PRIVACY POLICY
Hearts of the Canyon Therapy
www.heartsofthecanyon.com
Effective Date: February 17, 2026
Last Updated: February 17, 2026
============================================================
Hearts of the Canyon Therapy ("we," "our," or "us") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your information when you visit our website (www.heartsofthecanyon.com), use our services, or communicate with us. We encourage you to read this policy carefully so you understand your rights and our responsibilities.
This policy applies to all visitors of our website, current and prospective clients, and anyone who communicates with us through any channel.
Practice Information:
Practice Name: Hearts of the Canyon Therapy
Owner/Provider: Vickie Larson-Hills, MSW, LCSW, LLC
Location: Lyons, Oregon
Service Areas: Lyons, Salem, Albany, Stayton, and throughout Oregon (including virtual services)
Phone: (360) 356-2508
Email: larsonhills.ecotherapy@gmail.com
Website: www.heartsofthecanyon.com
Privacy Officer: Vickie Larson-Hills
============================================================
TABLE OF CONTENTS
============================================================
1. Information We Collect
2. How We Collect Your Information
3. Why We Collect Your Information
4. How We Use Your Information
5. Who We Share Your Information With
6. How Long We Retain Your Information
7. How We Protect Your Information
8. Your Rights Regarding Your Information
9. Cookies and Tracking Technologies
10. Website Accessibility (UserWay)
11. Notice of Privacy Practices (HIPAA)
12. Telehealth and Virtual Services
13. Social Media Policy
14. Children's Privacy
15. Data Breach Notification Procedures
16. Changes to This Privacy Policy
17. Contact Information
============================================================
1. INFORMATION WE COLLECT
============================================================
We may collect the following categories of information depending on how you interact with our practice and website:
Personal Identification Information:
- Full name
- Date of birth
- Mailing address
- Email address
- Phone number
Health and Clinical Information:
- Mental health history and diagnoses
- Treatment plans and session notes
- Information related to childhood trauma, couples therapy, medical trauma, grief, equine therapy, or clinical supervision services
- Emergency contact information
- Referring provider information
- Insurance information (if applicable)
Financial and Payment Information:
- Credit card or debit card numbers
- Health savings account (HSA) card information
- Billing address
- Superbill and payment records
Technical and Website Information:
- IP address
- Browser type and version
- Device type
- Pages visited on our website
- Date and time of visits
- Referring website URL
- General geographic location (city/region level)
Communications Information:
- Messages submitted through our website contact form (first name, last name, phone number, email, subject, and message content)
- Emails, phone calls, and text messages exchanged with our office
- Free consultation inquiry details
============================================================
2. HOW WE COLLECT YOUR INFORMATION
============================================================
We collect personal information through the following methods:
Website Forms: When you submit inquiries through our website contact form or book a free consultation.
Client Portal: When you register, schedule appointments, or communicate through our secure client portal hosted on ClientSecure.me (TherapyNotes).
Direct Communication: When you contact us by phone at (360) 356-2508, email at larsonhills.ecotherapy@gmail.com, or text message.
In-Person and Virtual Sessions: During therapy sessions conducted in person at our Lyons, Oregon location or via telehealth video sessions.
Equine Therapy Sessions: During on-site equine-assisted therapy sessions.
Payment Transactions: When you provide payment at the time of your appointment via credit card, debit card, or health savings account card.
Cookies and Analytics: Through cookies and similar tracking technologies used on our website (see Section 9 for details).
Third-Party Platforms: Through our electronic medical records (EMR) system, client portal, and website hosting platform (Duda).
============================================================
3. WHY WE COLLECT YOUR INFORMATION
============================================================
We collect your information for the following purposes:
- To provide mental health therapy services including childhood trauma therapy, couples therapy, medical trauma therapy, grief therapy, equine therapy, and clinical supervision
- To schedule and manage appointments through our client portal
- To conduct free consultations
- To communicate with you about your care, appointments, and our services
- To process payments and provide superbills for out-of-network insurance reimbursement
- To comply with legal and regulatory obligations, including HIPAA requirements
- To maintain accurate clinical records as required by Oregon state law and professional licensing standards
- To improve our website experience and service delivery
- To respond to your inquiries submitted through our website contact form, email, or phone
- To provide the Good Faith Estimate as required under the No Surprises Act
============================================================
4. HOW WE USE YOUR INFORMATION
============================================================
Your information is used in the following ways:
Clinical Care: Your health and personal information is used to provide trauma therapy, couples therapy, grief therapy, medical trauma therapy, equine-assisted therapy, and clinical supervision services. This includes developing treatment plans, documenting session notes, and coordinating care when appropriate.
