Privacy Policy

Effective Date: January 1, 2026

Last Updated: March 19, 2026

Delray Beach Intensive Outpatient ("IOP Delray Beach," "we," "us," or "our") operates the website iopdelraybeach.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information and protected health information ("PHI") when you visit our website, contact us, or use our services. We are committed to protecting your privacy in full compliance with the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records), and all other applicable federal and state privacy laws.

By accessing or using our Site, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our Site.

1. Information We Collect

1.1 Personal Information You Provide

When you interact with our Site, you may voluntarily provide personal information, including but not limited to:

• Contact Information: Full name, email address, phone number, and mailing address
• Inquiry Details: Information you provide when completing contact forms, requesting callbacks, or submitting insurance verification requests
• Insurance Information: Insurance provider, policy number, group number, and policyholder details submitted through our insurance verification forms
• Demographic Information: Age, gender, and geographic location when voluntarily provided
• Communication Records: Records of your correspondence with us via email, phone, live chat, or web forms

1.2 Protected Health Information (PHI)

As a healthcare-related service connecting individuals with addiction treatment programs, we may collect Protected Health Information as defined under HIPAA, including:

• Substance use history and treatment needs
• Mental health conditions and co-occurring disorders
• Medical history relevant to treatment placement
• Previous treatment history and recovery status
• Insurance and billing information related to healthcare services

All PHI is handled in strict accordance with HIPAA regulations and 42 CFR Part 2, which provides additional protections for substance use disorder treatment records. We will never share your PHI without your explicit written authorization unless required by law.

1.3 Automatically Collected Information (Usage Data)

When you visit our Site, we may automatically collect certain technical and usage information, including:

• Device Information: Browser type and version, operating system, device type, and screen resolution
• Usage Data: Pages visited, time spent on each page, click patterns, referring URLs, and exit pages
• Network Information: IP address, approximate geographic location (city/state level), and internet service provider
• Session Data: Date and time of visits, session duration, and interaction sequences

1.4 Cookies and Tracking Technologies

Our Site uses cookies and similar tracking technologies to enhance your browsing experience and analyze Site usage. These include:

• Essential Cookies: Required for basic Site functionality, such as navigation and secure access
• Analytics Cookies: Used to understand how visitors interact with our Site (e.g., Google Analytics)
• Functional Cookies: Remember your preferences and settings to improve your experience
• Advertising Cookies: May be used to deliver relevant advertisements and measure campaign effectiveness

For more information about how we use cookies, please see Section 7 (Cookie Policy) below.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Treatment Matching: To assess your needs and connect you with appropriate intensive outpatient programs and treatment providers in our vetted network
• Insurance Verification: To verify your insurance coverage and benefits for treatment services
• Communication: To respond to your inquiries, provide requested information, and follow up regarding treatment options
• Service Improvement: To analyze Site usage patterns and improve our website, services, and user experience
• Compliance: To fulfill legal obligations, including HIPAA compliance, record-keeping, and regulatory requirements
• Safety and Security: To detect, prevent, and address fraud, security breaches, and other harmful or unauthorized activities
• Marketing (with consent): To send you educational content, resources, and information about treatment services, only when you have opted in to receive such communications

We will never sell your personal information or protected health information to third parties for marketing purposes.

3. HIPAA Compliance

As a healthcare service provider, IOP Delray Beach is committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Our HIPAA compliance program includes:

3.1 Privacy Rule Compliance

• We maintain strict policies governing the use and disclosure of Protected Health Information
• PHI is only accessed by authorized personnel on a need-to-know basis
• We provide a Notice of Privacy Practices to individuals whose PHI we maintain
• We honor individual rights regarding their PHI, including the right to access, amend, and receive an accounting of disclosures

3.2 Security Rule Compliance

• We implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI)
• All electronic transmissions of PHI are encrypted using industry-standard protocols
• We conduct regular risk assessments and security audits
• Our staff receives ongoing HIPAA training and education

3.3 42 CFR Part 2 Compliance

In addition to HIPAA, records related to substance use disorder treatment are further protected under 42 CFR Part 2. This federal regulation provides heightened privacy protections for individuals seeking addiction treatment. Under 42 CFR Part 2:

• Your substance use disorder treatment records cannot be disclosed without your specific written consent
• Records are protected from use in criminal, civil, administrative, or legislative proceedings against you
• Re-disclosure of your records by third parties is prohibited without additional authorization

3.4 Breach Notification

In the unlikely event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, where applicable, the media, in accordance with the HIPAA Breach Notification Rule. Notifications will be provided without unreasonable delay and no later than 60 days after discovery of the breach.

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information or PHI to third parties. We may share your information only in the following limited circumstances:

4.1 Treatment Provider Partners

With your explicit consent, we may share relevant information with our vetted network of treatment providers to facilitate your admission and coordinate care. All partner facilities in our network are required to maintain HIPAA compliance and adhere to strict confidentiality standards.

4.2 Insurance Companies

With your authorization, we may share necessary information with insurance companies to verify your coverage and benefits for treatment services.

4.3 Service Providers

We may engage trusted third-party service providers who assist us in operating our website, conducting business, or providing services to you. These providers are contractually obligated to protect your information and are prohibited from using it for any purpose other than performing services on our behalf. Where applicable, we maintain Business Associate Agreements (BAAs) as required by HIPAA.

4.4 Legal Requirements

We may disclose your information when required to do so by law, regulation, court order, subpoena, or governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to:

• Comply with applicable law or legal process
• Protect the rights, property, or safety of IOP Delray Beach, our users, or the public
• Prevent or investigate possible wrongdoing in connection with our services
• Respond to a medical emergency or report suspected child abuse or neglect as required by law

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Site of any change in ownership or uses of your personal information.

