Notice of Privacy Practices

Effective Date: June 1, 2025

This Notice describes how medical and substance use disorder (SUD) information about you may be used and disclosed, and how you can access this information. Please review it carefully.

Next Horizon Recovery dba Desert Oasis Recovery is committed to protecting your privacy in accordance with the Health Insurance Portability and Accountability Act (HIPAA), 42 CFR Part 2 (federal SUD confidentiality law), and applicable California privacy laws.

I. Definition of Confidential Information

“Confidential Information” includes, but is not limited to:

  • Personal identifiers (e.g., name, address, phone number, Social Security number);
  • Medical and behavioral health history;
  • Substance use history and treatment records;
  • Payment and insurance information;
  • Any other information that can reasonably be used to identify you.

All such information is protected under federal and state law, including HIPAA and 42 CFR Part 2.

II. Communication Protocols

Telephone Inquiries
  • We will not confirm or deny a client’s presence, admission status, or participation unless the caller is listed on a valid, current Release of Information (ROI) signed by the client.
  • Callers without an ROI may leave their name and number; if consent exists, the client may choose to return the call.
Mail and Packages
  • We do not accept or sign for mail requiring a signature unless the client has signed an ROI permitting it.
  • If restricted mail arrives, clients may sign a release to allow staff retrieval.
Visitors and Vendors
  • All visitors must sign a confidentiality log acknowledging their obligation to maintain the privacy of any client-related information they observe.
  • Unauthorized discussion of client information by visitors is strictly prohibited and may result in removal from the premises.

III. Legal and Regulatory Disclosures

Subpoenas, Warrants, and Court Orders
  • A subpoena alone is not sufficient to authorize release of client information.
  • Only a court order meeting the standards of 42 CFR Part 2 and showing good cause may authorize disclosure without client consent.
  • Law enforcement may only confirm the presence of a named individual if they are on-site at the time and with a valid arrest warrant.
  • A search warrant does not override 42 CFR Part 2 protections unless accompanied by a compliant court order.
Audits and Oversight
  • Federal and state oversight agencies and third-party payers may access records only for audit or compliance reviews under a signed confidentiality agreement.

IV. Access and Security of Records

  • Access is restricted to authorized personnel with legitimate role-based credentials.
  • All electronic access is password-protected, monitored, and logged.
  • Access is deactivated immediately upon the termination of staff privileges.

V. Use and Disclosure of Protected Health Information (PHI)

Desert Oasis Recovery may use or disclose PHI only in the following circumstances:

1. For Treatment, Payment, or Health Care Operations (TPO)

In accordance with HIPAA and 42 CFR Part 2.

2. With a Valid Client Authorization

Must be signed, dated, and specific about the nature and purpose of the disclosure.

3. As Required by Law

Including reporting child abuse, dependent adult abuse, or threats of serious harm to self or others.

4. For Oversight and Compliance Reviews

Disclosures may be made to the U.S. Department of Health and Human Services (HHS) and the California Department of Health Care Services (DHCS) for purposes of regulatory oversight, audits, inspections, investigations, or to ensure compliance with privacy, licensing, and certification requirements. These disclosures are permitted under HIPAA, 42 CFR Part 2, and applicable California laws. Any such disclosures will be limited to the minimum necessary and, where applicable, subject to a qualified service or confidentiality agreement.

Minimum Necessary Rule

We will only disclose the minimum necessary information to achieve the intended purpose unless the disclosure is to:

  • You or your personal representative;
  • A provider for treatment purposes;
  • A situation required by law.

VI. Email and Electronic Communication

  • All PHI-related email is encrypted.
  • PHI will not be sent via unencrypted text, instant messaging, or social media.
  • Clients may opt-in to receive limited communication by text/email with a signed consent acknowledging risks.

VII. Psychotherapy Notes

Psychotherapy notes are separately protected under HIPAA. They may only be disclosed:

  • With specific written authorization, OR
  • Without authorization only when:
    • Used by the originator for treatment;
    • Used for training within the program;
    • Required for legal defense;
    • Required for regulatory oversight.

VIII. Client Rights and Authorizations

You have the right to:

  • Request and receive access to your medical and treatment records (with some legal exceptions);
  • Request corrections to your health records;
  • Request restrictions on how we use or disclose your PHI;
  • Receive a list of certain disclosures of your PHI (an “accounting of disclosures”);
  • Request communications by alternative means or to alternative locations;
  • File a complaint if you believe your privacy rights have been violated;
  • To receive a paper copy of this notice upon request, even if you agreed to receive it electronically;
  • To revoke an authorization in writing at any time, unless we have already relied on it.
Authorizations
  • We require a signed authorization for uses and disclosures not related to treatment, payment, or operations unless otherwise required by law.
  • We do not condition care on your decision to sign an authorization, except where federal law allows (e.g., research participation).

IX. Special Protections for Substance Use Disorder (SUD) Records

Records related to your substance use disorder treatment are protected under 42 CFR Part 2. These records may not be disclosed without your written consent, unless:

  • Required by a valid court order;
  • Needed for a medical emergency;
  • Used for audits or program evaluations by authorized officials;
  • Otherwise allowed by law.

Violations of these protections may be reported to the U.S. Attorney.

X. Filing a Complaint

You may file a complaint if you feel your rights have been violated.

Contact Us:

Privacy Officer
Desert Oasis Recovery
13601 Rosedale Hwy, Ste G1100, Bakersfield, CA 93314
Phone: (760) 428-6389
Email: [email protected]

Or Contact:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
https://www.hhs.gov/ocr/privacy/hipaa/complaints/

And/or:

California Department of Health Care Services
Licensing and Certification Division
P.O. Box 997413, MS 2601
Sacramento, CA 95899-7413
Toll Free: (877) 685-8333
Fax: (916) 440-5094
Email: [email protected]

We will not retaliate against you for filing a privacy complaint with us, the Department of Health and Human Services, or the California Department of Health Care Services.