Appointment Management: We use your contact information to schedule, confirm, reschedule, or cancel appointments through our secure client portal.
Billing and Payments: Your financial information is used to process session payments ($150 per 60-minute session) and to generate superbills for clients seeking out-of-network insurance reimbursement.
Communication: We use your email, phone number, and mailing address to communicate with you regarding your care, respond to your inquiries, and provide appointment reminders.
Legal Compliance: We use and maintain your information as required by federal law (HIPAA), Oregon state law, and the regulations of the Oregon Board of Licensed Clinical Social Workers.
Website Analytics: We use anonymized and aggregated data from website cookies and analytics tools to understand how visitors interact with our website and to improve the user experience.
============================================================
5. WHO WE SHARE YOUR INFORMATION WITH
============================================================
We do not sell your personal information to any third party. We may share your information in the following limited circumstances:
Electronic Medical Records (EMR) and Client Portal Provider:
We use TherapyNotes (ClientSecure.me) as our secure EMR and client scheduling platform. Your clinical records, appointment information, and communications through the client portal are stored within this HIPAA-compliant system.
Payment Processors:
We use third-party payment processing services to securely handle credit card, debit card, and HSA card transactions. These processors are PCI-DSS compliant and do not have access to your clinical records.
Website Hosting and Technology:
Our website is hosted on the Duda platform. Duda may collect technical data such as IP addresses and browser information through standard website operations.
Accessibility Services:
We use the UserWay Accessibility Widget on our website to enhance accessibility (see Section 10 for details). UserWay does not collect personal information from visitors using the widget.
Healthcare Collaborators:
With your written consent, we may share relevant clinical information with other healthcare providers involved in your care (such as a referring physician or psychiatrist).
Legal and Regulatory Disclosures:
We may disclose your information without your consent when required or permitted by law, including:
- Court orders or subpoenas
- Mandatory reporting of suspected child abuse or elder abuse
- When there is an imminent threat to your safety or the safety of others
- Oregon state licensing board inquiries
- As otherwise required by HIPAA or Oregon law
Insurance Companies:
If you choose to seek out-of-network reimbursement, the superbill we provide may contain diagnostic and service information that you would then submit to your insurance provider.
============================================================
6. HOW LONG WE RETAIN YOUR INFORMATION
============================================================
Clinical and Health Records:
In accordance with Oregon state law (ORS 166.705 and Oregon Administrative Rules) and HIPAA requirements, we retain clinical records for a minimum of seven (7) years after the last date of service for adult clients. For minor clients, records are retained for at least seven (7) years after the client reaches the age of 18, or seven (7) years after the last date of service, whichever is longer.
Financial and Billing Records:
Payment records and superbills are retained for a minimum of seven (7) years for tax and auditing purposes.
Website Data:
Technical data collected through cookies and analytics may be retained for up to twenty-four (24) months, depending on the analytics tool and cookie settings.
Contact Form Submissions:
Inquiries submitted through our website contact form are retained for as long as necessary to respond to your inquiry and are then archived or deleted in accordance with our data management practices.
Deletion Protocol:
When records have reached the end of their required retention period, they are securely destroyed. Paper records are shredded, and electronic records are permanently deleted using industry-standard data destruction methods.
============================================================
7. HOW WE PROTECT YOUR INFORMATION
============================================================
We take the security of your personal and health information seriously and implement the following safeguards:
Technical Safeguards:
- Encrypted electronic medical records through our HIPAA-compliant EMR system (TherapyNotes)
- SSL/TLS encryption on our website (www.heartsofthecanyon.com) to protect data transmitted between your browser and our servers
- Secure, password-protected access to all electronic systems containing client data
- Regular software updates and security patches
Administrative Safeguards:
- HIPAA Privacy and Security compliance policies and procedures
- Restricted access to client information on a need-to-know basis
- Ongoing education and awareness regarding privacy and security best practices
Physical Safeguards:
- Secure storage of any paper records
- Controlled access to physical office space
Telehealth Security:
- Virtual therapy sessions are conducted through HIPAA-compliant telehealth platforms
- Video sessions are encrypted and not recorded unless explicitly authorized
Payment Security:
- All payment transactions are processed through PCI-DSS compliant payment processors
- We do not store full credit card numbers on our systems
============================================================
8. YOUR RIGHTS REGARDING YOUR INFORMATION
============================================================
As a client of Hearts of the Canyon Therapy, you have the following rights regarding your personal and health information:
Right to Access:
You have the right to request and obtain a copy of your clinical records and other personal information we hold about you. Requests should be made in writing to our Privacy Officer.
