Privacy Policy
Beachmont Behavioral Health (BBH) is committed to protecting the privacy and personal data of all individuals who interact with our organization, including clients, employees, and website visitors. This Privacy Policy describes in detail how BBH collects, uses, stores, protects, and discloses information, and outlines the rights of individuals under applicable laws and regulations.
Applicable Laws and Regulations
This policy is compliant with the following federal and state laws:
Information Practices Act of 1977 (California Civil Code §1798 et seq.)
California Public Records Act (Government Code §6250 et seq.)
Government Code §§11015.5 and 11019.9 – State agency internet privacy policies and conditions for electronic transactions
Title 13 of the California Code of Regulations, Article 5 (commencing at §350.02) – Protection of personal information
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Family Educational Rights and Privacy Act (FERPA)
California Consumer Privacy Act (CCPA)
California Civil Code §1798.82 – Data breach notification requirements
BBH does not share personally identifiable information (PII) or protected health information (PHI) with, or sell it to, third parties for marketing purposes.
I. Client PHI Handling
a. Collection of PHI:
Collected during face-to-face assessments, via secure web forms and phone intakes, and through digital systems such as practice management and related EHR tools.
Includes personal identifiers, diagnostic information, treatment plans, progress notes, service logs, and billing details.
b. Data Security Measures:
All PHI is encrypted both in transit (using HTTPS/TLS protocols) and at rest on HIPAA-compliant servers.
Two-factor authentication is required for systems that store or transmit PHI.
Role-based access controls ensure that only staff with a legitimate clinical or administrative need can access client information.
c. No Marketing Disclosure:
PHI and PII are never sold or disclosed for marketing, advertising, or commercial outreach.
BBH maintains business associate agreements (BAAs) with all vendors who may process PHI.
II. Employee Information Handling
a. Information Collected:
Includes employment applications, background checks, tax documentation (W-4, I-9), payroll data, benefits enrollment, disciplinary actions, and performance evaluations.
b. Storage and Access:
Digital files are stored in a secure HRIS platform with encrypted transmission and role-based access.
Any physical files are kept in locked file cabinets within access-controlled office spaces.
Access is restricted to HR personnel and executive leadership, and usage is logged.
c. Employee Rights:
Employees may request access to their personnel file in accordance with California Labor Code §1198.5.
III. Website Data Collection and Transmission
a. User-Submitted Data:
Includes contact form entries, service inquiries, employment applications, and newsletter subscriptions via BBH’s Squarespace-hosted website.
All form data is transmitted securely using SSL encryption.
b. Cookies and Analytics:
Functional cookies are used to maintain session integrity and accessibility.
Analytical cookies track aggregate, anonymous user behavior to improve site design.
Users are notified via a cookie consent banner in compliance with CCPA regulations.
c. Third-Party Tools:
BBH does not allow third-party marketing trackers on its website.
All web forms include explicit consent statements where applicable.
IV. Practice Management and EHR Data
a. EHR Systems:
BBH uses ReThink Behavioral Health for managing clinical documentation, scheduling, and billing.
This system is certified HIPAA-compliant and designed to meet FERPA obligations for school-based services.
b. Data Protections:
System access is limited via password protection, IP whitelisting, and device security standards.
All data entries and modifications are tracked through audit trails to ensure accountability and transparency.
c. Staff Training:
All employees are trained annually on HIPAA and FERPA compliance, data privacy, and incident response protocols.
V. Text Messaging
a. Secure Messaging Practices:
HIPAA-compliant texting platforms (e.g., Spruce, OhMD) are used for appointment reminders, scheduling changes, and operational updates.
Only the minimum necessary information (e.g., time of appointment) is included in messages.
b. Consent and Opt-Outs:
Clients and employees must provide documented consent before receiving SMS communications.
Opt-out options are clearly provided and honored immediately.
VI. FERPA Compliance
a. Student Privacy Protections:
For school-based ABA programs, educational records are protected under FERPA.
This includes service documentation, behavioral assessments, progress data, and individualized education program (IEP) coordination notes.
b. Disclosure Rules:
BBH will not release education records without signed parental/legal guardian consent unless legally authorized (e.g., in cases of threat, subpoena, or agency audits).
Parents/legal guardians have the right to inspect and request amendments to their child’s education records.
VII. CCPA Rights and Disclosures
a. California Resident Rights:
Under the California Consumer Privacy Act (CCPA), individuals have the right to:
Request disclosure of categories and specific pieces of personal data BBH has collected.
Request deletion of personal data, subject to legal and clinical recordkeeping obligations.
Correct inaccurate information.
Opt out of the sale or use of personal data for commercial purposes.
b. Submitting a Request:
Requests must be submitted in writing to:
Compliance Office
Beachmont Behavioral Health
701 E. Santa Clara St. V-16
Ventura, CA 93001
compliance@beachmontbh.com
c. Verification and Timeline:
BBH verifies the identity of requestors before processing data access or deletion requests.
Responses are issued within 45 calendar days of receipt of a verifiable consumer request.
VIII. Data Breach Notification
a. Internal Assessment:
In the event of unauthorized access, use, or disclosure of PHI/PII, BBH conducts a breach risk assessment within 72 hours of discovery.
b. Notification Requirements:
Affected individuals will receive written notification within 15 calendar days.
Notification will include the nature of the breach, types of information involved, mitigation steps taken, and contact information for further assistance.
c. Regulatory Reporting:
BBH will notify the U.S. Department of Health and Human Services (HHS), the California Attorney General, and any other required authorities in accordance with applicable regulations.
IX. Changes to This Privacy Policy
This Privacy Policy may be updated periodically to reflect changes in legal requirements or organizational practices.
Updates will be posted publicly on the BBH website with an updated effective date.
Substantive changes will be communicated to affected individuals when appropriate.
X. Contact Us
For any questions, concerns, or requests related to privacy or this policy, please contact:
Privacy Officer
Beachmont Behavioral Health
701 E. Santa Clara St. V-16
Ventura, CA 93001
compliance@beachmontbh.com
(805) 232-4711