the potential victim and/or notifying law enforcement.
c) Abuse or Neglect: Our Providers are mandated reporters under Oklahoma law. If we have reasonable cause to believe that a child, elderly person, or vulnerable adult is being abused or neglected, we are required to report to the appropriate authorities.
d) Court Orders and Legal Proceedings: We may be required to disclose your PHI pursuant to a valid court order, subpoena, or other legal process. We will make reasonable efforts to notify you and limit the scope of disclosure.
e) Workers’ Compensation: If you are receiving Services related to a workers’ compensation claim, we may be required to disclose relevant PHI to your employer or the workers’ compensation insurer.
f) Healthcare Oversight: We may disclose PHI to health oversight agencies for audits, investigations, licensure, and other activities authorized by law.
g) Public Health: We may disclose PHI for public health activities, such as reporting communicable diseases or responding to a public health emergency.
h) Law Enforcement: In limited circumstances, we may disclose PHI to law enforcement officials as required by law or in response to a valid legal process.
i) As Otherwise Required by Law: We may disclose PHI when required by federal, state, or local law.

Article 16 – MINOR CLIENTS AND PARENTAL ACCESS:
a) Treatment of Minors: We may provide mental health Services to minor Clients. Privacy rights of minors and access rights of parents or legal guardians are governed by HIPAA and Oklahoma state law.
b) Parental Consent: Generally, a parent or legal guardian must consent to mental health treatment for a minor. However, Oklahoma law permits minors to consent to certain treatment without parental involvement in limited circumstances.
c) Parental Access to Records: Parents and legal guardians generally have the right to access their minor child’s treatment records. However, access may be limited when:
I) The minor lawfully consented to treatment without parental consent
II) A court authorized treatment without parental consent
III) The parent agreed to confidential communications between the minor and Provider
IV) The Provider determines that access may endanger the minor
d) Confidentiality with Minors: To support effective treatment, your Provider will discuss confidentiality expectations with parents and minor Clients at the outset of treatment, balancing parental involvement with age-appropriate privacy.
e) Custody Situations: In cases involving divorced or separated parents, access to records will be governed by custody agreements, court orders, and applicable law. We may require documentation of custody arrangements.

Article 17 – COORDINATION OF CARE:
a) Other Providers: With your written authorization, we may communicate with other members of your treatment team, such as physicians, psychiatrists, or other therapists, to coordinate your care.
b) Referrals: If we refer you to another provider, we may share relevant information to facilitate continuity of care, subject to your authorization.
c) Insurance and Third-Party Payers: If you use insurance, we will disclose necessary PHI to your insurer for payment purposes. This typically includes your diagnosis, dates of service, and procedure codes. By using insurance, you authorize these disclosures.

Article 18 – GROUP THERAPY:
a) Nature of Group Services: We may offer group therapy, support groups, or workshops. By participating, you acknowledge that confidentiality cannot be guaranteed in group settings.
b) Expectations: We require all group participants to maintain confidentiality of information shared by others. However, we cannot control the actions of other participants.
c) Provider Obligations: Your Provider will maintain confidentiality to the same extent as in individual therapy, subject to the exceptions in Article 15.

PART III: COMMUNICATIONS

Article 19 – COMMUNICATION POLICIES:
a) Preferred Contact Method: During intake, you will indicate your preferred contact method and whether we may leave messages. We will make reasonable efforts to honor your preferences.
b) Response Time: We strive to respond to non-urgent communications within one to two (1-2) Business Days. Do not use email, text, or voicemail for emergencies.
c) Security of Electronic Communications: Email, text messaging, and other electronic communications are not completely secure. By consenting to electronic communications, you acknowledge and accept these risks.
d) Between-Session Contact: Therapy occurs during scheduled sessions. Between-session communications should be limited to scheduling and brief matters. Extensive communication may be billed.

Article 20 – SMS/TEXT MESSAGE COMMUNICATIONS:
a) Consent: By providing your mobile phone number, you consent to receive text messages from Legacy Family Services, including:
I) Appointment reminders and confirmations
II) Cancellation or rescheduling notices
III) Billing and payment reminders
IV) Care coordination communications
V) Responses to your inquiries
VI) Marketing messages (only with separate opt-in)
b) Message Frequency: Frequency varies based on your interaction with our Services. Appointment reminders are typically sent 24-48 hours before appointments.
c) Rates: Standard message and data rates may apply. We are not responsible for carrier charges.
d) Opting Out: Reply STOP to any message to opt out. You will receive confirmation. Opting out may affect our ability to send appointment reminders.
e) Not Required: Text message consent is not required to receive Services. Contact info@legacyfs.org to arrange alternative communication.
f) Help: Reply HELP for assistance or contact info@legacyfs.org or (405) 370-4594.

Article 21 – TELEHEALTH COMMUNICATIONS:
a) Telehealth Services: We offer telehealth services using HIPAA-compliant video conferencing platforms. By participating, you consent to electronic delivery of Services.
b) Security: We use platforms with encryption and security measures. However, no electronic transmission is completely secure, and you accept inherent risks.
c) Recording: Telehealth sessions are not recorded unless agreed in writing. You agree not to record sessions without written consent.
d) Technical Requirements: You are responsible for adequate internet connectivity and a private location for telehealth sessions.
e) Location: You must be physically located in a state where your Provider is licensed during telehealth sessions.

