Digital Platform Privacy Policy

Last updated May 1, 2024

Introduction

The Center for Autism Spectrum Treatment (“CAST”) is part of Opya, Inc., a leading multidisciplinary early intervention autism therapy provider. CAST, as part of Opya, Inc., adheres to the privacy policy set forth here.

Opya, Inc. (hereinafter collectively referred to as “Opya”, “Company,” “we,” “us” or “our”) is committed to protecting your privacy. The following discloses our information-gathering and dissemination practices for our Company’s websites at opyacare.com and castautism.com (the “Website”, “Digital Platform”) in this Digital Platform Privacy Policy (“Policy”) unless otherwise and explicitly stated. Users on our Digital Platform are referred to herein as “you” from time to time. This Policy explains how we collect, use, disclose, and protect your Personal Information collected on our Digital Platform. This Policy describes what categories of personal data we collect, the purposes we use that data for, your choices regarding our use of your personal data, our security measures, and how you can review and correct our data about you. By accessing our Digital Platform, you consent to the data collection and use practices described in this privacy statement.

HIPAA Privacy

This Digital Platform Privacy Policy is distinct from our Notice of Privacy Practices, which is a special notice required by a federal privacy law known as the HIPAA Privacy Rule. The Opya Notice of Privacy Practices describes how we use “individually identifiable health information” collected by Opya, both online and offline, to provide services to you and to administer the various programs that we administer. Our Digital Platform Privacy Policy describes how we use your Personal Information that we collect from you on our Digital Platform. The Opya Notice of Privacy Practices describes how we use your individually identifiable health information that we may collect from you in another manner.

This Digital Platform Privacy Policy makes distinctions between Personal Information contained in a Personal Health Record (“PHR”) that you might choose to maintain through one of our secure web portals and personal information otherwise provided through our general publicly available website. This Digital Platform Privacy Policy is distinct from the Notice of Privacy Practices, which is a special notice that describes how we may use and disclose your protected health information (“PHI”) to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law.

This Privacy Policy distinguishes between Personal Information contained in a Personal Health Record (“PHR”) that you might choose to maintain through on one of our secure web portals and personal information otherwise provided through our general publicly available website. This Website Privacy Policy is distinct from the Notice of Privacy Practices, which is a special notice that describes how we may use and disclose your protected health information (“PHI”) to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law.

Data Collection

  • Data collected directly from visitors. This Policy applies to the operation of the Website that directly links to this statement when you click on “Privacy Policy” in the website footer. Through the Website, we may collect information that can identify you, such as your name, address, telephone number, e-mail address, and other similar information (“Personal Information” or “Your Information”) when it is voluntarily submitted to us (see discussion below about “IP Addresses” if you have a broadband connection). We will use your Personal Information to respond to requests you may make of us, and from time to time, we may refer to your Personal Information to better understand your needs and how we can improve our Website, products, and services. You are not required to provide this information; however, if you choose not to, we may not be able to provide you the requested service.
  • Data collected automatically. The Website may use a technology known as web beacons – sometimes called single-pixel gifs – that allow this site to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. Web log information is gathered when you visit one of our webpages by the computer (called a “webserver”) that hosts our Website . The webserver automatically recognizes some non-personal information, such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using (e.g., Edge), the type of operating system you are using (e.g., Windows 10), and the domain name and address of your Internet service provider (e.g., AT&T). We may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened.

This Website may use a technology called a “cookie”. A cookie is a piece of information that our webserver sends to a browser file on your computer when you access a website. When you come back to our Website, we will detect whether you have one of our cookies on your computer. Our cookies help provide additional functionality to the site and help us analyze site usage more accurately. For instance, our site may set a cookie on your browser that keeps you from needing to remember and then enter a password more than once during a visit to a site.

