Privacy Policy

Introduction:

Welcome to Ark Behavioral Health. We are committed to maintaining the privacy and protection of your personal information. This privacy policy (the “privacy policy” or “policy”) outlines our practices concerning the collection, use, and sharing of your personal information. By visiting https://springhillrecovery.com/ (our “Website”) and using our services, you agree to the terms outlined in this policy.

Ark National Holdings LLC, its affiliates and/or subsidiaries, d/b/a Ark Behavioral Health (“Ark Behavioral Health” or “Company”) operates facilities in Massachusetts and Ohio, providing clinical, medical, and psychiatric care for substance use, mental health, and co-occurring disorders, and owns and operates the Website. As a healthcare organization, we are not only bound by state laws of Massachusetts and Ohio but also by the Health Insurance Portability and Accountability Act (“HIPAA”). Our commitment to your privacy extends to all aspects of our operations, and we continuously strive to protect your data and uphold the highest standards of confidentiality.

This policy applies to information we collect:

  • On this Website;
  • In email, text, and other electronic messages between you and this Website.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by Ark Behavioral Health or any third party (including our affiliates and subsidiaries); or
  • Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or through the Website.

Please read this policy carefully to understand how we collect, use, and safeguard the information you provide to us. If you have any questions or concerns about our privacy practices, please contact us using the details provided at the end of this policy.

If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change occasionally (see “Changes to this Privacy Policy”). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Information Collection

Automatic Data Collection:

Upon visiting our Website, our web server software automatically logs every web request, capturing the following details:

  • IP Address
  • User-Agent (Browser and Operating System)
  • Date and Time of Access
  • Request Method (e.g., GET or POST)
  • URL Requested
  • HTTP Status Code
  • Referrer URL
  • Bytes Transferred
  • Cookies

Third-Party Data Collection:

Some content or applications on the Website are served by third parties (see below). These third parties may use cookies alone or with web beacons or other tracking technologies to collect information about you when you use our Website. The information they collect may be associated with your personal information, or they may collect information, including personal information, about your online activities over time and across different websites and other online services.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see “Choices About How We Use and Disclose Your Information.”

Currently, we have integrated several third-party tools on our Website to enhance the user experience and monitor user interactions:

  1. Google Analytics: Collects data on user interaction, cookies and identifiers, user behavior, device and browser information, referral source, IP address (anonymized for user privacy), events and custom data that Ark Behavioral Health configures as it sees fit.
  2. Call Tracking Metrics: Gathers data on referring URL, landing URL, advertising data, tracking source, user agent and IP Address. If you place a call to us, using any number on our Website, we may additionally collect the caller ID information. Please note, we may also monitor and/or record telephone conversations for our business purposes such as quality assurance and training purposes and to protect our rights.
  3. Avochato (Live Chat): Records information on device type, operating system, browser type, IP address, and referrer.

Manual Data Collection:

Users of our Website have the option to manually provide information through various forms on our Website:

  1. Contact Us Form: Collects name, email address, phone number, and a general inquiry field.
  2. Text Us Form: Gathers name and phone number.
  3. Insurance Verification Form: Acquires name, phone number, email address, residential address, date of birth, insurance company phone number, insurance provider, member number, group number, and plan type.

Use of Information Collection

At Ark Behavioral Health, the information we collect serves multiple purposes, ensuring we can best cater to our users and continually refine our operations:

  1. Services: To provide you with information, products, or services that you request from us.
  2. Site Monitoring: We utilize the collected data to monitor compliance with our Terms of Use, ensuring that all interactions on our platform adhere to our guidelines and standards.
  3. Communication: The information provided, especially through our forms, allows us to communicate with, and present content to, our users. Whether it’s updates, responses to inquiries, or information related to placement and consulting requests, we aim to maintain open and timely communication.
  4. Website Enhancement: Feedback and user interaction data are invaluable for improving our Website. By understanding user behavior, preferences, and issues, we can make necessary adjustments, address problems, and introduce features that enhance user experience.
  5. Request Processing: Data, especially from the Insurance Verification form, is crucial for processing user requests efficiently and accurately.
  6. Personalized Experience: We believe in tailoring our services to individual needs. By understanding our users better through the data they provide, we can offer a more personalized and relevant experience.
  7. Customer Service Improvement: The data aids us in enhancing our customer service. By understanding user needs, preferences, and feedback, we can respond more effectively to service requests and support inquiries.
  8. Promotions and Features: Occasionally, we might introduce promotions, surveys, or other features on our Website. The collected data helps us administer these features, ensuring they reach the relevant audience and achieve their intended purpose.
  9. Changes: To notify you about changes to our Website or any products or services we offer or provide through it.

