Breakthrough Privacy Policy

Breakthrough Behavioral, Inc. (“Breakthrough”) knows that you care about how your personal information is used and shared and takes your privacy seriously.

Breakthrough is an e-health platform that we offer to connect patients with our network of affiliated mental health professionals (“Treatment Providers”) to obtain online counseling and therapy services. “Treatment Providers” includes employees, agents, or independent contractors of Treatment Providers. “Breakthrough” or the terms “we” or “us” or similar terms refer to Breakthrough Behavioral, Inc. “You” or “your” or similar terms refer to you as a user of our Services (defined below).

THIS PRIVACY POLICY IS BOTH AN AGREEMENT HEREBY ENTERED INTO BY YOU AND BREAKTHROUGH, AND THE POLICY OF BREAKTHROUGH IN MAKING THE SERVICES AVAILABLE TO YOU.

1. Our Promise to You.

We know you are entrusting us with some of your most personal and valuable information, including your personal health information. Your trust is built, in part, on our commitment to respect the privacy and confidentiality of your health information. We are committed to safeguarding and protecting your personal information, including health information.

We are providing this Privacy Policy to inform you of our policies and procedures regarding the collection, use, and disclosure of the information that we collect and receive from users of our e-health platform at and through our website, www.breakthrough.com (the “Site”).

The Breakthrough e-health platform includes, without limitation, the following services (collectively, the “Services”):

(a) the facilitation of electronic or telephonic communications with Treatment Providers,

(b) the provision of appointment scheduling and reminders, claims submission and processing, and other services related to online counseling and therapy for both our registered users and Treatment Providers, and

(c) the provision of other information about Breakthrough and our products and services through the Site.

This Privacy Policy applies only to information that you provide to us through the Services. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Service [website link to Terms of Service] (the “Terms”).

By accepting our Privacy Policy during registration, or by visiting the Site and/or using the Services, you expressly consent to our collection, use, and disclosure of your Personal Information (as defined below) in accordance with this Privacy Policy.

As used in this Privacy Policy, the terms “using” and “processing” information include using cookies on a computer, subjecting the information to statistical or other analysis, and using or handling information in any way, including, without limitation, collecting, storing, evaluating, modifying, deleting, using, combining, disclosing, and transferring information within our organization or among our affiliates or with Treatment Providers within the United States or internationally.

2. Collection and Use of Information – In General.

When using our Services, we will ask you for certain personally identifiable information. This refers to information about you that can be used to contact or identify you, and information on your use or potential use of the Services and related services (collectively, “Personal Information”). Personal Information that we might collect would include things like your name, phone number, gender, occupation, hometown, personal interests, credit card or other billing information, your email address and the email address of your contacts, home and business postal addresses, website URLs, insurance data (such as your insurance carrier and insurance plan), certain health information (such as health care providers you have seen, your reason for scheduling an appointment with a Treatment Provider, and your medical history), and any other information or data that you provide when using the Services. We also collect information you provide voluntarily in free-form text boxes on the Site and through responses to surveys, questionnaires and the like. If you communicate with us by, for example, email, facsimile or letter, any information provided in such communication may be collected as Personal Information.

The main reason we collect Personal Information from you is to provide you a safe, smooth, efficient, and customized user experience. The collection of Personal Information also enables our users to establish a user account and profile that can be used to interact with Treatment Providers and other users through the Site. We only collect Personal Information we consider important to achieve that goal. You always have the option not to provide some, or any, Personal Information by either choosing not to become a registered user of the Services, or else by skipping the particular feature of the Services for which the Personal Information is being collected. You can use some of the Services anonymously, but once you become a registered user of the Services, we will ask you to provide Personal Information, such as:

· Contact and identity information (e.g., mailing address and phone number)

· Insurance and other billing information (e.g., credit card number)

· Health information (e.g., date of birth, past health history, allergies)

· Other personal information as indicated (our forms indicate what information is required, and what information is optional)

You are under no obligation to provide us with this Personal Information. We use your Personal Information to provide the Services and administer your inquiries. You may change some of the information that you provide. Please see “Changing or Deleting Your Information” below for further information.