  • Website uses Internet Protocol (IP) Addresses. An IP Address is a number assigned to your computer by your Internet service provider so you can access the Internet. Generally, an IP address changes each time you connect to the Internet. Note, however, that if you have a broadband connection, depending on your individual circumstance, it is possible that your IP Address that we collect, or even perhaps a cookie we use, may contain information that could be deemed identifiable. This is because, with some broadband connections, your IP Address does not change and could be associated with your personal computer. We use your IP address to report aggregate information on use and to help improve the Website. Any other information transferred by you in connection with your visit to our Website (“Other Information” – that is, information that cannot be used to identify you) may be included in databases owned and maintained by Opya or its agents. Opya retains all rights to these databases and the information contained in them. Other Information we collect may include your IP Address and other information gathered through our weblogs and cookies.

Our Use of Personal Data

We will use Personal Information only for the purposes set forth below.

  • Services and Transactions. We use your Personal Information to deliver treatment services or execute transactions you request, such as answering customer service requests, providing information about our products and services, and processing orders. We may also enhance or merge your Personal Information with data obtained from third parties for the same purposes.
  • Marketing Communications. With your permission, we may use Your Information to inform you of products or services available from the Company. When collecting information that might be used to contact you about our products and services, we give you the opportunity to opt-out from receiving such communications. Moreover, each email communication we send includes an unsubscribe link allowing you to stop delivery of that type of communication. If you elect to unsubscribe, we will, within 10 business days, remove you from the relevant email list.
  • Employment Applications. In connection with a job application or inquiry, you may provide us with data about yourself, including your educational background, resume, and other information, including your ethnicity, sex, veteran status or other identifying information, where required or permitted by law. We may use your Personal Information for the purpose of employment consideration. We will keep the information for future consideration unless you direct us not to do so.
  • Website Improvement. We may use data about you to improve our Website (including our security measures) and related products or services.

Disclosure of Personal Information

Except as described below, Personal Information that you provide to us via our Digital Platform will not be shared outside of Opya, or its business partners who have agreed to maintain the confidentiality of your Personal Information, without your consent.

  • Sharing Data with our Contractors. We may share Your Information with agents, contractors, or partners of Opya in connection with services that these individuals or entities perform for, or with, Opya. These agents, contractors, or partners are restricted from using this data in any way other than to provide services for Opya, or services for the collaboration in which they and Opya are engaged (for example, some of our products may be developed and marketed through joint agreements with other companies). We may, for example, provide your information to agents, contractors, or partners for hosting our databases, for data processing services, or so that they can send you information that you requested.
  • Security Matters. Opya reserves the right to share your Personal Information to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state, or company security is at issue, Opya reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.
  • Business Sale. We may also provide your Personal Information to a third party in connection with the sale, assignment, or other transfer of the business of the Digital Platform to which the information relates, in which case we will require any such buyer to agree to treat Your Information in accordance with this Privacy Policy.
  • Information You Make Public Through Use of Our Services and User Privacy Settings. Our Digital Platform may contain certain features that give you an opportunity to interact with Opya and others. These may include chats, forums, message boards, and personal community profiles. When you use these features, you should be aware that any information you submit, including your name, location and email address, may be publicly available to anyone, including other users, search engines, advertisers, third party application developers, and anyone else with access to our Online Services. We are not responsible for any information you choose to submit and make public through these interactive features.

Security

Areas of our Digital Platform that collect Your Information use industry standard secure socket layer encryption (SSL); however, to take advantage of this, your browser must support encryption protection. Additionally, we take the security of your information very seriously, and enforce additional security efforts via physical, electronic, and managerial procedures. We cannot guarantee the security of PII (Personally Identifiable Information) transmitted to us. We highly recommend that you take all precautions to protect your PII while you are on the internet.

Reviewing Personal Data

In some cases, you can review and correct your Personal Information provided through our Digital Platform by going to the page on which you provided the data.

