Privacy policy.

Patient Privacy Policy 

Effective Date: 3/11/2025
Our Privacy Policy
Steadfast is committed to providing you with quality behavioral healthcare services. An important
part of that commitment is protecting your health information according to applicable law. This
notice (“Notice of Privacy Practices”) describes your rights and our duties under Federal
Law. Protected health information (“PHI”) is information about you, including demographic
information, that may identify you and that relates to your past, present or future physical or mental
health or condition; the provision of healthcare services; or the past, present or future payment for
the provision of healthcare services to you.
Our Duties
We are required by law to maintain the privacy of your PHI, provide you with notice of our legal
duties and privacy practices with respect to your PHI, and to notify you following a breach of
unsecured PHI related to you. We are required to abide by the terms of this Notice of Privacy
Practices. This Notice of Privacy Practices is effective as of the date listed on the first page of this
Notice of Privacy Practices. This Notice of Privacy Practices will remain in effect until it is revised. We
are required to modify this Notice of Privacy Practices when there are material changes to your
rights, our duties, or other practices contained herein.
We reserve the right to change our privacy policy and practices and the terms of this Notice of
Privacy Practices, consistent with applicable law and our current business processes, at any time. Any
new Notice of Privacy Practices will be effective for all PHI that we maintain at that time. Notification
of revisions of this Notice of Privacy Practices will be provided as follows: upon request, electronically
via our website or via other electronic means, or as posted in our place of business.
In addition to the above, we have a duty to respond to your requests (e.g. those corresponding to your
rights) in a timely and appropriate manner. We support and value your right to privacy and are
committed to maintaining reasonable and appropriate safeguards for your PHI.
Confidentiality of Substance Use Disorder Patient Records
The confidentiality of substance use disorder patient records maintained by us is also protected by
Federal law and regulations. Generally, the law and regulations provide that:
1. We may not disclose to a person outside the treatment center that you are present in the
treatment center, that you are a patient of the treatment center, or any information identifying you as
having or having had a substance use disorder;
2. Except in specific, limited circumstances described in the federal regulations, we will not
disclose any of your substance use disorder patient information to any person outside of the
treatment center unless you consent in writing (as discussed below in “Authorization to use or
Disclose Confidential Information”);
3. Information related to your commission of a crime on the premises of the treatment center
or against personnel of the treatment center is not protected; and
4. Mandated reports made under state law to appropriate state or local authorities are not
protected.
See 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 CFR part 2 for Federal
regulations.
Violation of the federal law and regulations by the treatment center is a crime. Suspected violations
may be reported to the United States Attorney for the judicial district in which the violation occurs as
well as to the Substance Abuse and Mental Health Services (SAMHSA) office responsible for
oversight of the treatment center.
Uses and Disclosures
Uses and disclosures of your PHI may be permitted, required, or authorized. The following
categories describe various ways that we use and disclose PHI.
Among Steadfast Personnel: We may use or disclose information between or among personnel
having a need for the information in connection with their duties that arise out of the provision of
diagnosis, treatment, or referral for treatment of alcohol or drug abuse, provided such
communication is (i) within the treatment center; or (ii) between the treatment center and Steadfast.
For example, our staff, including doctors, nurses, and clinicians, will use your PHI to provide your
treatment care. Your PHI may be used in connection with billing statements we send you and in
connection with tracking charges and credits to your account. Your PHI will be used to check for
eligibility for insurance coverage and prepare claims for your insurance company where appropriate.
We may use and disclose your PHI to conduct our healthcare business and to perform functions
associated with our business activities, including accreditation and licensing.
Secretary of Health and Human Services: We are required to disclose PHI to the Secretary of the
U.S. Department of Health and Human Services when the Secretary is investigating or determining
our compliance with the HIPAA Privacy Rules.
Business Associates: We may disclose your PHI to Business Associates that are contracted by us to
