Notice of Privacy Practices
EFFECTIVE DATES: 02/01/2026
THIS NOTICE DESCRIBES:
- HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
- YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
- HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH THE PRIVACY OFFICER AT 319-390-4611 OR PRIVACY@ASAC.US IF YOU HAVE ANY QUESTIONS.
We are required by federal and state law to maintain the privacy of your medical information and to give you our Notice of Privacy Practices (this “Notice”) that describes our privacy practices, our legal duties and your rights concerning your medical information. Specifically, ASAC is required to follow the federal HIPAA Privacy and Security rules (which are collectively sometimes referred to as the HIPAA Final Omnibus Rule.) As a federally funded substance abuse treatment program, ASAC is also required to follow the federal Substance Abuse Privacy Regulations, 42 CFR Part 2. In addition, ASAC follows Iowa law concerning mental health treatment and AIDS/HIV treatment information.
We are committed to protecting medical information about you. We need your medical information to provide you with quality care and services in addition to complying with the applicable legal requirements.
This notice applies to and will be followed by all counseling staff, employees and other personnel of the Area Substance Abuse Council.
We reserve the right to revise or amend our Notice of Privacy Practices without additional notice to you. Any revision or amendment to this Notice will be effective for all your records we have created or maintained in the past, and for any of your records we may create or maintain in the future. We will post a copy of our current Notice and any amended Notice at all our locations and on our website.
Our Obligation to You
We are required by law to:
- Make sure that medical information that identifies you is kept private except as otherwise provided by federal or state law.
- Give you this notice of our legal duties and privacy practices with respect to medical information about you;
- Follow the terms of the notice that is currently in effect.
- Inform you of any unauthorized access, use or disclosure of your unencrypted confidential medical information in the event its privacy or security is compromised (i.e. if a reportable breach occurs as provided by the HIPAA Final Omnibus Rule.) We will provide such notice to you without unreasonable delay but in no case later than sixty days after we discover the breach.
How We May Use and Disclose Your Medical Information
Uses and disclosures that generally require your written consent
Generally, ASAC may not disclose to persons outside our facilities that a patient is being or has been treated at our facilities or disclose any medical information about a patient unless you consent in writing.
- We may use your medical information with a single written consent or authorization for all future uses as follows:
- For Treatment: We may use medical information about you to provide you with medical treatment. We may share your medical information with doctors, therapists, or other ASAC staff who are involved in taking care of you or providing services to you, as well as other health care facilities. For example, we may share information with other providers or entities for treatment, care coordination, or quality improvement activities, or for emergency services.
- For Payment: We may use medical information about you so that treatment and services you receive at ASAC may be billed to you, an insurance company, or a third party. For example, our billing department will use your medical information to prepare claims.
- For “Health Care Operations:” We may use your medical information for our “health care operations,” which include internal administration and planning and quality improvement, and to evaluate the quality and competence of our clinical staff. An example of how we may use your medication information is to review the care you received and evaluate the performance of your team to ensure you receive quality care.
- We may use or disclose your PHI for treatment, payment and health care operations (or our business associates) as permitted by HIPAA regulations until you revoke such consent in writing.
- Records that are disclosed to ASAC pursuant to your written consent for treatment, payment, and health care operations may be further disclosed without your written consent, to the extent the HIPAA regulations permit such disclosure.
- We may disclose patient records to a central registry or to any withdrawal management or maintenance treatment program within 200 miles for the purpose of multiple enrollments, as allowed by law.
- If you were mandated to treatment through the criminal legal system (including drug court, probation, or parole) and you sign a consent authorizing disclosures to elements of the criminal legal system such as the court, probation officers, parole officers, prosecutors, or other law enforcement.
- We may report any SUD medication prescribed or dispensed to you to an applicable state prescription drug monitoring program, if required by applicable law.
- In some situations, you can consent to whether we share your SUD information to family members, friends, or others involved in your care or payment for your care.
- You may revoke your consent at any time, except to the extent that ASAC has acted in reliance upon it. You may revoke consent by submitting a request in writing to the Privacy Officer at (319) 390-4611 or privacy@asac.us. If you were mandated to treatment through the criminal legal system (including drug court, probation, or parole) and you sign a consent authorizing disclosures to elements of the criminal legal system such as the court, probation officers, parole officers, prosecutors, or other law enforcement, your right to revoke consent may be more limited.