International Transfers of Personal Data

Personal data collected on our Digital Platform may be stored and processed in the United States or another country where our service providers are located. By choosing to use our Digital Platform and to provide data to it, you consent to any such transfer of information. We offer our Services only to individuals located in the United States, and we do not advertise our Services outside the United States. If you are located outside the United States and choose to provide your Personal Information to us, please note that we may transfer your Personal Information to the United States or another country where our service providers are located, and such countries may not provide the same data protection. Those who choose to access and use the Services from outside the United States do so on their own initiative, at their own risk, with this understanding.

Links to other Websites

As a convenience to our visitors, our Digital Platform may contain links to a number of sites that we believe may offer useful information.

Children

We are committed to protecting the privacy of children in connection with the use of our Services. Our Digital Platform is not intended for use by individuals under the age of 18. We do not knowingly collect Personally Identifiable Information (“PII”) from any individual under the age of 18. If you become aware that your child has provided us with personal information without your consent, please contact us at privacy@opyacare.com.

California Privacy Rights

With respect to the California Consumer Privacy Act of 2018 (“CCPA”), you have certain rights in relation to the Personal Information you share with us.

  • The right to access. You have the right to know and request access to details around the Personal Information that we collect about you. These details include our use of your Personal Information, the categories of third parties with whom your Personal Information is shared, the categories of Personal Information we have collected about you, the categories of sources from which we collect your Personal Information, and the specific pieces of your Personal Information that we collect. These rights are subject to certain exceptions. For example, we cannot share specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of that Personal Information, your account, or the security of our systems of networks.
  • The right to opt-out of the sale of your Personal Information. We do not sell your Personal Information and would not without your consent.
  • The right to delete. You have the right to request the deletion of your Personal Information. However, exemptions to this right exist if the Personal Information pertains to HIPAA as outlined under California Civil Codes 1798.145(c)(1)(A) and 1798.145(c)(1)(B). Under these codes, information is exempt if it pertains to treatment, payment, or healthcare operations; and if it is properly stored within the guidelines of HIPAA regulations.
  • The right to non-discrimination for exercising your rights.We will not discriminate against you for exercising your legal rights. This extends to the level of quality of services and goods, associated fees or charges, and the denial of any services and goods. If you wish to exercise your rights as outlined above, please see the section below, “Questions about your privacy practices”, for contact information.

Questions about our Privacy Practices

If you have questions regarding this Policy or would like to be removed from our email marketing list, please contact us by email – privacy@opyacare.com, or by mail at: Opya, Inc. Attn. Privacy Policy Matters, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402

You can also make a request to review and correct your Personal Information collected via our websites or submit any inquiries or concerns you may have regarding your Personal Information. We may take steps to verify your identity before providing you access to personal data.

Changes to this Privacy Statement

We may modify this Policy from time to time. We encourage you to read this Policy periodically to ensure you have up-to-date knowledge of our privacy practices. The date of change will be shown next to “Last Updated” at the top of this page. By continuing to access or use the Services after changes to this Policy become effective, you accept the revised Policy. If any changes are unacceptable to you, you may stop using our Services at any time.

Notice of Privacy Practices

Effective Date: May 1, 2024

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT A CLIENT MAY BE USED AND DISCLOSED AND HOW CLIENT AND/OR A PARENT/GUARDIAN CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Opya, Inc. (“Opya”, “we”, “us”) is required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide confidentiality for all medical/mental health records and other individually identifiable health information in our possession. This Notice is to inform you of the uses and disclosures of confidential information that may be made by Opya, Opya’s legal duties with respect to confidential information, and of your individual rights.

Our Pledge Regarding Medical And/or Mental/Behavioral Health Information 

  • We understand that information about you and your health is personal.
  • We are committed to protecting information about you.

We create a record of the care and services you receive. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by us.