perform services on our behalf which may involve receipt, use or disclosure of your PHI. All of our
Business Associates must agree to: (i) protect the privacy of your PHI; (ii) use and disclose the
information only for the purposes for which the Business Associate was engaged; (iii) be bound by
42 CFR Part 2; and (iv) if necessary, resist in judicial proceedings any efforts to obtain access to
patient records except as permitted by law.
Crimes on premises: We may disclose to law enforcement officers information that is directly
related to the commission of a crime on the premises or against our personnel or to a threat to
commit such a crime.
Mandated Reporting: We may disclose information needed to report, under state law, incidents that are
required to be reported to the appropriate state or local authorities. However, we may not disclose the
original patient records, including for civil or criminal proceedings which may arise out of the report,
without consent.
Court order: We may disclose information required by a court order, provided certain regulatory
requirements are met.
Emergency situations: We may disclose information to medical personnel for the purpose of
treating you in an emergency.
Research: We may use and disclose your information for research if certain requirements are met,
such as approval by an Institutional Review Board.
Audit and Evaluation Activities: We may disclose your information to persons conducting certain
audit and evaluation activities, provided the person agrees to certain restrictions on disclosure of
information.
Reporting of Death: We may disclose your information related to cause of death to a public health
authority that is authorized to receive such information.
Central Registry: By enrolling for Medication for Addiction Treatment Services at this facility, your
health information may be released to the Central Registry within the state in which you receive
services.
This information will be viewed by staff at any legally licensed Medication for Addiction Treatment
facility in the United States when you present and request enrollment and/or emergency medication
services. In addition, the above described information could be released to any duly appointed State
Opioid Treatment Authority and their staff for the purposes of monitoring dual enrollment
verifications.
Authorization to use or disclose PHI
Other than as stated above, we will not use or disclose your PHI other than with your written
authorization. Subject to compliance with limited exceptions, we will not use or disclose
psychotherapy notes, use or disclose your PHI for marketing purposes or sell your PHI unless you
have signed an authorization. If you or your representative authorizes us to use or disclose your PHI,
you may revoke that authorization in writing at any time to stop future uses or disclosures. We will
honor oral revocations upon authenticating your identity until a written revocation is obtained. Your
revocation will not affect any use or disclosures permitted by your authorization while it was in
effect.
Patient/Client Rights
The following are the rights that you have regarding PHI that we maintain about you. Information
regarding how to exercise those rights is also provided. Protecting your PHI is an important part of
the services we provide you. We want to ensure that you have access to your PHI when you need it
and that you clearly understand your rights as described below.
Right to Notice
You have the right to adequate notice of the uses and disclosures of your PHI, and our duties and
responsibilities regarding same, as provided for herein. You have the right to request both a paper
and electronic copy of this Notice. You may ask us to provide a copy of this notice at any time. You
may obtain this notice on our website at www.steadfasthealth.com or from facility staff or through
our compliance department.
Right of Access to Inspect and Copy
You have the right to access, inspect and obtain a copy of your PHI for as long as we maintain it as
required by law. This right may be restricted only in certain limited circumstances as dictated by
applicable law. All requests for access to your PHI must be made in writing. Under a limited set of
circumstances, we may deny your request. Any denial of a request to access will be communicated to
you in writing. If you are denied access to your PHI, you may request that the denial be reviewed.
The Director of Clinical Compliance at Steadfast will review your request and the denial. The person
conducting the review will not be the person who denied your request. We will comply with the
decision made by the designated professional. If you are further denied, you have a
right to have a denial reviewed by a licensed third-party healthcare professional (i.e. one not
affiliated with us). We will comply with the decision made by the designated professional.
We may charge a reasonable, cost-based fee for the copying and/or mailing process of your request.
As to PHI which may be maintained in electronic form and format, you may request a copy to which
