Privacy Policy

Effective Date: January 1, 2024

Last Updated: January 15, 2025

Introduction

Marie Keese Lelash Foundation Inc ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with our charitable health and social assistance programs.

As a grantmaking foundation providing general health services and social assistance, we understand the sensitive nature of health-related information and are committed to maintaining the highest standards of privacy and confidentiality in accordance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA) where applicable.

Please read this Privacy Policy carefully. By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy.

Information We Collect

Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Apply for grants or assistance programs
  • Register for our services or programs
  • Contact us through our website or email
  • Subscribe to our newsletter or communications
  • Participate in surveys or feedback forms
  • Make donations or financial contributions

This personal information may include:

  • Full name and contact information (address, phone number, email)
  • Date of birth and age
  • Social Security number or tax identification number (when required for grant processing)
  • Financial information (income, assets, banking details for grant disbursement)
  • Employment and education history
  • Emergency contact information

Protected Health Information (PHI)

In connection with our health care and social assistance programs, we may collect Protected Health Information (PHI) as defined under HIPAA. This may include:

  • Medical history and current health conditions
  • Treatment and diagnosis information
  • Prescription and medication records
  • Health insurance information
  • Mental health and behavioral health information
  • Disability status and accommodation needs

We collect PHI only when necessary to provide health services, process grant applications, or fulfill our charitable mission. All PHI is handled in strict accordance with HIPAA regulations and our internal security protocols.

Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device and browsing activity, including:

  • IP address and geographic location
  • Browser type and version
  • Operating system and device information
  • Pages visited and time spent on our website
  • Referring website or source
  • Cookies and similar tracking technologies

How We Use Your Information

We use the information we collect for the following purposes:

Program Administration and Service Delivery

  • Processing grant applications and determining eligibility
  • Providing health care and social assistance services
  • Coordinating care with healthcare providers and social service agencies
  • Managing program enrollment and participation
  • Disbursing grants and financial assistance
  • Evaluating program effectiveness and outcomes

Communication and Support

  • Responding to your inquiries and requests
  • Sending program updates and important notifications
  • Providing customer support and assistance
  • Sending newsletters and educational materials (with your consent)
  • Conducting surveys and gathering feedback

Legal and Regulatory Compliance

  • Complying with HIPAA and other healthcare privacy regulations
  • Meeting IRS requirements for charitable organizations
  • Fulfilling reporting obligations to government agencies
  • Preventing fraud and ensuring program integrity
  • Protecting our legal rights and interests

Website Improvement and Analytics

  • Analyzing website usage and performance
  • Improving user experience and functionality
  • Developing new programs and services
  • Conducting research and statistical analysis

HIPAA Compliance and Protected Health Information

As a provider of health care and social assistance services, we are committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including the Privacy Rule and Security Rule.

Notice of Privacy Practices

If you receive health services from us, you will receive a separate Notice of Privacy Practices that provides detailed information about how we use and disclose your Protected Health Information (PHI). This notice describes your rights under HIPAA and our legal duties regarding your health information.

Permitted Uses and Disclosures of PHI

We may use and disclose your PHI without your authorization for the following purposes:

  • Treatment: To provide, coordinate, or manage your health care and related services
  • Payment: To obtain payment for services provided or determine eligibility for benefits
  • Healthcare Operations: To support our business operations, quality improvement, and program evaluation
  • Required by Law: When disclosure is mandated by federal, state, or local law
  • Public Health Activities: To prevent or control disease, injury, or disability
  • Health Oversight: To authorized health oversight agencies for audits and investigations

Your HIPAA Rights

Under HIPAA, you have the following rights regarding your PHI:

  • Right to access and obtain a copy of your health records
  • Right to request amendments to your health information
  • Right to receive an accounting of disclosures
  • Right to request restrictions on uses and disclosures
  • Right to request confidential communications
  • Right to receive a paper copy of our Notice of Privacy Practices
  • Right to file a complaint if you believe your privacy rights have been violated

Security Safeguards

We maintain physical, technical, and administrative safeguards to protect PHI, including:

  • Encryption of electronic PHI in transit and at rest
  • Secure access controls and authentication procedures
  • Regular security risk assessments and audits
  • Employee training on HIPAA compliance and privacy practices
  • Business associate agreements with third-party service providers
  • Incident response and breach notification procedures

Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:

Service Providers and Business Associates

We may share information with trusted third-party service providers who assist us in operating our programs and services, including:

  • Healthcare providers and medical professionals
  • Social service agencies and community partners
  • Payment processors and financial institutions
  • IT service providers and data hosting companies
  • Legal and accounting professionals

All service providers are contractually obligated to maintain the confidentiality and security of your information and may only use it for the specific purposes we authorize.