We may also use your information to contact you about goods and services that may be of interest to you. For more information, see “Choices About How We Use and Disclose Your Information”.

All uses of information align with our commitment to uphold the highest standard of confidentiality, especially concerning sensitive data protected under HIPAA.

Information Sharing

At Ark Behavioral Health, we prioritize the confidentiality and security of the data we collect. However, there are specific scenarios where data sharing becomes necessary for our operations and to provide our services:

  1. Integration with Third-Party Services:
    • All collected data, combined with third-party data from Google Analytics, Call Tracking Metrics, and Avochato, is stored in Salesforce.
    • Users who submit an Insurance Verification form will have their data sent to VerifyTX for a quick determination of insurance coverage. This information will also be shared with BBHealthTech who does a thorough verification of benefits.
  2. Business Transitions:
    • In scenarios such as mergers, acquisitions, or other business transitions, user data may be transferred to the succeeding entity.
  3. Data Management and Analytics:
    • BBHealthTech manages a dataset containing all of our company’s data, sourced from Salesforce, Call Tracking Metrics, and Avochato. They provide us with dashboards to monitor the organization’s key performance indexes.
  4. Legal and Compliance Sharing:
    • We may be required to share user data in response to legal obligations, such as subpoenas, court orders, or other legal processes. As a healthcare organization adhering to HIPAA legislation, specific guidelines are followed when sharing data for legal reasons. We may also share if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.
  5. Research:
    • Anonymized or aggregated data may be shared with entities for research purposes, ensuring individual identities remain protected.
  6. Contractors and Service Providers:
    • We may share user data with contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  7. Subsidiaries and Affiliates:
    • We may share user data with subsidiaries and affiliates.
  8. Other Purposes:
    • To fulfill the purpose for which you provided it, for any other purpose disclosed by us when you provide the information, or otherwise with your consent.

We are committed to ensuring that all data sharing practices align with industry standards and legal requirements, prioritizing the privacy and security of our users.

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following controls over your information:

  • Tracking Technologies and Advertising: You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of the site may then be inaccessible or not function properly.
  • Disclosure of Your Information for Third-Party Advertising: If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out. To opt-out, please email us at [email protected].
  • Promotional Offers from the Company: If you do not wish to have your email address / contact information used by the Company to promote our own or third parties’ products or services, you can opt-out by sending us an email stating your request to [email protected]. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions.
  • Targeted Advertising: If you do not want us to use information that we collect or that you provide us to deliver advertisements according to our advertisers’ target-audience preferences, you can opt-out by emailing us at [email protected]. For this opt-out to function, you must have your browser set to accept all browser cookies.

We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s Website.

Residents of certain states, such as California, Nevada, Colorado, Connecticut, Virginia and Utah may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.

Data Protection

At Ark Behavioral Health, safeguarding the data we collect and manage is of paramount importance. We have implemented a series of robust measures to ensure data confidentiality, integrity, and availability:

  1. Cloud Server Storage:
    • Our web server logs are stored on cloud servers, which are fortified with Cloudflare protection. Periodic vulnerability assessments and strict patch management are conducted to ensure the security of these servers.
    • Access to these logs is restricted to web server administrators, with authentication managed by the server operating system. While our marketing staff may request copies of these logs for data analysis, the data, even with IP addresses, remains anonymous.
  2. Third-Party Data Management:
    • All our third-party providers, including but not limited to: Call Tracking Metrics, Salesforce, Avochato, Google Analytics, and BBHealthTech, have entered into HIPAA Business Associates agreements with us. These agreements legally bind them to uphold stringent data protection standards.
    • Yearly assessments are conducted to ensure these third-party providers maintain the agreed upon security controls. Data transmitted to these entities is encrypted in transport and remains encrypted at rest in their systems.
  3. Access Control:
    • We employ Role-Based Access Control and the principle of least privilege to ensure that employees only access data essential for their role. This approach aligns with our commitment as a healthcare organization to maintain strict data access controls.
  4. Regular Security Assessments:
    • We enlist an external security firm to conduct an annual Risk Assessment of our computing environment, ensuring that data confidentiality remains a top priority.
  5. Employee Training:
    • Regular training sessions are held for employees on data protection best practices and current cyber threats, in compliance with the HIPAA Security Rule’s employee training requirement.
  6. Backup and Recovery:
    • Our third-party providers have established backup and recovery processes to ensure data continuity and availability in case of unforeseen events.