Uses and disclosures we may make without your written consent
We may use or disclose your substance use disorder (“SUD”) records without your written consent in the limited situations allowed by Part 2 and other applicable law, including:
- We may use your medical information for the following external uses or disclosures without your consent:
- To tell you about treatment alternatives if we do not receive monetary compensation from a third party in doing so.
- To contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you if we do not receive monetary compensation from a third party in doing so.
- For internal communications within our program or to entities that directly manage us, when needed for your diagnosis, treatment, or referral.
- To qualified service organizations (such as billing, lab, or data‑processing vendors) that have written agreements with us requiring them to safeguard your SUD information.
- To certain entities or individuals, called business associates, who perform services to ASAC using your medical information. These entities are bound by the confidentiality requirements of the HIPAA Privacy and Security Rules and 45 CFR Part 2.
- To report a crime or threat of a crime on our premises or against our staff, but only limited information about the incident and your identity, name and address, and last known whereabouts.
- To report suspected child abuse or neglect to appropriate authorities, consistent with law.
- For medical emergencies: When needed to treat a condition that poses an immediate threat to your health and when your prior consent cannot be obtained.
- Disclosures made to a public health authority; however, we will de-identify the content of the information from the record disclosed so that there is no reasonable basis to believe the information can be used to identify the patient.
- For research, when the researcher meets federal privacy and security requirements and any other conditions required by law.
- For audits or evaluations of our program or those who pay for your care, when the law allows, and only if your information is not used to investigate or bring a case against you.
- For the Secretary of the Department of Health and Human Services to investigate our compliance with HIPAA.
- When the disclosure is required by court order. Specifically,
- Records, or testimony relaying the content of such records, will not be used or disclosed in any civil, administrative, criminal, or legislative proceedings against you unless based on specific written consent or a court order;
- Records will only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to you or the holder of the record, where required; and
- A court order authorizing use or disclosure must be accompanied by a subpoena or other similar legal mandate compelling disclosure before we use or disclose the record.
- If the use or disclosure for any purpose described above is prohibited or materially limited by other applicable laws, we will follow the more stringent law.
Your Rights
All requests to exercise the following rights must be in writing. We will follow written policies to handle requests, and we will notify you of our decision or actions and your rights. Contact the ASAC Privacy Officer using the contact information at the end of this Notice for more information or to obtain request forms.
- Request for Restrictions: You have the right to request a restriction on how we use or disclose your medical information made for purposes of treatment, payment, and health care operations, even when you have signed a written consent for such disclosures. We are not required to grant the request unless the disclosure is to a health plan or other payer for purposes of carrying out payment and you have paid for the services yourself in their entirety at the time the services are rendered. If we agree to a restriction, we may not use or disclose the records except in limited circumstances allowed by law.
- Accounting: You are entitled to an accounting of disclosures of records (with some limitations) for treatment, payment, or health care operations for the prior three (3) years where such disclosures are made through an electronic health record. All other disclosures may have a six (6) year period. The first accounting in any 12-month period will be provided to you for free; you may be charged a fee for each subsequent list you request within the same 12-month period.
- Confidential Communications/Alternate Means of Communication: You have the right to request that we communicate with you about medical matters in a different manner or at a different place. We will agree to your request if it is reasonable and you specify an alternative means or location to contact you.
- Access to Medical Information: You may request to inspect and copy much of the medical information we maintain about you, with some exceptions. This includes most medical and billing records, but does not include psychotherapy or substance use disorder counseling notes. For any medical information maintained by us in electronic form, your written request may include a request to provide a copy in electronic form. In addition, we will transmit information from your electronic medical record directly to a person or entity of your choosing if the request is made in writing and you sign an authorization. We will usually respond within 30 days of your request.
- List of disclosures by an intermediary: You have a right to request from an intermediary provider that you consent to disclosure of your records using a general designation, a list of persons to which your records have been disclosed. The request must be made in writing and is limited to disclosures in the last three years.
- Amendment: You may request that we amend certain portions of your medical information if you believe that it is incorrect or incomplete, including medical and billing records, but not psychotherapy or substance use disorder counseling notes. We may require you to give a reason to support your request. We are not required to make all requested amendments, but we will give each request careful consideration and will respond within 60 days of the request. We will deny a request for amendment if the information:
- was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- is not part of the medical information kept by ASAC;
- is not part of the information which you would be permitted to inspect or copy; or
- is accurate and complete.
