PRIVACY POLICY & HIPAA NOTICE

IMPORTANT NOTICE

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Provided in compliance with 45 C.F.R. § 164.520

Last Updated: 9/22/2025
Effective Date: 9/22/2025

About This Policy
HIPAA Notice of Privacy Practices
Website Privacy Policy
Your Privacy Rights
Contact Information

ABOUT THIS POLICY

These terms and conditions (the “Terms”) govern your access to and use of Luxury Rehab Atlas’s websites and mobile applications that link to or reference these Terms (“Site”). By accessing or using the Site, you are agreeing to these Terms and concluding a legally binding contract with Luxury Rehab Atlas (“Company,” “we,” “us,” or “our”), operated by Numa Recovery Centers in Los Angeles, California. Do not access or use the Site if you are unwilling or unable to be bound by the Terms.

Luxury Rehab Atlas is committed to protecting your privacy and ensuring the confidentiality of your health information. This document contains two important policies:

HIPAA Notice of Privacy Practices: Governs how we handle your protected health information (PHI)
Website Privacy Policy: Covers information collected through our website and digital services

By using our services or website, you acknowledge that you have read and understand both policies.

HIPAA NOTICE OF PRIVACY PRACTICES

WHO WE ARE

Luxury Rehab Atlas provides addiction treatment services and care coordination. Your health information is contained in records that are the physical property and responsibility of Luxury Rehab Atlas.

HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION

Routine Uses and Disclosures (No Authorization Required)

We are permitted under federal law to use and disclose PHI without your written authorization for certain routine purposes:

For Treatment:

We use your PHI to provide and coordinate your treatment
We may share relevant health information with treatment providers to ensure continuity of care
We may communicate with healthcare providers about your treatment needs and progress

For Payment:

We use your PHI to verify insurance benefits and eligibility
We may disclose information to your health plan to determine coverage for recommended treatments
We may assist with prior authorization requests and claims processing

For Health Care Operations:

We may use your PHI to evaluate and improve our services
We may disclose information to accreditation organizations, auditors, or consultants
We may use information for quality assessment and care coordination activities

Other Permitted Uses and Disclosures (No Authorization Required)

Required by Law:

We may disclose PHI when required by federal, state, or local law
We may disclose PHI to the Secretary of Health and Human Services for compliance investigations

Public Health Activities:

Reporting to public health authorities for disease prevention and control
Reporting child abuse or neglect to authorized agencies
Reporting adverse drug events to the FDA when required

Health Oversight Activities:

Disclosures to licensing boards, auditors, or regulatory agencies
Responses to investigations, inspections, or disciplinary actions

Judicial and Administrative Proceedings:

Disclosures in response to court orders, subpoenas, or administrative warrants
Disclosures for legal proceedings when proper safeguards are in place

Law Enforcement:

Limited disclosures to law enforcement in specific circumstances as required by law
Reporting certain types of wounds or injuries as required by state law

Serious Threats to Health or Safety:

Disclosures to prevent or lessen serious and imminent threats to health or safety
Disclosures to law enforcement to identify or apprehend individuals in specific circumstances

Specialized Government Functions:

Disclosures for national security or intelligence activities when authorized
Disclosures to correctional institutions if you are an inmate

Workers’ Compensation:

Disclosures as authorized by workers’ compensation laws

Coroners, Medical Examiners, and Funeral Directors:

Disclosures to identify deceased persons or determine cause of death

Organ Donation:

Disclosures to organ procurement organizations when necessary

Research:

Disclosures for research approved by institutional review boards with appropriate safeguards

Business Associates:

Disclosures to contractors and vendors who perform services for us and have signed agreements to protect your PHI

Uses and Disclosures With Your Agreement or Opportunity to Object

Family and Friends:

We may share PHI with family members, friends, or others involved in your care unless you object
We may use PHI to notify family members of your general condition or location

Uses and Disclosures Requiring Your Written Authorization

Marketing:

We must obtain written authorization to use your PHI for most marketing communications
This does not include treatment communications or health care operations activities

Sale of PHI:

We must obtain written authorization for any disclosure that constitutes a sale of PHI