3. How We Use Your Non-Medical Personal Information.

Some of the Personal Information we collect from you is unrelated to your receipt of counseling and therapy services through the Services. Examples of how we may use your Personal Information include, but are not limited to, the following:

· Enable you to easily navigate the Services

· Resolve service and billing problems via telephone or email

· Troubleshoot technical problems

· Bill any amounts due from you

· Better understand users’ needs and interests

· Personalize your experience

· Detect and protect us against error, fraud, and other criminal activity

· Enforce our Terms

· Provide you with system or administrative messages, and as otherwise described to you at the time of collection

· Provide you with further information and offers from us that we believe you may find useful or interesting

If you decide at any time that you no longer wish to receive certain communications from us, please follow the unsubscribe instructions provided in any of the communications or select the appropriate option in your user profile. (See “Changing or Deleting Your Information,” below.) You cannot elect to unsubscribe some administrative communications, such as notification of new messages from your Treatment Providers. To stop receiving these communications, you will need to deactivate your account.

4. How We Use Your Medical Personal Information (PHI).

We are dedicated to maintaining the privacy and integrity of your protected health information (“PHI”). PHI is information about you that may be used to identify you (such as your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. In providing the Services, we will receive and create records containing your PHI, and may use it to assist you in scheduling appointments, remind you of upcoming or follow-up appointments, inform you of canceled appointments, allow Treatment Providers to make appointments with other Treatment Providers on your behalf through the Services, bill amounts due for health care services provided by a Treatment Provider under the Services or the Site, develop and conduct surveys with you to assist in providing you better Services, conduct our management and administrative activities, and otherwise as stated in this Privacy Policy. We may also use your de-identified PHI to run (or authorize third parties to run) statistical research on individual or aggregate health or medical trends. Such research would only use your PHI in an anonymous manner that cannot be tied directly back to you. We are required by law to maintain the privacy and confidentiality of your PHI, and we operate the Services consistent with applicable federal and state laws governing health information privacy and security.

This Privacy Policy describes how we protect your privacy as a general user of the Services, not as a patient receiving mental health advice or consultation through the Services from a Treatment Provider. If you are a patient receiving mental health advice or consultations through the Services from a Treatment Provider, you have other rights with respect to the access, use, and disclosure of PHI. For a more complete description of a patient’s rights under HIPAA, please refer to your Treatment Provider’s Notice of Privacy Practices, which provides important information to you about how your PHI may be used and disclosed.

5. Log Data.

When you visit the Services, our servers automatically record information that your browser sends whenever you visit a website (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, or the webpage you were visiting before you came to our Services, pages of our website and Services that you visit, the time spent on those pages, information you search for on our Services, access times and dates, and other statistics. We use this information to monitor and analyze use of the Services and for the Services’ technical administration, to increase our Services’ functionality and user-friendliness, and to better tailor it to our visitors’ needs. For example, some of this information is collected so that when you visit the Services again, it will recognize you and provide information appropriate to your interests. We also use this information to verify that visitors to the Services meet the criteria required to process their requests.

Generally, our service automatically collects usage information, such as the numbers and frequency of visitors to our site and its components, similar to TV ratings that indicate how many people watched a particular show. Breakthrough only uses these data in aggregate form, that is, as a statistical measure, and not in a manner that would identify you personally. These type of aggregate data enable us to figure out how often users use parts of the Site or the Services so that we can improve the Services.

6. Cookies.

We also use “cookies” to collect information. A cookie is a small data file that we transfer to your computer’s hard disk for record-keeping purposes. We use cookies for two purposes. First, we may utilize persistent cookies to save your user credentials for future logins to the Services. Second, we may utilize session ID cookies to enable certain features of the Services, to better understand how you interact with the Services and to monitor aggregate usage by users of the Services and web traffic routing on the Services. Unlike persistent cookies, session cookies are deleted from your computer when you log off from the Services and then close your browser. We may work with third parties that place or read cookies on your browser to improve your user experience.

You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all portions or all functionality of the Services.