We are dedicated to continuously enhancing our data protection measures, ensuring that the trust users place in us is well-founded. That being said, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

Cookies and Tracking

At Ark Behavioral Health, we utilize cookies and tracking technologies to enhance the user experience, gather analytics, and understand user behavior on our Website.

What are Cookies?

Cookies are small files that a Website, or its service provider, transfers to your computer’s hard drive through your web browser (if you allow it) that enables the Website’s or service provider’s systems to recognize your browser and capture and remember certain information.

How We Use Cookies:

  • Web Server Logs: Our web server logs capture cookie data, which provides insights into user interactions with our Website.
  • Google Analytics: This tool collects data on user interactions, behavior, device and browser information, referral sources, IP addresses (anonymized for privacy), events, and custom data. It uses cookies to measure user interactions and provide us with valuable insights to improve our Website.
  • Call Tracking Metrics: This system uses cookies to gather data on referring URLs, landing URLs, advertising data, tracking sources, user agents, and IP addresses. It helps us understand user interactions with our phone and call tracking systems.
  • Avochato: Avochato’s tracking script collects data on device type, operating system, browser type, IP address, and referrer. This allows us to offer a seamless live chat experience to our users.

Managing Cookies:

You have the option to manage, disable, or allow cookies through your browser settings. However, disabling cookies might affect the functionality and features of our Website. For more information, see Choices About How We Use and Disclose Your Information.

Privacy and Cookies:

We respect user privacy, and all data collected through cookies is treated with confidentiality and in accordance with our privacy policy.

By using our Website, you consent to our use of cookies and tracking technologies as described above.

Third-Party Links

At Ark Behavioral Health, our Website may contain links to external websites, services, or content providers that are not operated or controlled by us. These third-party links are provided for your convenience and reference.

Disclaimer: While we strive to provide only quality links to useful and ethical websites, we have no control over the content and nature of these external sites. Clicking on any third-party link will direct you to that website. It’s important to note that these external sites may have their own privacy policies, terms of use, and customer service policies. Browsing and interaction on any other Website, including websites which have a link to our site, is subject to that website’s terms and policies.

Privacy Policy Limitation: Our privacy policy applies only to information collected by our Website. Any information you provide or that is collected by third-party websites is governed by their own privacy policies. We strongly advise you to review the privacy policy of every website you visit.

Liability: We are not responsible or liable for any harm or damages related to the purchase or use of goods, services, resources, content, or any other transactions made in connection with any third-party websites. Please review carefully the third-party’s policies and practices and make sure you understand them before you engage in any transaction.

By using our Website and accessing these third-party links, you acknowledge and agree that we are not responsible for the privacy practices or the content of such external sites.

Children’s Privacy

At Ark Behavioral Health, we are committed to protecting the privacy of children. Our Website and services are not designed for, intended to attract, or directed toward children under the age of 18.

No Collection of Children’s Data: We do not knowingly collect, use, or disclose personal information from children under the age of 18. Our services are designed for adults, and we do not target children for data collection or marketing purposes.

No Service for Children: Ark Behavioral Health does not offer services to children. Our focus is on providing services to adults, and our content and marketing efforts reflect this focus.

Parental Concerns: If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately. We will take steps to promptly remove such information from our records.

User Responsibility: We urge all parents and guardians to monitor their children’s online activities and teach them about safe internet practices. Users under the age of 18 should always obtain parental consent before providing any personal information online.

By using our Website and services, you affirm that you are at least 18 years of age or have received parental or guardian consent.

If we learn we have collected or received personal information from a child under 18, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at [email protected].

Rights of Individuals

At Ark Behavioral Health, we recognize and respect the rights of individuals concerning their personal data. While we prioritize the confidentiality and security of the data we collect, especially given the sensitive nature of the services we provide, we also acknowledge the following rights:

Access and Portability: While individuals cannot directly access their data in our systems due to the nature of our operations and the presence of HIPAA protected information, they can request a copy of their data in a commonly used, machine-readable format. Such requests must be made in writing.

Rectification: Individuals have the right to request corrections or updates to any inaccurate or incomplete personal data. All such requests must be submitted in writing to ensure accuracy and verification.