Psychotherapy Notes:

We must obtain written authorization to use or disclose psychotherapy notes

Other Uses:

Any other uses or disclosures not described above require your written authorization
You may revoke authorization in writing at any time (except where action has already been taken)
Authorizations for marketing or sale of PHI do not expire unless you specify an expiration date
Other authorizations are valid until revoked or expire as specified in the authorization

SPECIAL PROTECTIONS FOR REPRODUCTIVE HEALTH INFORMATION

In compliance with 2024 HIPAA regulations, we provide enhanced protections for reproductive health information:

We will not use or disclose reproductive health PHI to investigate or impose liability on individuals seeking lawful reproductive healthcare
Certain requests for reproductive health information require special attestations
We maintain additional safeguards for sensitive reproductive health data

SPECIAL PROTECTIONS FOR SUBSTANCE USE DISORDER INFORMATION

Information related to substance use disorder treatment receives additional federal protection under 42 CFR Part 2:

More restrictive consent requirements for disclosure
Enhanced confidentiality protections
Special procedures for court orders and law enforcement requests
Specific notification requirements for breaches

WEBSITE PRIVACY POLICY

INFORMATION WE COLLECT

Personal Information You Provide

Contact Information: Name, email address, phone number, mailing address
Health Information: Medical history, current medications, treatment preferences, insurance information
Assessment Data: Responses to addiction assessment questionnaires
Communication Records: Chat logs, call recordings, email correspondence

Information Collected Automatically

Usage Data: IP address, browser type, device information, pages visited, time spent on site
Location Data: General geographic location based on IP address
Cookies and Tracking: Session cookies, preference cookies, security cookies, analytics data

Information from Third Parties

Healthcare Providers: Treatment information when you authorize sharing
Insurance Companies: Coverage and eligibility information
Treatment Facilities: Referral status updates and treatment progress reports

HOW WE USE YOUR INFORMATION

Primary Purposes

Treatment Services: Providing addiction treatment and therapeutic services
Insurance Services: Verifying benefits, obtaining prior authorizations
Care Management: Coordinating with providers and monitoring treatment progress
Customer Service: Responding to inquiries and providing support

Secondary Purposes

Service Improvement: Analyzing usage patterns to enhance our platform
Quality Assurance: Monitoring service quality and compliance
Legal Compliance: Meeting regulatory requirements and responding to lawful requests

COOKIES AND TRACKING TECHNOLOGIES

We use the following types of cookies:

Essential Cookies:

Session management and user authentication
Security features and fraud prevention
Basic site functionality

Analytics Cookies:

Google Analytics (with Business Associate Agreement)
Site usage statistics and performance monitoring
User experience improvement

Marketing Cookies (with consent):

Advertising effectiveness measurement
Remarketing campaigns for treatment resources
Social media integration features

Cookie Management: You can control cookies through your browser settings. Note that disabling cookies may limit some website functionality.

THIRD-PARTY SERVICES

We work with HIPAA-compliant third-party services:

Analytics Providers:

Google Analytics (Business Associate Agreement in place)
Heat mapping and user experience tools

Communication Services:

Email service providers with encryption
SMS/text messaging platforms
Video conferencing for telehealth consultations

Payment Processors:

HIPAA-compliant payment processing
Insurance verification services

Treatment Partners:

Healthcare providers and treatment facilities
Medical specialists and consultants

All third-party providers handling PHI have signed Business Associate Agreements ensuring HIPAA compliance.

DATA SECURITY

We implement comprehensive security measures:

Technical Safeguards:

End-to-end encryption for data transmission
Encrypted data storage and backup systems
Multi-factor authentication for system access
Regular security monitoring and intrusion detection

Administrative Safeguards:

HIPAA training for all staff members
Role-based access controls
Regular security risk assessments
Incident response procedures

Physical Safeguards:

Secure server facilities
Controlled access to workstations
Secure disposal of physical media

DATA RETENTION

We retain your information as follows:

Medical Records: Minimum 6 years from last service date or as required by state law Website Data: Generally 3 years unless longer retention is required Marketing Data: Until you opt out or as required for business purposes Legal Compliance: As required by applicable laws and regulations