7. Web Beacons.

We may also occasionally use “web beacons” (also known as “clear gifs,” “web bugs,” “1-pixel gifs,” etc.) that allow us to collect non-personal information about your response to our email communications, and for other purposes. Web beacons are tiny images, placed on a Web page or e-mail, that can tell us if you have visited a particular area of the Services. For example, if you have given us permission to send you emails, we may send you an email urging you to use a certain feature of the Services. If you do respond to that email and use that feature, the web beacon will tell us that our email communication with you has been successful. We do not collect any PHI with a web beacon, and do not link web beacons with any PHI you have given us.

Because Web beacons are used in conjunction with persistent cookies (described above), if you set your browser to decline or deactivate cookies, Web beacons cannot function.

8. Emails.

We may use a third-party vendor to help us manage some of our email communications with you. While we may supply this vendor with email addresses of those we wish them to contact, your email address is never used for any purpose other than to communicate with you on our or your Treatment Provider's behalf. When you click on a link in an email, you may temporarily be redirected through one of the vendor’s servers (although this process will be invisible to you) which will register that you have clicked on that link, and have visited our Services. We also often receive a confirmation when you open an email from Breakthrough if your computer supports this type of program. Breakthrough uses this confirmation to help us make emails more useful to you.

Secure electronic messaging is always preferred to insecure email, but under specific circumstances, insecure email communication containing PHI may take place between you and Breakthrough.

For your convenience, Breakthrough lets you choose whether to receive email communications containing PHI. This email communication is not encrypted and may include messages from your Treatment Provider, appointment reminders, treatment referrals, and prescription information.

You should consider that standard email is not a secure means of communication. There is some risk that any PHI contained in email may be disclosed to, or intercepted, printed, or stored by, unauthorized third parties. Breakthrough cannot ensure the security or confidentiality of messages sent by email.

You will receive email communication from Breakthrough and Treatment Providers. If you choose to receive PHI in emails, you authorize Breakthrough to send you messages that include PHI, which may include disclosure of mental illness, substance abuse, and sexually transmitted disease. This authorization indicates you understand and accept the risks involved with insecure email communication of your PHI.

You may always elect not to receive message content containing PHI. In that case, you would instead receive secure notifications of new messages that require you to log in to Breakthrough’s secure site to read message content. We recommend this option if you want to increase the security and confidentiality of your communications on Breakthrough.

Even if you have requested us to send email containing PHI to you, you may revoke this request by changing this setting at any time on the user registration page, at the bottom of emails from Breakthrough, or in your account profile.

Even if you have given us permission to send emails to you, you may revoke that permission at any time by following the “unsubscribe” information at the bottom of each such email.

9. Messages and Transactions.

Comments or questions sent to us using email or secure messaging forms will be shared with our staff who are most able to address your concerns. We will archive your messages once we have made our best effort to provide you with a complete and satisfactory response. However, these communications will not become part of your medical record (or other appropriate treatment record) unless and until you use the Services to obtain mental health advice or a consultation from a Treatment Provider.

When you use a service on the secure section of the Services to interact directly with Treatment Providers, some information you provide may be documented in your medical record or other appropriate treatment record, and available for use to guide your treatment as a patient.

10. Information Sharing and Disclosure

We will not rent, sell, or share Personal Information about you with other people or non-affiliated companies except to provide the Services, when we otherwise have your permission, or under the following circumstances:

· Treatment Providers. When you use the Site to access mental health services, you will be sharing your Personal Information with a Treatment Provider via the Services. By using the Services, you expressly consent to sharing your Personal Information with your Treatment Provider, and you understand that all information shared with your Treatment Provider is subject to your Treatment Provider’s professional and legal duties of confidentiality and responsibility, which Breakthrough does not control. To increase coordination of care and reduce overhead for you, you authorize the sharing of this information with other Treatment Providers on Breakthrough who you elect to contact.

· Group Sessions. If you enter a group session, any information you provide during the session, which could include posts, video, and audio, will be shared with the other group participants.

· User Profiles. User profile information, including your name, location, and other information you enter in your profile, may be displayed to your Treatment Providers to facilitate user interaction with the Site.