Article 22 – THIRD-PARTY COMMUNICATION PLATFORMS:
a) Platforms Used: We use third-party platforms for electronic health records, scheduling, email, text messaging, telehealth, and payment processing.
b) Data Sharing: We share necessary information with these platforms to facilitate Services, including your name, contact information, appointment details, and billing information.
c) Third-Party Obligations: These providers are contractually obligated to protect your information and, where applicable, comply with HIPAA.
d) Security: We select platforms with appropriate security measures. However, we cannot guarantee absolute security of information transmitted through third-party platforms.

Article 23 – CLINICAL VERSUS MARKETING COMMUNICATIONS:
a) Clinical Communications: Communications necessary for your care are not marketing and include:
I) Appointment scheduling and reminders
II) Treatment-related information
III) Billing statements
IV) Care coordination
V) Responses to your inquiries
b) Marketing Communications: Communications encouraging you to purchase additional services or promoting third-party services require your opt-in consent.
c) Your Choices: You may opt out of marketing at any time. Opting out does not affect clinical communications.

PART IV: DATA PROTECTION AND YOUR RIGHTS

Article 24 – HOW WE PROTECT YOUR INFORMATION:
a) Security Measures: We implement physical, technical, and administrative safeguards to protect your Personal Data and PHI, including:
I) Encrypted electronic storage and transmission
II) Secure physical storage of paper records
III) Access controls and authentication
IV) Staff training on privacy and security
V) Business associate agreements with third-party vendors
VI) Regular security assessments
b) Limitations: Despite our efforts, no security system is completely secure. We cannot guarantee the absolute security of your information.
c) Breach Notification: In the event of a breach of your Personal Data or PHI, we will notify you as required by law, including within the timeframes specified by HIPAA and applicable state law.

Article 25 – RETENTION OF INFORMATION:
a) Website Data: Personal Data collected through the Website is retained as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.
b) Mental Health Records: We retain mental health treatment records in accordance with HIPAA and Oklahoma law:
I) Adult Clients: Minimum of seven (7) years following termination of treatment
II) Minor Clients: Minimum of seven (7) years following termination or until three (3) years after the minor reaches age 18, whichever is longer
c) Destruction: Upon expiration of retention periods, records are securely destroyed so that information cannot be recovered.

Article 26 – YOUR RIGHTS:
You have the following rights regarding your Personal Data and PHI:
a) Right to Access: You have the right to inspect and obtain a copy of your PHI maintained in our records. Requests must be in writing. We may charge a reasonable fee for copies.
b) Right to Amend: If you believe information in your record is inaccurate or incomplete, you may request an amendment in writing. We will respond as required by HIPAA.
c) Right to an Accounting of Disclosures: You may request a list of certain disclosures of your PHI made by us for purposes other than treatment, payment, or healthcare operations.
d) Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI. We are not required to agree to all restrictions, but if we do, we will honor them.
e) Right to Confidential Communications: You may request that we communicate with you by specific means or at specific locations (for example, only by mail to a specific address).
f) Right to a Paper Copy: You have the right to obtain a paper copy of this Privacy Policy and our Notice of Privacy Practices upon request.
g) Right to Revoke Authorization: If you have signed an authorization for disclosure of PHI, you may revoke it at any time in writing, except to the extent we have already acted in reliance on it.
h) Right to Opt Out: You may opt out of marketing communications at any time.
i) Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with:

Legacy Family Services
info@legacyfs.org
(405) 370-4594

U.S. Department of Health and Human Services
Office for Civil Rights
http://www.hhs.gov/ocr

Oklahoma State Board of Behavioral Health Licensure
(405) 522-3267
http://www.ok.gov/behavioralhealth

We will not retaliate against you for filing a complaint.

Article 27 – OPTING OUT OF MARKETING:
You may opt out of marketing communications at any time by:
I) Clicking the unsubscribe link in any marketing email
II) Replying STOP to any marketing text message
III) Contacting us at info@legacyfs.org
Opting out of marketing does not affect clinical or transactional communications related to your care.

Article 28 – DO NOT TRACK:
Some browsers offer a “Do Not Track” feature. Our Website does not currently respond to Do Not Track signals.

Article 29 – CHILDREN’S PRIVACY:
Our Website is not intended for children under 13. We do not knowingly collect Personal Data from children under 13 through the Website. If you believe we have collected information from a child under 13, please contact us immediately.
This provision does not affect our provision of mental health Services to minor Clients with appropriate parental or guardian consent.

PART V: GENERAL PROVISIONS

Article 30 – THIRD-PARTY LINKS:
Our Website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any site you visit.

Article 31 – ACCEPTANCE OF RISK:
By using our Website or Services, you acknowledge that no transmission of information via the internet or electronic storage is completely secure. You transmit information at your own risk.

Article 32 – GOVERNING LAW:
This Privacy Policy is governed by the laws of the State of Oklahoma and applicable federal laws, including HIPAA.

Article 33 – CHANGES TO THIS PRIVACY POLICY:
We may update this Privacy Policy periodically. The Effective Date at the top indicates when the policy was last revised. Material changes will be communicated as described in Article 5.

Article 34 – CONTACT US:
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us:
Legacy Family Services
11901 N MacArthur Blvd., Suite C6
Oklahoma City, OK 73162
Phone: (405) 370-4594
Email: info@legacyfs.org
Website: http://www.legacyfs.org