you are otherwise entitled in that electronic form and format if it is readily producible, but if not,
then in any readable form and format as we may agree (e.g. PDF). Your request may also include
transmittal directions to another individual or entity.
Right to Amend
If you believe the PHI we have about you is incorrect or incomplete, you have the right to request
that we amend your PHI for as long as it is maintained by us. The request must be made in writing
and you must provide a reason to support the requested amendment. Under certain circumstances
we may deny your request to amend, including but not limited to, when the PHI: 1. was not created
by us; 2. is excluded from access and inspection under applicable law; or 3. is accurate and
complete. If we deny amendment, we will provide the rationale for denial to you in writing. You may
write a statement of disagreement if your request is denied. This statement will be maintained as
part of your PHI and will be included with any disclosure. If we accept the amendment we will work
with you to identify other healthcare stakeholders that require notification and provide the
notification.
Right to Request an Accounting of Disclosures
We are required to create and maintain an accounting (list) of certain disclosures we make of your
PHI. You have the right to request a copy of such an accounting during a time period specified by
applicable law prior to the date on which the accounting is requested (up to six years). You must
make any request for an accounting in writing. We are not required by law to record certain types of
disclosures (such as disclosures made pursuant to an authorization signed by you), and a listing of
these disclosures will not be provided. If you request this accounting more than once in a 12-month
period, we may charge you a reasonable, cost-based fee for responding to these additional requests.
We will notify you of the fee to be charged (if any) at the time of the request.
Right to Request Restrictions
You have the right to request restrictions or limitations on how we use and disclose your PHI for
treatment, payment and operations. We are not required to agree to restrictions for treatment,
payment and healthcare operations except in limited circumstances as described below. This
request must be in writing. If we do agree to the restriction, we will comply with the restriction going
forward, unless you take affirmative steps to revoke it or we believe, in our professional judgment,
that an emergency warrants circumventing the restriction in order to provide the appropriate care
or unless the use or disclosure is otherwise permitted by law. In rare circumstances, we reserve the
right to terminate a restriction that we have previously agreed to, but only after providing you
notice of termination.
Out-of-Pocket Payments
If you have paid out-of-pocket (or in other words, you or someone besides your health plan has paid
for your care) in full for a specific item or service, you have the right to request that your PHI with
respect to that item or service not be disclosed to a health plan for purposes of payment or
healthcare operations, and we are required by law to honor that request unless affirmatively
terminated by you in writing and when the disclosures are not required by law. This request must
be made in writing.
Right to Confidential Communications
You have the right to request that we communicate with you about your PHI and health matters by
alternative means or alternative locations. Your request must be made in writing and must specify
the alternative means or location. We will accommodate all reasonable requests consistent with our
duty to ensure that your PHI is appropriately protected.
Right to Notification of a Breach
You have the right to be notified if we (or one of our Business Associates) discover a breach
involving unsecured PHI.
Right to Voice Concerns
You have the right to file a complaint in writing with us or with the U.S. Department of Health and
Human Services if you believe we have violated your privacy rights. Any complaints to us should be
made in writing to our Privacy Official at the address listed below. We will not retaliate against
you for filing a complaint.
Questions, Requests for Information and Complaints
For questions, requests for information, more information about our privacy policy or concerns,
please contact us. Our company Privacy Official can be contacted at:
Steadfast:
Attn: Head of Compliance
Compliance@steadfasthealth.com
We support your right to privacy of your protected health information. You will not be retaliated
against in any way if you choose to file a complaint with us or with the U.S. Department of Health and
Human Services.
If you believe your rights have been violated and would like to submit a complaint directly to the U.S.
Department of Health & Human Services, then you may submit a formal written complaint to the
following address:
U.S. Department of Health & Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
877.696.6775
OCRMail@hhs.gov
www.hhs.gov