· Communications in Response to User Submissions. As part of the Site and the Services, you may receive from Breakthrough and other users email and other communications relating to your requests, mental health services, and other transactions. When you transmit information relating to your mental health services needs, Breakthrough and the Treatment Providers you select may send you emails and other communications that they determine in their sole discretion relate to your mental health services needs.

· Aggregate Information and Non-Identifying Information. We may share aggregated information that does not include Personal Information and we may otherwise disclose non-identifying Information and Log Data with third parties for industry analysis, demographic profiling, and other purposes. Any aggregated information shared in these contexts will not contain your Personal Information.

· Service Providers. We may employ third-party companies and individuals to process your payments, facilitate our Services, to provide the Services on our behalf, to perform Services-related services (including, without limitation, maintenance services, database management, web analytics and improvement of the Services’ features), or to assist us in analyzing how our Services are used. These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

· Compliance with Laws and Law Enforcement. We cooperate with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect the property and rights of Breakthrough or a third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, any illegal, unethical or legally actionable activity. This includes, without limitation, exchanging information with Treatment Providers and law enforcement in response to Treatment Providers’ professional and legal responsibilities.

· Business Transfers. We may sell, transfer or otherwise share some or all of our assets, including your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets, or in the event of bankruptcy.

PLEASE NOTE THAT ANY INFORMATION, TEXT AND IMAGES THAT YOU POST OR DISCLOSE ON OR THROUGH PUBLIC PORTIONS OF THE SITE, OR ANY OTHER PUBLIC FORUMS, BECOMES PUBLIC INFORMATION AND MAY BE AVAILABLE TO VISITORS TO THE SITE AND/OR SEARCHABLE VIA THE INTERNET. Information regarding your activities in such Services may also be available for view by other users (for example, other users may be able to view a list of all postings you have made in all available forums). We urge you to exercise discretion and caution when deciding to disclose your Personal Information through a forum or otherwise through the Site. BREAKTHROUGH IS NOT RESPONSIBLE FOR THE USE OF ANY PERSONAL INFORMATION YOU VOLUNTARILY DISCLOSE THROUGH A FORUM OR OTHERWISE THROUGH THE SITE OR THE SERVICES.

11. Changing or Deleting Your Information.

You may review, update, correct or delete some portions of your Personal Information in your registration profile by making the appropriate modifications in your user account settings or by contacting us at techsupport@breakthrough.com Some Personal Information, such as your answers to online assessments, may not be updateable or deleted once submitted. If you delete certain information required to receive Services, such as a credit card on file, then you may no longer be able to receive Services and your account may be deactivated. If you would like us to remove your records from our system, please contact us and we will attempt to accommodate your request if we do not have any legal obligation to retain the records.

Please note that we may need to retain certain information for recordkeeping purposes, and there may also be residual information that will remain within our databases and other records, which, irrespective of any efforts by us to delete information, will not be removed from them. We also reserve the right, from time to time, to re-contact former users of the Site. Finally, we are not responsible for removing information from the databases of third parties with whom we have already shared Personal Information about you.

12. Security.

We employ administrative, physical, and technical measures designed to safeguard and protect information under our control from unauthorized access, use, and disclosure. Except for appointment reminders, treatment referrals and prescription information, these measures include encrypting your communications by utilizing Secure Sockets Layer (“SSL”) software, and using a secured messaging service when we send your Personal Information electronically. In addition, when we collect, maintain, access, use, or disclose your Personal Information, we will do so using systems and processes consistent with information privacy and security requirements under applicable federal and state laws, including, without limitation, HIPAA. Except when you have requested us to send emails to you outside of the secure section of our Services and the Site, all electronic PHI will be encrypted when we store it or transmit it, and we will use secure servers that we will back up regularly.