Right to Amend:
If you believe that information in your records is inaccurate or incomplete, you have the right to request an amendment. We will respond to your request within thirty (30) days. We may deny the request under certain circumstances permitted by law, such as if the records were not created by us or if the information is already accurate.
Right to Restrict Disclosures:
You have the right to request restrictions on how we use or disclose your health information for treatment, payment, or healthcare operations. While we will consider your request, we are not required to agree to all restrictions.
Right to Confidential Communications:
You may request that we communicate with you through specific means or at a specific location (for example, by email only or at a particular phone number).
Right to an Accounting of Disclosures:
You have the right to request a list of certain disclosures we have made of your health information within the past six (6) years.
Right to a Copy of This Policy:
You have the right to obtain a paper or electronic copy of this Privacy Policy at any time.
Right to File a Complaint:
If you believe your privacy rights have been violated, you may file a complaint with:
Hearts of the Canyon Therapy
Privacy Officer: Vickie Larson-Hills
Phone: (360) 356-2508
Email: larsonhills.ecotherapy@gmail.com
U.S. Department of Health and Human Services
Office for Civil Rights
Website: www.hhs.gov/ocr
Phone: 1-877-696-6775
Oregon Board of Licensed Social Workers
Website: www.oregon.gov/oblsw
You will not be retaliated against for filing a complaint.
Exceptions:
There are limited circumstances under which we may withhold certain information from your records, including when disclosure could endanger the life or safety of you or another individual, when the information references another person (who is not a healthcare provider), or when release is prohibited by law.
How to Submit a Request:
All requests regarding your personal information should be submitted in writing (email or postal mail) to our Privacy Officer at the contact information listed in Section 17 of this policy. We will respond to your request within thirty (30) days.
============================================================
9. COOKIES AND TRACKING TECHNOLOGIES
============================================================
Our website (www.heartsofthecanyon.com) uses cookies and similar tracking technologies to improve your browsing experience and analyze website traffic.
What Are Cookies:
Cookies are small text files placed on your device when you visit a website. They help the website remember your preferences and understand how you use the site.
Types of Cookies We Use:
Essential Cookies: These cookies are necessary for the website to function properly. They enable core features such as page navigation and access to secure areas. The website cannot function properly without these cookies.
Analytics Cookies: We may use analytics services (such as Google Analytics or similar tools provided by our website hosting platform, Duda) to collect anonymized data about how visitors use our site. This may include pages visited, time spent on the site, and general geographic information. This data is used to improve our website and services.
Third-Party Cookies: Some cookies may be set by third-party services embedded on our website, such as the UserWay Accessibility Widget. UserWay follows a Privacy by Design approach and does not collect personal information from users interacting with the widget.
Managing Cookies:
You can manage or disable cookies through your web browser settings. Please note that disabling certain cookies may affect the functionality of our website. Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block cookies from specific sites
- Block all cookies
- Delete all cookies when you close your browser
Do Not Track:
Our website may not respond to "Do Not Track" browser signals. However, you can manage your cookie preferences as described above.
============================================================
10. WEBSITE ACCESSIBILITY (USERWAY)
============================================================
Hearts of the Canyon Therapy is committed to ensuring that our website is accessible to all visitors, including individuals with disabilities.
We use the Accessibility Widget by UserWay to enhance the accessibility of our website. UserWay is an AI-powered accessibility solution that helps our website work toward compliance with the Web Content Accessibility Guidelines (WCAG) 2.1, the Americans with Disabilities Act (ADA), and Section 508 requirements.
Features of the UserWay Accessibility Widget include:
- Screen reader optimization for visually impaired users
- Keyboard navigation support for users who cannot use a mouse
- Text size adjustment allowing visitors to increase or decrease font size
- Color contrast adjustment with multiple contrast options for users with visual impairments
- Text spacing adjustment to improve readability
- Link highlighting to make links more visible on each page
- Cursor enlargement options for improved visibility
- Reading guide tools for users who benefit from focused reading assistance
- Pause animations feature for users sensitive to motion
- Dyslexia-friendly font option
- Page structure and heading navigation tools
- Image description (alt text) identification
Privacy and UserWay:
UserWay follows a Privacy by Design approach. The UserWay Accessibility Widget does not collect any personal information from users who interact with it. The widget operates on the client side (within your browser) and is designed to enhance accessibility without compromising your privacy. For more information, you may review UserWay's Privacy Policy at www.userway.org/privacy.
If you encounter any accessibility barriers on our website, please contact us at:
Phone: (360) 356-2508
Email: larsonhills.ecotherapy@gmail.com
We welcome your feedback and are committed to making our website accessible to everyone.