Ways in which we may use and disclose your Protected Health Information (PHI): 

We may use and disclose, at our discretion, your health information for each of the following purposes only. For each category of uses or disclosures, we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the following categories:

  • Disclosure at Your Request. We may disclose information when requested by you. This disclosure at your request may require a written authorization by you.
  • For Treatment. We may disclose information for providing, coordinating or managing treatment and related services.
  • For Payment. We may use and disclose information about you so that the treatment and services you receive may be billed to and payment collected from you, an insurance company or a third party. For example, we may need to give information about treatment you received to your health plan so it will pay us or reimburse you for the treatment.
  • Health Care Operations. We may use and disclose information about you for health care operations. These uses and disclosures are necessary to run our facility and make sure that you receive quality care. For example, we may use information to review our treatment and services and to evaluate the performance of our staff in caring for you.
  • Incidental Uses and Disclosures. There are certain incidental uses or disclosures of your health information that occur while we are providing services to you or conducting our business. For example, other individuals waiting in the same area may hear your name called. We will make reasonable efforts to limit these incidental uses and disclosures.
  • Members of Our Workforce. It is our policy to allow members of our workforce to share client health information with one another to the extent necessary to permit them to perform their legitimate functions. At the same time, we will work with and train our workforce members to ensure that there are no unnecessary or extraneous communications that will violate your rights to have the confidentiality of your health information maintained.
  • Business Associates. Opya may contract with certain individuals or entities to provide services on its behalf. Examples include data processing/data exchange, quality assurance, legal or accounting services. We may disclose health information to a business associate, only as necessary, to allow the business associate to perform its functions on behalf of Opya. We will have a contract with our business associates which obligates them to maintain the confidentiality of your health information.
  • Appointment Reminders. We may use or disclose information about you to inform you about appointments.
  • Family Members or Others You Designate. We may disclose your information with your family members or others you designate as a caregiver so long as the information is limited to information directly relevant to that person’s involvement in the client’s care. For example, we may tell a person living with you that you need plenty of rest. We will not disclose your information if you specifically request that we do not.
  • As Required by Law. We will disclose information about you when required to do so by federal, state or local law.
  • Research. We may occasionally conduct studies that may involve your current care, or that involve reviews of your medical history. For example, research is ongoing to advance care, to compare the health of patients who have received one medication with those who have received another treatment for the same condition, and to learn from medical record studies. We generally ask for your written authorization before using your health information or sharing it with others to conduct research. Under limited circumstances, we may use and disclose your health information without your authorization. In most of these latter situations, we must comply legally and obtain approval through an independent review process to ensure that research conducted without your authorization poses minimal risk to your privacy. Researchers may also contact you to see if you are interested in, or eligible to participate, in a study.

Special Situations that Do Not Require Your Authorization 

  • Public Health Activities. We may disclose information about you for public health activities. These activities may include, without limitation, the following:
    • To prevent or control disease, injury or disability;
    • To report regarding the abuse or neglect of children, elders and dependent adults;
    • To notify a person whom may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
    • To notify emergency response employees regarding exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
  • As Required by Law. We will use and disclose your protected health information when required by federal, state or local law. There are certain situations in which as a provider we may be required to reveal information obtained during therapy to persons or agencies even if you do not give permission. These situations are as follows: (a) If you threaten grave bodily harm or death to yourself or another person, we may be required to inform the intended victim and/or appropriate law enforcement agencies; (b) if you report to us your knowledge of physical or sexual abuse of a minor child, or of an elder (over 65), or any sexual conduct/contact with a minor; we are required by law to inform the appropriate child welfare or social agency which may then investigate the matter; (c) if we are required by a court of law (court order) to turn over records to the court or if we are ordered to testify regarding those records.
  • Multidisciplinary Personnel Teams. We may disclose information to a multidisciplinary personnel team relevant to the prevention, identification, management or treatment of an abused child and the child’s parents, or elder abuse or dependent adult and neglect.
  • Therapy Notes. Therapy notes are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session; or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. We may use or disclose your therapy notes, as required by law, or:
    • For use by the originator of the notes;
    • In supervised mental health training programs for students, trainees, or practitioners;
    • By the covered entity to defend a legal action or other proceeding brought by the individual;
    • To prevent or lessen a serious and imminent threat to the health or safety of a person or the public;
    • For the health oversight of the originator of the psychotherapy notes.  