If we deny your request, we will provide you with a written explanation of the reason(s) and your rights.
- Paper or Electronic Copy: You are entitled to receive a written copy of this Notice at any time.
- You have a right to discuss the notice: You have the right to discuss this notice with the office designated at the end of this notice.
How to exercise these rights
- Complaints: If you believe your privacy rights have been violated, you may file a complaint with ASAC using the contact information at the end of this Notice. You may also submit a complaint to the Secretary of the Department of Health and Human Services (www.HHS.gov/OCR). All complaints must be submitted in writing. You will not be penalized or retaliated against for filing a complaint.
- Questions: If you have questions about this Notice, please contact your counselor or the Privacy Officer at the telephone number listed below.
AREA SUBSTANCE ABUSE COUNCIL (ASAC)
3601 16th Avenue SW | Cedar Rapids, IA 52404
Phone: (319) 390-4611 | Fax: (319) 390-4381 | E-mail: privacy@asac.us
Our Web Policies
INTRODUCTION
Area Substance Abuse Council is committed to protecting the privacy of our customers and visitors. This statement details the steps we take to protect personal information provided on our websites. It describes the types of personal information that we collect, the purposes for which we use such information, and the choices our users have regarding our use of it. The steps we take to protect personal information and how it can be reviewed and corrected are also covered here. By accessing our websites, users are consenting to the information collection and use practices described in this privacy statement.
OUR COLLECTION OF INFORMATION
In the course of a visit to asac.us and any of our sub-domains, we collect a variety of information directly from visitors and customers. Anyone can visit our site without entering any personal information. On certain pages, users may be asked for personal information to provide a service or carry out a transaction that they have requested. The personal information we collect from a user in any of these circumstances may include:
- contact details, such as a user’s name, company/organization name, e-mail address, telephone and fax numbers, and physical address;
- information about the user’s company/organization and role;
- country of residence;
- email marketing preferences;
- information used to customize and facilitate the use of our websites;
- inquiries about and for our services;
- information that assists us in identifying the services that best meet visitors’ needs;
- event and service registration information;
- feedback from users about our websites and about our products and services in general;
- the content of a testimonial, rating, review or comment, or other user-generated content that may be posted publicly on our sites.
We also collect and securely store information about our customers from sources other than our websites.
INFORMATION WE COLLECT FROM VISITORS TO OUR WEBSITE
WEB SERVER LOGS
As is common with websites, a record of all visits to Area Substance Abuse Council’s site is stored on our web servers. These log files include data that is not associated with any visitor’s identity and is not used to associate with personally identifiable information provided by any visitors to our sites. Information collected in these logs includes details such as a visitor’s IP address, browser type, referring page and time of visit. We also collect information about visits to our sites, including what pages are viewed, the number of bytes transferred, the links clicked, the materials accessed, and other actions taken within Area Substance Abuse Council sites/subdomains.
COOKIES
Many of the advanced functions available to users of our sites require the use of files called cookies, which store a small digital record of user preferences and recent activity on our visitors’ computers. While cookies are not required in order to browse our site, they are an integral part of the browsing.
EMAIL ADDRESSES
When customers register an account with an Area Substance Abuse Council site, we gather the email address and password provided. Passwords are stored in an encrypted format for the protection of our customers. Email addresses provided to us for the purposes of creating an account or subscribing to a newsletter are stored securely on our servers. With our customers’ permission, we may use their personal information gathered via our website to inform them of products or services available from Area Substance Abuse Council. When collecting information that might be used to contact subscribers about our products and services, we will always provide the opportunity to opt-out of receiving such communications. Moreover, each e-mail communication we send includes an unsubscribe link allowing customers to stop delivery of that type of communication. If they elect to unsubscribe, we will remove them from the relevant list immediately.
COMMENTS
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
MEDIA
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
HOW WE USE THE COLLECTED DATA
We use our subscribers’ personal information to deliver information and communicate in a permission-based manner, to facilitate the use of our websites, and so forth. In order to offer a more consistent experience in interactions with Area Substance Abuse Council, information collected by our websites may be combined with information we collect by other means.
