Privacy Policy

Effective Date: August 2025

This Privacy Policy (“Policy”) delineates the legal parameters governing the collection, utilization, disclosure, and safeguarding of Protected Health Information (“PHI”) and Personally Identifiable Information (“PII”) by 1 Stop Recovery Services (“the Provider”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Confidentiality of Substance Use Disorder Patient Records regulations codified at 42 C.F.R. Part 2, the Maryland Confidentiality of Medical Records Act (“MCMRA”), and all other applicable federal and state statutes, administrative regulations, and common law obligations.

1. Scope and Applicability

This Policy applies to all PHI and PII acquired, maintained, or transmitted by the Provider in connection with the rendering of behavioral health, substance use disorder, and ancillary treatment services. By receiving services from the Provider, the individual (“Data Subject” or “Patient”) acknowledges the Provider’s rights and obligations under this Policy and applicable law.

2. Categories of Data Collected

The Provider may collect, generate, or receive the following classes of information:

• 
  Name, date of birth, address, telephone number, electronic mail address, and emergency contact details.
  
• 
  Diagnoses, prognoses, treatment regimens, therapeutic progress notes, medical and psychiatric history, and other records germane to the provision of care.
  
• 
  Insurance carrier information, policy and group numbers, billing statements, remittance data, and payment authorizations.
  
• 
  Records of communications, scheduling, and service utilization.
  

3. Permissible Uses and Disclosures

The Provider may use or disclose PHI without the Patient’s explicit written authorization only to the extent permitted or mandated by HIPAA, 42 C.F.R. Part 2, and other controlling legal authorities. Such permissible purposes include, but are not limited to:

1. 
   Coordination or management of healthcare and related services by the Provider and other covered entities.
   
2. 
   Activities undertaken to obtain reimbursement for services rendered, including claims submission and utilization review.
   
3. 
   Administrative, financial, legal, and quality improvement activities necessary to the Provider’s functioning.
   
4. 
   Disclosures compelled by a court of competent jurisdiction, administrative subpoena, or other lawful process.
   

All other uses and disclosures of PHI require the Patient’s duly executed, written consent specifying the scope, duration, and revocability of such authorization.

4. Patient Rights

Pursuant to HIPAA, 42 C.F.R. Part 2, and the MCMRA, the Patient retains the following rights, subject to statutory and regulatory exceptions:

• 
  
  
• 
  
  
• 
  
  
• 
  
  
• 
  
  
• 
  
  

5. Security and Safeguards

The Provider implements administrative, technical, and physical safeguards reasonably designed to preserve the confidentiality, integrity, and availability of PHI, including encrypted data storage, controlled facility access, and role-based access controls.

6. Substance Use Disorder Confidentiality

In accordance with 42 C.F.R. Part 2, the Provider shall not disclose, acknowledge, or confirm the identity of any individual as having sought or received substance use disorder services except:

• 
  
  
• 
  
  
• 
  
  

7. Policy Amendments

The Provider reserves the unilateral right to modify this Policy at any time to reflect changes in legal requirements or operational practices. Any such amendments shall be effective upon publication at the Provider’s principal place of business and/or on its official website.

8. Contact for Further Information

All inquiries, requests, and grievances regarding this Policy shall be directed to:

Privacy Officer