Your Rights Regarding Medical and/or Mental/Behavioral Health Information About You:

  • Right to Inspect and Copy. You have the right to inspect and obtain a copy of information that may be used to make decisions about your care. Usually, this includes medical and billing records, but may not include some mental health information. To inspect and obtain a copy of information that may be used to make decisions about you, you must submit your request in writing to quality@opyacare.com or to Opya, Inc., Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and obtain a copy in certain, very limited circumstances. If you are denied access to mental health/behavioral information, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
  • Right To Amend. If you feel that information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by us. To request an amendment, your request must be made in writing and submitted to quality@opyacare.com or to Opya, Inc., Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402. In addition, you may provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
    • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
    • Is not part of the information kept by or for us;
    • Is not part of the information which you would be permitted to inspect and copy;
    • Is accurate and complete.

Even if we deny your request for amendment, you have the right to submit a written addendum, not to exceed 250 words, with respect to any item or statement in your record you believe is incomplete or incorrect. If you clearly indicate in writing that you want the addendum to be made part of your health record, we will attach it to your records and include it whenever we make a disclosure of the item or statement you believe to be incomplete or incorrect.

  • Right To An Accounting Of Disclosures. You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of information about you other than our own uses for treatment, payment and health care operations (as those functions are described above), and with other exceptions by law. To request this list of accounting of disclosures, you must submit your request in writing to quality@opyacare.com or to Opya, Inc. Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402. Your request must state a time period which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred. In addition, we will notify you as required by law following a breach of your unsecured protected health information.
  • Right To Request Restrictions. You have the right to request a restriction or limitation on the information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a therapy you received. We are not required to agree to your request, except to the extent that you request us to restrict disclosure to a health plan or insurer for payment or health care operations purposes if you, or someone else on your behalf (other than the health plan or insurer), has paid for the item or service out of pocket in full. Even if you request this special restriction, we can disclose the information to a health plan or insurer for purposes of treating you. If we agree to another special restriction, we will comply with your request unless the information is needed to provide you emergency treatment. To request restrictions, you must make your request in writing to quality@opyacare.com or to Opya, Inc., Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402. In your request, you must tell us 1) what information you want to limit; 2) whether you want to limit our use, disclosure or both; and 3) to whom you want the limits to apply; for example: disclosures to your spouse.
  • Right To Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to quality@opyacare.com or to Opya, Inc, Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
  • Right To A Paper Copy Of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. To obtain a paper copy of this notice contact quality@opyacare.com or Opya, Inc., Attn: Records, 400 Concar Dr. Suite 04-134, San Mateo, CA 94402.

Other Uses Of Medical Health Information. Other uses and disclosures of information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose information about you, you may revoke the permission, in writing, at any time. If you revoke your permission, this will stop any further use or disclosure of your information for the purposes covered by your written authorization, except if we have already acted in reliance on your permission. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.

Changes To This Notice. We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for information we already have about you, as well as any information we receive in the future. We will post a copy of the current notice in the facility. The notice will contain the effective date on the first page.

Complaints. If you believe your privacy rights have been violated, you may file a complaint with us and by contacting the U.S. Department of Health and Human Services, Office of Civil Rights by sending a letter to: 90 7th Street, Suite 4-100, San Francisco, CA 94103, Attention: OCR Regional Manager; and/or by calling (800) 368-1019, faxing (202) 619-3818, TDD (800) 537-7697 or by emailing OCRmail@hhs.gov. All complaints must be submitted in writing. Opya will not retaliate or otherwise penalize you if you file a complaint.