COOKIES AND TRACKING PIXELS
We may use session cookies to store elements of user profiles, to facilitate movement around our site and other information useful in administering the session. We may also use this information to make our websites easier to use by eliminating the need for customers to repeatedly enter the same information or by customizing our site to their particular preference or interests. Our sites also may contain electronic images known as tracking pixels that allow us to count the number of users who have visited those pages. We may include tracking pixels in promotional e-mail messages or newsletters in order to determine whether messages have been opened and acted upon.
We use Google Analytics, Google AdWords Conversion tracker, and other Google services that place cookies on browsers visiting our websites. These cookies are set and read by Google, and they are used to increase the effectiveness of our websites for our visitors. To opt out of Google tracking, please visit this page.
We may use Google AdWords remarketing to market our sites across the web, which places a cookie on browsers visiting our sites. Google reads these cookies and may serve ads on other sites based on pages and products viewed on our sites. You may opt out of this advertising program by visiting Google’s opt out page. If you are concerned about 3rd party cookies served by other networks, you should also visit the Network Advertising Initiative opt-out page.
We may use a CRM to collect insights on user behavior and manage our content marketing to subscribers and contacts who provide us with their contact information for the purpose of communications.
DATA STORAGE/DATA RETENTION POLICY
Records of online customer communications are stored securely on our servers and platform, and are accessible to Area Substance Abuse Council’s employees. We will retain records of those communications unless requested otherwise by the contact. We consider our contacts, whether they are active clients or not, an active contact in the course of doing business, unless otherwise requested.
CREDIT CARD INFORMATION
Credit card information collected from customers is used to process payment for invoices and will not be stored by Area Substance Abuse Council.
OUR USE OF WEB ANALYTICS
Area Substance Abuse Council uses industry standard web analytics to track web visits. Users may opt out of web analytics by installing the following tools on their computer. Please visit https://tools.google.com/dlpage/gaoptout for more information.
DISCLOSURE OF PERSONAL INFORMATION
Except as described below, personal information provided to Area Substance Abuse Council through our website will not be shared outside of Area Substance Abuse Council without permission. Area Substance Abuse Council contracts with other companies to provide services on our behalf, such as hosting websites, sending out information, processing transactions, and analyzing our websites. We provide these companies with only those elements of our customers’ personal information they need to deliver those services. These companies and their employees are prohibited from using that personal information for any other purpose.
We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with legal requirements or with legal process served on us, to protect and defend our rights or property, or in urgent circumstances to protect the personal safety of any individual.
SECURITY
Area Substance Abuse Council is committed to protecting the security of the non-public personal information shared with us by our contacts. We maintain physical, electronic and procedural safeguards to help protect that non-public personal information from unauthorized access, use, or disclosure. Our payment processing systems, as well as those of our partners in payment processing, are PCI compliant, using industry-standard Secure Socket Layer (SSL) technology to encrypt sensitive customer data both in transit and in storage. This technology is designed to prevent unauthorized persons from accessing your personal information in the course of a transaction.
REVIEWING PERSONAL INFORMATION
Contacts may request to review and correct any personal information collected via our websites, or request to stop using it by emailing us through our Contact Form. We may take steps to verify the identity of the person making the request before providing any access to personal information. Contacts can help us to maintain the accuracy of their information by notifying us of any change to their mailing address, phone number, or e-mail address.
LINKS TO OTHER SITES
Our websites may contain links to other sites and content such as social media, video archives, professional, non-profit and government organizations, and publications. We also link to third-party providers that host, maintain and operate a variety of web-based services. While we try to link only to sites and services that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other companies and their sites.
COMPLIANCE WITH THE GENERAL DATA PROTECTION REGULATION (GDPR)
Area Substance Abuse Council procedures and policies meet the general spirit of GDPR. In the event of a security breach of our contacts’ private data, all reporting protocols will be met. Data collection will be considered valid until a contact requests to be removed from communications, requests to have their data deleted, or otherwise requests clarification on data use.
Should a contact residing in the EU at the time submit their information, Area Substance Abuse Council will follow GDPR requirements as they pertain to all policies stated within this statement.
ENFORCEMENT OF THIS PRIVACY STATEMENT
Questions regarding this statement or our handling of personal information should be addressed through our Contact Form. We will promptly address any concerns and strive to reach a satisfactory resolution.
CHANGES TO THIS PRIVACY STATEMENT
Area Substance Abuse Council may occasionally update this privacy statement. When we do, we will revise the “last updated” date at the top of the privacy statement.