We will make any legally required disclosures of any breach of the security, confidentiality, or integrity of your Personal Information, including, without limitation, breaches of your unencrypted electronically stored “personal information” (including but not limited to PHI or “medical information” (as defined in applicable state statutes on security breach notification)). To the extent permitted by applicable laws, we will make such disclosures to you via email or conspicuous posting on the Services in the most expedient time possible and without unreasonable delay, insofar as consistent with (i) the legitimate needs of law enforcement or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Despite these measures, the confidentiality of any communication or material transmitted to or from us via the Services by Internet or email, or any electronic storage system, cannot be guaranteed. As a result, although we strive to protect your Personal Information, we cannot ensure or warrant the security of any information you transmit to us through or in connection with the Site or that is stored by us. You acknowledge and agree that any information you transmit through the Site or upload for storage in connection with the Site is so transmitted or stored at your own risk. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any Account you might have with us has been compromised), you must immediately notify us of the problem by contacting us in accordance with the “Contacting Us” section below (note that if you choose to notify us via physical mail, this will delay the time it takes for us to respond to the problem). In addition, if you have privacy or data security related questions, please feel free to contact the office identified at the end of this document.

13. Our Employees.

Every one of our employees, whose job might allow them to come into contact with your Personal Information has completed HIPAA training and job-specific training on how to protect and respect your Personal Information, including your PHI. We have clear policies in place in the event of a privacy or security concern regarding your Personal Information, so we can react quickly and resolve the issue appropriately. We will limit access to your Personal Information to personnel who have a need to know it for purposes of delivering our Services. All of our personnel must comply with our restrictions on access, use, and disclosure of PHI or face disciplinary action, up to and including termination.

14. International Transfer.

Your information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide information to us, we may transfer your Personal Information to the United States and process it there. Your submission of such information represents your agreement to that transfer.

15. Links to Other Sites.

We may offer you the opportunity to access third-party content, services, or products by linking to a third party’s website. If you choose to visit an advertiser by “clicking on” a banner ad or other type of advertisement, or click on another third party link, you will be directed to that third party’s website. The fact that we may link to a website or present a banner ad or other type of advertisement is not an endorsement, authorization, or representation of our affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices. We do not exercise control over third-party websites. These other websites may place their own cookies or other files on your computer, collect data or solicit personal information from you. Other services follow different rules regarding the use or disclosure of the Personal Information you submit to them. Our Privacy Policy only applies to the Services and we are not responsible for the privacy practices or the content of other websites. You should check the privacy policies of those sites before providing your Personal Information to them.

16. Children.

The Services are not directed to children. We do not knowingly allow or solicit anyone under the age of 13 to participate independently in any of the Services. We do not knowingly collect personally identifiable information from children, except in the context of a Treatment Provider’s mental health consultation through the Services when a parent is present and has consented to treatment. If a parent or guardian becomes aware that his or her child has provided us with Personal Information without their consent, please contact us at tech support@breakthrough.com. Access to the Services for dependents (children over the age of 3 or a spouse or domestic partner) is only permitted through the primary account holder’s username and password. Minors are not allowed to use the Services without parental consent and assistance. If we become aware that a user of the Services is under the age of 13 and has provided us with Personal Information without verifiable parental consent, we may delete such information from our files and may deactivate the related account.

17. Agreement and Changes.

By using the Services, you agree to the current Privacy Policy and our Terms, into which this Privacy Policy is incorporated. We reserve the right, in our sole discretion, to modify, discontinue, or terminate the Services or to modify this Privacy Policy at any time. If we modify this Privacy Policy, we will notify you of such changes by posting them on the Services or providing you with notice of the modification. We will also indicate when such terms are effective below. By continuing to access or use the Services after we have posted a modification or have provided you with notice of a modification, you are indicating that you agree to be bound by the modified Privacy Policy. If the modified Privacy Policy is not acceptable to you, your only recourse is to cease using the Services.

18. Contacting Us.

We encourage you to contact us at techsupport@breakthrough.com if you have any questions concerning our Privacy Policy or if you have any questions or concerns about our access, use, or disclosure of your Personal Information. Please note that email communications will not necessarily be secure; accordingly, you should not include credit card information, PHI, or other sensitive information in your email correspondence with us. If you would like to contact us via physical mail, our mailing address is: Breakthrough, 702 Marshall St., Suite #510, Redwood City, CA 94063, Attention: Security Officer.

Last Revised: July 8, 2013

Site copyright 2009-2014 Breakthrough Behavioral, Inc. unless otherwise noted. All rights reserved.