YOUR PRIVACY RIGHTS

HIPAA Rights

Right to Access:

You can request copies of your PHI
We will provide access within 30 days (with possible 30-day extension)
Electronic records will be provided in electronic format upon request

Right to Amendment:

You can request corrections to your PHI
We will respond within 60 days (with possible 30-day extension)
You may appeal denied amendment requests

Right to Restrictions:

You can request limits on how we use or disclose your PHI
We must agree to restrictions on disclosures to health plans for services paid out-of-pocket
We may decline other restriction requests but will consider them carefully

Right to Confidential Communications:

You can request communications through alternative means or locations
We will accommodate reasonable requests

Right to Accounting:

You can request a list of certain PHI disclosures
Available for disclosures made in the past 6 years
First accounting per year is free; additional requests may incur fees

Right to Notification:

You will be notified if your PHI is breached
Notifications include steps being taken to protect your information

Right to Opt-Out:

You can opt out of fundraising communications
You can restrict certain marketing communications

General Privacy Rights

Access and Portability:

Request copies of personal information we maintain
Receive information in machine-readable format where technically feasible

Correction:

Request correction of inaccurate personal information
Add clarifying information to your records

Deletion:

Request deletion of personal information in certain circumstances
Legal and business requirements may limit deletion rights

Objection:

Object to certain processing activities
Opt out of marketing communications

California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to Know:

Categories of personal information collected
Sources of personal information
Business purposes for collection
Third parties with whom information is shared

Right to Delete:

Request deletion of personal information
Subject to certain exceptions

Right to Opt-Out:

Opt out of sale of personal information (we do not sell personal information)
Opt out of sharing personal information for cross-context behavioral advertising
Opt out of automated decision-making that produces legal or significant effects

Exercising Your Rights

To exercise any privacy rights:

Submit Written Request: Email privacy@numabh.com
Verify Identity: We may request additional information to confirm identity
Specify Request: Clearly describe the right you wish to exercise
Receive Response: We will respond within required timeframes

No Retaliation: We will not discriminate against you for exercising your privacy rights.

SPECIAL CIRCUMSTANCES

Minors (Under 18)

Parental consent required for treatment services
Special privacy protections for adolescent treatment
Limited circumstances where minors can consent independently

Emergency Situations

Disclosure may occur without authorization to prevent serious harm
Minimum necessary standard still applies
Documentation of emergency circumstances

Legal Proceedings

We may be required to disclose information pursuant to court orders
We will assert applicable privileges and protections
You will be notified when possible

Business Transfers

PHI protections continue if business ownership changes
You will be notified of material changes to privacy practices

BREACH NOTIFICATION

If your PHI is breached, we will:

Investigate: Assess the scope and cause of the breach
Notify You: Within 60 days of discovery (30 days for electronic breaches affecting 500+ individuals)
Notify Authorities: Report to Department of Health and Human Services as required
Media Notice: If breach affects 500+ individuals in same state/jurisdiction
Remediate: Take steps to prevent future breaches

UPDATES TO THIS POLICY

We may update this policy to reflect:

Changes in legal requirements
Updates to our services
Improvements to our privacy practices

Notification of Changes:

Email notification for material changes
Posted notice on our website
Updated effective date

Your Continued Use: Continued use of our services after changes indicates acceptance of the updated policy.

COMPLAINTS

You may file complaints about our privacy practices:

With Us:

Privacy Officer: privacy@numabh.com
Phone: (833) 721-4107
Mail: 826 N Mariposa Ave, Los Angeles, CA 90029

With Government:

Department of Health and Human Services
Office for Civil Rights
Online: https://www.hhs.gov/ocr/privacy/hipaa/complaints/

No Retaliation: We will not retaliate against you for filing complaints.

CONTACT INFORMATION

Privacy Officer:

Email: privacy@numabh.com
Phone: (833) 721-4107
Address: 826 N Mariposa Ave, Los Angeles, CA 90029

General Inquiries:

Email: privacy@numabh.com
Phone: (833) 721-4107

Notice Effective Date: 9/22/2025