
Privacy Policy
Last updated: July 30, 2025
1. Introduction
Civitas Health Services Inc. (“Civitas,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal and protected health information (“PHI”) you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites, submit online forms, receive our communications, or otherwise interact with our services (collectively, the “Services”).
 
Healthcare Focus & Legal Compliance – Because we are a behavioral‑health organization, our privacy practices are designed to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), its implementing regulations, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, the Telephone Consumer Protection Act (“TCPA”), the CAN‑SPAM Act, the Virginia Consumer Data Protection Act (“VCDPA”), and other applicable federal and Virginia state laws.
2. Scope
This Policy covers information collected:

  • Directly from you – When you complete referral forms, schedule appointments, request information, or otherwise provide data.

  • Automatically – Through cookies, log files, analytics tools, and similar technologies when you use the Services.

  • From third parties – Such as insurance payers, healthcare providers, or authorized family members, when permitted or required by law.

3. Information We Collect
Category | Examples
Identifying Information | Name, postal address, email, phone, date of birth, Social Security number (when required for insurance).
PHI / Clinical Data | Diagnosis codes, treatment notes, provider information, insurance details, prescription data.
Billing & Insurance | Policy numbers, payment history, eligibility responses, guarantor data.
Technical Data | IP address, device identifiers, browser type, referring pages, time‑stamps, clickstream data.
Communications Preferences | Opt‑in/opt‑out records, marketing consents, survey responses.
We do not knowingly collect information from children under 13 years old without verified parental consent (see Section 11).
4. How We Collect Information

  1. Forms & Portals – Online referral forms, patient portals, and appointment requests.

  2. Cookies & Tracking – Essential, analytics, preference, and limited advertising cookies (see Section 8).

  3. Telephony & Messaging – Call detail records, SMS logs, and voicemail transcriptions (if you contact us).

  4. Third‑Party Integrations – Insurance eligibility APIs, electronic health‑record (“EHR”) platforms, secure patient‑engagement tools.

5. Legal Bases for Processing

  • Treatment, Payment, and Healthcare Operations under HIPAA.

  • Consent – For marketing emails, SMS/text messaging, and certain cookies.

  • Legal Obligation – To comply with federal or state reporting requirements.

  • Legitimate Interests – Quality improvement, IT security, fraud prevention (where consistent with HIPAA and VCDPA).

6. How We Use Your Information

  • Clinical Care – Coordinate treatment, schedule appointments, and share records with your authorized providers.

  • Insurance & Billing – Verify coverage, submit claims, and manage payments.

  • Service Communications – Appointment reminders, portal alerts, emergency notifications.

  • Marketing & Education – With your express consent, send newsletters, wellness tips, or event invitations.

  • Analytics & Improvement – Monitor site performance, optimize workflows, and enhance user experience.

  • Legal & Regulatory – Fulfill reporting duties, respond to subpoenas, and enforce our Terms & Conditions.

7. How We Share or Disclose Information
Recipient | Purpose | Safeguards
Healthcare Providers | Treatment coordination | HIPAA‑compliant secure messaging or EHR exchange
Insurance Payers | Claims & eligibility | Encrypted API connections; minimum necessary data
Business Associates & Vendors | Cloud hosting, SMS gateways, analytics, EHR systems | Executed Business Associate Agreements (“BAAs”); role‑based access
Legal Authorities | Court orders, public‑health reporting | Only as required or permitted by law
With Your Authorization | Release to family, caregivers, or other third parties | Written HIPAA authorization or electronic consent
We never sell PHI or other personal data.
8. Cookies & Tracking Technologies
We use four types of cookies:
Type | Default Status | Purpose
Essential | Always‑on | Maintain log‑ins, secure forms, prevent fraud
Analytics | Consent‑based | Measure traffic (e.g., Google Analytics with IP anonymization)
Preferences | Consent‑based | Remember language, accessibility settings
Advertising | Consent‑based & limited | Track response to our own outreach; no behavioral ads that reveal PHI
You can manage cookies via our banner, browser settings, or by emailing info@civitashealth.com.
9. Phone, SMS, and Email Communications

  • Opt‑In Required – We send marketing or non‑essential texts/emails only after you actively consent (see TCPA & CAN‑SPAM).

  • Opt‑Out Mechanisms – Reply STOP to SMS, click “unsubscribe” in emails, or contact us.

  • Transactional Messages – Appointment reminders or statements may be sent without marketing consent but will follow HIPAA’s minimum‑necessary rule.

10. Data Retention

  • Clinical & Billing Records – Retained for at least 6 years from the date of last service (or longer, if required by Virginia law).

  • Marketing Consents – Stored until you withdraw consent plus 2 years for audit purposes.

  • Cookies & Logs – Analytics data kept for 14 months; server logs for 12 months, unless required for security or legal reasons.

  • We do not share or sell mobile phone numbers or opt-in data to third parties.

11. Children’s Privacy
We provide pediatric services, but all online submissions for minors must be completed by a parent or legal guardian. We do not knowingly solicit personal data from children under 13 without verifiable parental consent, in line with the Children’s Online Privacy Protection Act (“COPPA”).
12. Your Privacy Rights
HIPAA Rights | VCDPA Rights
Access your PHI | Confirm whether we process your personal data
Request amendments | Access and obtain a copy of personal data
Receive an accounting of disclosures | Correct inaccuracies
Request restrictions or confidential communications | Delete personal data
Obtain a copy of this policy | Opt out of targeted advertising, profiling, or sale (we do not sell)
Exercising Rights – Email info@civitashealth.com or write to the address below. We will respond within 30 days (HIPAA) or 45 days (VCDPA).
13. Security Measures

  • Encryption – TLS 1.2+ for data in transit; AES‑256 for data at rest.

  • Access Controls – Multi‑factor authentication, role‑based permissions, audit logging.

  • Network Protections – Firewalls, intrusion detection, regular vulnerability scanning.

  • Incident Response – Documented plan for detection, containment, notification, and remediation of data breaches.

If a breach involves your PHI, we will notify you in accordance with HIPAA Breach Notification Rules and Virginia regulations.
14. International Data Transfers
Our primary servers are located in the United States. If you access the Services from outside the U.S., you consent to your information being transferred to and processed in the U.S., subject to this Privacy Policy.
15. Changes to This Privacy Policy
We may update this Policy periodically. Material changes will be posted on this page with a new “Last updated” date, and—when required—we will seek renewed consent.
16. Contact Us
Civitas Health Services Inc.
20 West Williamsburg Road, Sandston, VA 23150
Phone: (804) 737‑3917
Email: info@civitashealth.com
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights, or with the Virginia Attorney General. We will not retaliate against you for filing a complaint.
© 2025 Civitas Health Services Inc. All rights reserved.