Legal Requirements and Protection

We may disclose your information when required by law or when we believe disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Protect the safety and rights of individuals or the public
  • Prevent fraud or illegal activities
  • Defend our legal rights in litigation
  • Report suspected abuse, neglect, or domestic violence as mandated by law

With Your Consent

We may share your information with other parties when you provide explicit consent or authorization. You may revoke your consent at any time by contacting us in writing.

Data Security

We implement comprehensive security measures to protect your personal information and PHI from unauthorized access, use, disclosure, alteration, or destruction. Our security practices include:

Technical Safeguards

  • SSL/TLS encryption for data transmission
  • Encryption of sensitive data at rest
  • Secure firewalls and intrusion detection systems
  • Regular security updates and patch management
  • Multi-factor authentication for system access
  • Automated backup and disaster recovery procedures

Administrative Safeguards

  • Comprehensive privacy and security policies
  • Regular employee training on data protection
  • Background checks for employees with access to sensitive information
  • Role-based access controls and least privilege principles
  • Regular security audits and risk assessments
  • Incident response and breach notification procedures

Physical Safeguards

  • Secure facilities with controlled access
  • Locked storage for physical records
  • Secure disposal of documents containing sensitive information
  • Visitor logs and identification requirements

While we strive to protect your information using industry-standard security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents that may occur.

Data Retention

We retain your personal information and PHI for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention practices include:

  • Grant Records: Maintained for a minimum of seven years after grant completion for IRS compliance
  • Medical Records: Retained in accordance with HIPAA requirements and state law (typically 6-10 years)
  • Financial Records: Kept for seven years for tax and audit purposes
  • General Communications: Retained for three years unless an ongoing relationship exists

When information is no longer needed, we securely destroy or anonymize it in accordance with our data retention and disposal policies.

Your Privacy Rights and Choices

You have the following rights regarding your personal information:

Access and Correction

You may request access to your personal information and PHI that we maintain. You may also request corrections to inaccurate or incomplete information. We will respond to your request within 30 days and may charge a reasonable fee for copying costs.

Opt-Out of Communications

You may opt out of receiving promotional emails and newsletters by clicking the unsubscribe link in any email or contacting us directly. Please note that you cannot opt out of receiving essential service-related communications regarding your grant applications or program participation.

Restriction Requests

You may request restrictions on how we use or disclose your PHI. While we will consider your request, we are not required to agree to all restrictions. If we do agree, we will comply with your request unless the information is needed for emergency treatment.

Confidential Communications

You may request that we communicate with you about your health information by alternative means or at alternative locations. We will accommodate reasonable requests.

Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by us during the six years prior to your request. This accounting will not include disclosures made for treatment, payment, healthcare operations, or disclosures you authorized.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyze website usage. Cookies are small text files stored on your device that help us:

  • Remember your preferences and settings
  • Understand how you use our website
  • Improve website functionality and performance
  • Provide relevant content and information

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our website. We do not use cookies to collect PHI or other sensitive personal information.

Third-Party Links

Our website may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

When you click on a third-party link, you are leaving our website and this Privacy Policy no longer applies. We do not endorse or make any representations about third-party websites.

Children's Privacy

Our services may be provided to individuals of all ages, including minors. When we collect information from or about children under 18, we do so with parental or guardian consent as required by law. We take additional precautions to protect the privacy of children's information.

Parents and guardians have the right to review, request deletion of, and refuse further collection of their child's personal information. If you believe we have collected information from a child without proper consent, please contact us immediately.

California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to request deletion of your personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

To exercise these rights, please contact us using the information provided below. We will verify your identity before processing your request and respond within 45 days.

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post a notice on our website homepage
  • Send notification to registered users via email
  • Obtain consent where required by law

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

Breach Notification

In the event of a data breach involving your personal information or PHI, we will notify you and relevant authorities as required by law. Our breach notification procedures comply with HIPAA breach notification requirements and include:

  • Individual notification within 60 days of discovery
  • Notification to the Department of Health and Human Services when required
  • Media notification for breaches affecting more than 500 individuals
  • Description of the breach and information compromised
  • Steps we are taking to investigate and mitigate harm
  • Recommendations for protecting yourself from potential harm

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Marie Keese Lelash Foundation Inc

Privacy Officer
5330 Quail Canyon Rd
La Crescenta, CA 91214, US

Phone: 272 280 5194

Email: contact@lelashfoundinc.com

We will respond to your inquiry within 30 days. For HIPAA-related requests, please clearly indicate "HIPAA Request" in your communication.

Filing a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the appropriate regulatory authority:

  • Internal Complaint: Contact our Privacy Officer using the information above
  • HIPAA Complaints: U.S. Department of Health and Human Services, Office for Civil Rights
  • California Residents: California Attorney General's Office

You will not be retaliated against or penalized for filing a complaint. We take all privacy concerns seriously and will investigate complaints promptly and thoroughly.