Erasure (Right to be Forgotten): Individuals can request the deletion of their personal data, unless they have been admitted to one of our programs. Due to state and federal regulations, we are required to keep all patient data for a period of seven years. Any request for erasure must be put in writing.

Objection: Individuals have the right to object to certain types of data processing. Details on how to exercise this right can be provided upon request.

Fees: We may charge a reasonable fee for processing individual rights requests. We strive to respond to all requests in a timely manner.

Limitations: It’s important to note that certain rights may be limited based on our legal obligations and the necessity to retain data for service provision, especially in the context of healthcare services.

By using our services and Website, individuals acknowledge these rights and our commitment to upholding them.

Data Breach Protocols

At Ark Behavioral Health, we prioritize the security and confidentiality of the data that we manage. In the unfortunate event of a data breach, we have established protocols to ensure a swift and effective response.

Detection and Immediate Response:

  • We utilize endpoint detection and response software that is monitored 24×7, enabling us to detect internal breaches in real time.
  • Our third-party providers, where most of our data is stored, have their own breach notification rules and dedicated incident response teams.

Incident Response Plan:

  • In compliance with HIPAA, we initiate an incident response plan upon detecting a breach. Our actions are guided by the NIST SP 800-61 guidelines, ensuring a structured and effective response.

Notification Procedures:

  • As a healthcare organization, we adhere to the HIPAA legislation for breach reporting. Detailed obligations can be found on the HHS Website.
  • Affected individuals, regulatory bodies, and other relevant entities will be notified as per the guidelines.

Containment and Recovery:

  • Our immediate action upon detecting a breach is containment, followed by eradication of the threat, recovery of systems, and a thorough review of the lessons learned.
  • All our data is backed up, ensuring that we can restore any lost data in the aftermath of a breach.

Prevention of Future Breaches:

  • The lessons learned from any breach lead to the implementation of additional security controls to prevent similar incidents in the future.

Training and Awareness:

  • Our employees undergo annual training on breach protocols, ensuring they are equipped to respond effectively in the event of a breach.

Communication:

  • We have a structured internal communication plan to inform stakeholders, partners, and the media about significant breaches, ensuring transparency and trust.

By using our services and Website, individuals acknowledge our commitment to data security and our established protocols in the event of a breach.

Data Retention

At Ark Behavioral Health, we recognize the importance of retaining data in compliance with healthcare regulations and the sensitive nature of the information we handle.

Retention Period: While various state laws dictate different retention periods for patient data, to streamline our processes and ensure consistent handling of all data, we have adopted a unified approach. All data, whether it pertains to health, demographics, or any other category, is retained for a period of seven years.

Rationale for Retention Period: Our seven-year retention policy is designed to reduce administrative overhead and ensure we meet the most stringent of state requirements. This ensures we remain compliant while also simplifying our data management process. While we understand that most of the data collected through our Website is not protected under the HIPAA legislation, instead of managing different retention policies for different types of data, we just routinely keep collected data for the same period of time we are required to retain healthcare related data.

Data Disposal: After the seven-year retention period, data is securely disposed of in a manner that ensures its complete deletion and that it cannot be reconstructed or retrieved.

Commitment to Compliance: We are dedicated to upholding the highest standards of data protection and compliance, especially given our role as a healthcare provider. Our data retention practices reflect this commitment, ensuring that patient and user data is handled with the utmost care and respect.

By using our services and Website, individuals acknowledge our data retention practices and the care with which we manage their information.

State Privacy Rights

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA) Compliance

Ark Behavioral Health acknowledges the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). However, as a healthcare organization, the majority of the data we handle is healthcare data governed by the Health Insurance Portability and Accountability Act (HIPAA).

Given our status as a healthcare entity and the specific exemptions provided under the CCPA and CPRA for entities governed by HIPAA, the provisions of these California laws do not apply to our primary data handling activities related to patient care.

While we strive to ensure the utmost privacy and protection for all data we handle, it’s essential for users to understand that our primary obligations and commitments for data protection are under HIPAA. If you have any questions or concerns regarding our data privacy practices or our relationship with California privacy laws, please contact our Chief Compliance Officer. His contact information can be found in the “Contact Information” section at the end of this policy.

Colorado Privacy Act (CPA) Compliance

Ark Behavioral Health acknowledges the Colorado Privacy Act (CPA). However, based on our current operations and data handling practices, we do not meet the thresholds set by the CPA for applicability. Specifically:

  1. We do not process the personal data of 100,000 or more Colorado residents annually.
  2. We do not sell personal data and do not deal with 25,000 or more Colorado residents annually.