Our website address is: https://steadfasthealth.com.

Addendum to Privacy Policy and Terms of Service

Effective Date: May 29, 2026

Governing Regulations: Health Insurance Portability and Accountability Act (HIPAA); 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records)

This Addendum supplements and forms part of the organization’s existing Privacy Policy and Terms of Service (collectively, the “Policy”). In the event of a conflict between this Addendum and the Policy, the more protective provision with respect to patient privacy shall govern. This Addendum establishes the organization’s practices and obligations with respect to the use of Short Message Service (SMS) text messaging as a modality for communicating protected health information (PHI) and substance use disorder (SUD) treatment-related information to patients.

1.  Scope and Applicability

This Addendum applies to all SMS text message communications initiated by the organization to patients who have provided prior written consent to receive such communications. It governs the collection, use, transmission, storage, and protection of any PHI or SUD treatment information conveyed via SMS.

2.  Patient Consent

The organization will send SMS text messages containing care-related information only to patients who have provided explicit, informed, and documented written consent. Consent shall be obtained in accordance with HIPAA requirements and, where applicable, the heightened consent standards of 42 CFR Part 2.

Consent will specify, at minimum:

  • The types of information that may be communicated via SMS (e.g., appointment reminders, care coordination updates, treatment-related notifications);
  • That consent to receive SMS messages is voluntary and not a condition of receiving treatment;
  • The patient’s right to withdraw consent at any time by replying “STOP” to any text message or by submitting a written request to the organization; and
  • That standard message and data rates from the patient’s wireless carrier may apply.

Consent records will be retained in the patient’s file in accordance with applicable federal and state record retention requirements. The organization will not send care-related SMS messages to any patient who has not provided such consent, has revoked consent, or whose consent cannot be verified.

3.  Permitted Uses of SMS Communication

SMS text messages may be used to communicate the following categories of care-related information to consenting patients:

  • Appointment scheduling, reminders, and confirmations;
  • Medication reminders and adherence support (where clinically indicated and approved by a licensed clinician);
  • Care coordination and follow-up communications;
  • Administrative notifications related to the patient’s course of treatment; and
  • Other communications consistent with the patient’s treatment plan and the purpose for which consent was obtained.

All SMS content will be limited to the minimum necessary information required to achieve the stated purpose of the communication, consistent with the HIPAA Minimum Necessary Standard and the confidentiality protections of 42 CFR Part 2.

4.  Prohibition on Third-Party Disclosure

The organization will not sell, license, rent, trade, disclose, or otherwise share any PHI or SUD treatment information transmitted via SMS with any third party for any commercial, marketing, or non-treatment-related purpose.

Information communicated via SMS will not be disclosed to third parties except under the following strictly limited circumstances:

  • To Business Associates (as defined under HIPAA) who have executed a valid Business Associate Agreement (BAA) with the organization, solely to the extent necessary to provide contracted services;
  • As required by applicable federal or state law, including valid court orders or lawful government requests; or
  • With the patient’s separate, explicit written authorization consistent with HIPAA and, where applicable, 42 CFR Part 2.

Patient consent to receive SMS communications does not constitute authorization for the disclosure of PHI or SUD treatment information to third parties. Any such disclosure requires independent authorization in accordance with applicable law.

5.  HIPAA-Compliant Platforms and Business Associate Agreements

All SMS communications containing PHI or SUD treatment information will be transmitted through and stored on technology platforms that are designed, operated, and contractually obligated to comply with applicable HIPAA Security Rule and Privacy Rule requirements.

Specifically, the organization will ensure that:

  • All third-party SMS platform vendors who create, receive, maintain, or transmit PHI on behalf of the organization will be classified as Business Associates under HIPAA;
  • A fully executed Business Associate Agreement (BAA) will be in place with each such vendor prior to any transmission of PHI through that platform;
  • Each BAA will, at minimum, comply with the requirements set forth at 45 CFR § 164.504(e), including provisions governing the use and disclosure of PHI, safeguards, reporting of breaches, and return or destruction of PHI upon termination;
  • Platforms will maintain appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of electronic PHI; and
  • The organization will conduct or obtain documentation of reasonable vendor due diligence to verify that platform security practices meet applicable regulatory standards prior to onboarding and on a periodic basis thereafter.

The organization will not utilize any SMS platform for the transmission of PHI where a BAA cannot be or has not been executed. In the event that a Business Associate Agreement is terminated, expires, or a vendor is determined to be non-compliant, the organization will take prompt remedial action, including transitioning to a compliant platform.

6.  Data Retention and Disposal

SMS communications containing PHI will be retained only for the period necessary to fulfill the purpose for which they were sent, or as required by applicable federal and state law, whichever is longer. Upon expiration of the applicable retention period, such communications will be disposed of in a secure manner consistent with HIPAA requirements and the organization’s data retention and destruction policies.

7.  Patient Rights

Patients retain all rights afforded under HIPAA and 42 CFR Part 2 with respect to information communicated via SMS, including but not limited to the right to access, amend, and request an accounting of disclosures of their PHI. Patients may withdraw consent to receive SMS communications at any time without affecting the legality of prior communications or their right to continue receiving treatment services.

8.  Amendments

The organization reserves the right to amend this Addendum at any time to reflect changes in applicable law, regulatory guidance, or organizational practice. Material amendments will be communicated to patients in accordance with the Notice of Privacy Practices update procedures required under HIPAA.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.