5. Data Security

We implement robust security measures to protect your personal information and PHI from unauthorized access, alteration, disclosure, or destruction. Our security practices include:

• Encryption: All data transmitted between your browser and our Site is encrypted using SSL/TLS (Secure Sockets Layer/Transport Layer Security) technology
• Access Controls: Role-based access controls ensure that only authorized personnel can access sensitive information
• Secure Infrastructure: Our servers and databases are hosted in secure, access-controlled environments with continuous monitoring
• Regular Audits: We conduct periodic security assessments, vulnerability scans, and penetration testing
• Employee Training: All staff members receive regular training on data protection, HIPAA compliance, and cybersecurity best practices
• Incident Response: We maintain a comprehensive incident response plan to quickly address any potential security breaches

While we strive to use commercially acceptable means to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest standards of data protection in the healthcare industry.

6. Data Retention

We retain your personal information and PHI only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

• Health Records: Maintained in accordance with applicable state and federal retention requirements, which typically mandate a minimum of seven (7) years from the date of last service
• Contact Information: Retained for as long as you maintain an active relationship with us or as needed to provide services
• Usage Data: Generally retained for up to twenty-six (26) months for analytics purposes
• Communication Records: Retained for a minimum of three (3) years from the date of communication

When information is no longer needed, it is securely destroyed or de-identified in accordance with industry best practices and applicable regulations.

7. Cookie Policy

Cookies are small text files stored on your device when you visit our Site. We use cookies and similar technologies to provide, personalize, and improve our services.

7.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the Site to function properly. These cannot be disabled without affecting Site functionality.
• Performance/Analytics Cookies: Help us understand how visitors interact with our Site by collecting anonymous usage statistics. We use Google Analytics, which collects data such as pages viewed, time on site, and referral sources.
• Functionality Cookies: Remember choices you make (such as language or region preferences) and provide enhanced, personalized features.
• Targeting/Advertising Cookies: May be set through our Site by advertising partners to build a profile of your interests and show you relevant content on other sites.

7.2 Managing Cookies

Most web browsers are set to accept cookies by default. You can modify your browser settings to decline cookies or alert you when cookies are being sent. Please note that disabling cookies may affect the functionality of certain features on our Site. To manage cookies:

• Adjust your browser settings to block or delete cookies
• Use browser privacy/incognito mode to prevent cookie storage
• Opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on
• Manage advertising cookie preferences through the Network Advertising Initiative opt-out page

7.3 Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) signal. Because there is no uniform standard for responding to DNT signals, our Site does not currently respond to DNT browser signals or mechanisms. However, we respect your right to manage your privacy preferences through the cookie management options described above.

8. Third-Party Links

Our Site may contain links to third-party websites, services, or resources that are not owned or controlled by IOP Delray Beach. These may include links to treatment facility websites, educational resources, government health agencies (such as SAMHSA and NIDA), insurance providers, and social media platforms.

We are not responsible for the privacy practices, content, or security of any third-party websites. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link on our Site does not imply endorsement of the linked site or its content by IOP Delray Beach.

9. Your Rights and Choices

9.1 HIPAA Rights

Under HIPAA, you have the following rights regarding your Protected Health Information:

• Right to Access: You may request access to your PHI that we maintain
• Right to Amend: You may request that we amend your PHI if you believe it is inaccurate or incomplete
• Right to an Accounting of Disclosures: You may request a list of certain disclosures of your PHI that we have made
• Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI
• Right to Request Confidential Communications: You may request that we communicate with you through specific channels or at specific locations
• Right to a Copy of the Notice: You have the right to receive a paper copy of our Notice of Privacy Practices
• Right to File a Complaint: You may file a complaint with us or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated

9.2 California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collect personal information, the business or commercial purpose for collecting personal information, and the categories of third parties with whom we share personal information
• Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions
• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you
• Right to Opt Out of Sale: You have the right to opt out of the sale or sharing of your personal information. IOP Delray Beach does not sell personal information
• Right to Non-Discrimination: You have the right not to be discriminated against for exercising your CCPA rights
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes necessary to provide the services you have requested

To exercise any of your CCPA rights, please contact us using the information provided in Section 12 below. We will respond to verified consumer requests within 45 days, as required by law. Please note that certain health information may be exempt from the CCPA where it is subject to HIPAA or 42 CFR Part 2.

9.3 Communication Preferences

You may opt out of receiving marketing communications from us at any time by:

• Clicking the "unsubscribe" link in any marketing email we send
• Contacting us directly at info@iopdelraybeach.com
• Calling us at 888-694-0744

Please note that even if you opt out of marketing communications, we may still send you non-promotional messages related to your inquiries, treatment coordination, or other service-related communications.

10. Children's Privacy

Our Site and services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at info@iopdelraybeach.com. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers promptly.

In cases where a minor requires addiction treatment services, we work exclusively with parents, legal guardians, or authorized representatives and comply with all applicable laws governing minors' health information, including the Children's Online Privacy Protection Act (COPPA) for children under 13.

11. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make changes, we will:

• Update the "Last Updated" date at the top of this page
• Post the revised Privacy Policy on our Site
• Notify you of material changes via email or a prominent notice on our Site prior to the changes becoming effective

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our Site after the posting of changes constitutes your acceptance of such changes.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or our privacy practices, please contact us:

To file a complaint about our privacy practices, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/hipaa/filing-a-complaint or by calling 1-800-368-1019. We will not retaliate against you for filing a complaint.