Given these factors, Ark Behavioral Health is exempt from the obligations of the CPA.

While we strive to ensure the utmost privacy and protection for all data we handle, it’s essential for users to understand that our primary obligations and commitments for data protection are under HIPAA. If you have any questions or concerns regarding our data privacy practices or our relationship with Colorado privacy laws, please contact our Chief Compliance Officer. His contact information can be found in the “Contact Information” section at the end of this policy.

Virginia Consumer Data Protection Act (VCDPA) Compliance

Ark Behavioral Health acknowledges the Virginia Consumer Data Protection Act (VCDPA). However, based on our current operations and data handling practices, we are exempt from the obligations of the VCDPA for the following reasons:

  1. Healthcare Exemption: As a healthcare organization, much of the personal data we handle is governed by the Health Insurance Portability and Accountability Act (HIPAA). The VCDPA provides an exemption for personal data created, processed, or disclosed pursuant to HIPAA.
  2. Below Thresholds for Applicability: We do not control or process the personal data of 100,000 or more Virginia residents annually. Additionally, we do not derive 50% or more of our gross revenue from the sale of personal data.

Given these factors, Ark Behavioral Health is exempt from the obligations of the VCDPA.

While we strive to ensure the utmost privacy and protection for all data we handle, it’s essential for users to understand that our primary obligations and commitments for data protection are under HIPAA. If you have questions or concerns regarding our data privacy practices or our relationship with Virginia privacy laws, please contact our Chief Compliance Officer. His contact information can be found in the “Contact Information” section at the end of this policy.

Connecticut Data Privacy Act (CTDPA)

Ark Behavioral Health acknowledges the Connecticut Data Privacy Act (CTDPA). However, as a healthcare organization, we are primarily governed by the Health Insurance Portability and Accountability Act (HIPAA).

Given our status and the specific exemptions provided under the CTDPA, the provisions of the CTDPA do not apply to our organization.

While we strive to ensure the utmost privacy and protection for all data we handle, it’s essential for users to understand that our primary obligations and commitments for data protection are under HIPAA. If you have any questions or concerns regarding our data privacy practices or our relationship with Connecticut privacy laws, please contact our Chief Compliance Officer. His contact information can be found in the “Contact Information” section at the end of this policy.

Utah Consumer Privacy Act (UCPA)

Ark Behavioral Health acknowledges the Utah Consumer Privacy Act (UCPA). However, as a healthcare organization, we are primarily governed by the Health Insurance Portability and Accountability Act (HIPAA).

Given our status as a healthcare entity and the specific exemptions provided under the UCPA for entities governed by HIPAA, the provisions of the UCPA do not apply to our organization.

While we strive to ensure the utmost privacy and protection for all data we handle, it’s essential for users to understand that our primary obligations and commitments for data protection are under HIPAA. If you have any questions or concerns regarding our data privacy practices or our relationship with Utah privacy laws, please contact our Chief Compliance Officer. His contact information can be found in the “Contact Information” section at the end of this policy.

Changes to This Privacy Policy

At Ark Behavioral Health, we are committed to ensuring the privacy and protection of our users’ data. As part of this commitment, we may periodically update this privacy policy to reflect changes in our practices, services, or in response to evolving legal and regulatory requirements.

Notification of Changes: Should any significant changes be made to this privacy policy, we will make reasonable efforts to notify our users. This may include posting a notice on our Website, sending an email notification, or through other communication channels we deem appropriate.

Reviewing the Policy: We encourage all users to periodically review this privacy policy to stay informed about how we are protecting their data. The date of the latest revision will be indicated at the top or bottom of the policy.

Acceptance of Changes: By continuing to use our services and Website after changes are made to this policy, users acknowledge and agree to the updated terms. If you do not agree with any changes, we recommend discontinuing the use of our services and Website.

Contact Information

For any inquiries, concerns, or requests related to this privacy policy or your personal data, please contact our Chief Compliance Officer:

Doug Schotters
Address:
500 Victory Rd. 3rd Floor
Quincy, MA 02171
Email: [email protected]

Written by Spring Hill Recovery Editorial Team

Edited on: April 17, 2024

© 2024 Spring Hill Recovery | All Rights Reserved

* This page does not provide medical advice.