============================================================
11. NOTICE OF PRIVACY PRACTICES (HIPAA)
============================================================
This section serves as our Notice of Privacy Practices as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Our Legal Duty:
We are required by federal law to maintain the privacy of your Protected Health Information (PHI), provide you with this notice of our privacy practices, and follow the terms of this notice currently in effect. PHI is information that may identify you and relates to your past, present, or future physical or mental health condition, treatment, or payment for healthcare services.
How We May Use and Disclose Your PHI:
For Treatment: We may use and disclose your PHI to provide, coordinate, or manage your mental health treatment. For example, your diagnosis and treatment plan are recorded in your clinical file and used to guide your care.
For Payment: We may use and disclose your PHI to process payments for services provided. For example, we may include your diagnosis on a superbill that you submit to your insurance company for reimbursement.
For Healthcare Operations: We may use and disclose your PHI for our healthcare operations, including quality assessment and improvement activities, professional licensing, and conducting or arranging for other business activities.
With Your Authorization: Other uses and disclosures of your PHI not covered by this notice or applicable law will be made only with your written authorization. You may revoke your authorization at any time in writing, except to the extent that we have already taken action in reliance on your authorization.
Disclosures That May Be Made Without Your Authorization:
In certain limited situations, we may use or disclose your PHI without your written authorization, including:
- When required by law
- For public health activities (e.g., reporting communicable diseases)
- To report suspected abuse, neglect, or domestic violence
- For health oversight activities
- In response to a court order or subpoena
- To avert a serious threat to health or safety
- For workers' compensation purposes
- To coroners, funeral directors, or organ procurement organizations
- For certain government functions, including military and veterans' activities
Psychotherapy Notes:
We maintain psychotherapy notes separately from your clinical record. These notes receive additional protection under HIPAA and generally require your specific written authorization before they can be used or disclosed, except in limited situations such as when required by law or to defend against a legal action.
Your Rights Under HIPAA:
Please refer to Section 8 of this policy for a complete list of your rights regarding your health information.
Oregon-Specific Protections:
Oregon law may provide additional protections for your mental health records beyond what HIPAA requires. Where Oregon law provides greater privacy protection, we will follow the stricter standard.
============================================================
12. TELEHEALTH AND VIRTUAL SERVICES
============================================================
Hearts of the Canyon Therapy offers virtual trauma therapy services throughout the state of Oregon.
When you engage in telehealth sessions, please be aware of the following:
Platform Security: Virtual sessions are conducted through HIPAA-compliant video conferencing platforms. All sessions are encrypted in transit to protect your privacy.
Your Responsibilities: We recommend that you participate in telehealth sessions from a private, secure location where you will not be overheard. You are responsible for ensuring the privacy of your own environment during virtual sessions.
Recording: Sessions are not recorded by our practice unless you provide explicit written consent. We ask that you do not record sessions without mutual agreement.
Technical Data: The telehealth platform may collect limited technical data (such as connection quality and device type) to maintain service functionality.
Emergency Protocols: When participating in telehealth, please ensure we have your current physical location at the time of each session. This information may be needed in the event of a clinical emergency.
============================================================
13. SOCIAL MEDIA POLICY
============================================================
Hearts of the Canyon Therapy may maintain a presence on social media platforms. Please be aware of the following:
Confidentiality: We will never acknowledge or disclose that you are a client through social media or any public platform. To protect your confidentiality, we recommend that you do not contact us through social media regarding clinical matters or reference your therapeutic relationship on public platforms.
No Therapeutic Relationship Via Social Media: Social media interactions (such as follows, likes, comments, or direct messages) do not constitute a therapeutic relationship and are not a substitute for therapy sessions.
Third-Party Privacy Policies: Social media platforms have their own privacy policies and terms of service that govern how your information is collected and used on those platforms. We are not responsible for the privacy practices of third-party social media sites.
============================================================
14. CHILDREN'S PRIVACY
============================================================
Our website is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website.
When we provide therapy services to minors (under the age of 18), we collect personal and health information as necessary to provide treatment, with the consent and involvement of a parent or legal guardian as required by Oregon law. Parents and legal guardians of minor clients have the right to access their child's records, subject to certain exceptions under Oregon law where the minor has consented to treatment independently.
============================================================
15. DATA BREACH NOTIFICATION PROCEDURES
============================================================
In the unlikely event of a breach of unsecured Protected Health Information, we will follow the breach notification requirements under HIPAA and Oregon state law.
Individual Notification:
We will notify affected individuals in writing (by first-class mail or email if you have agreed to electronic communication) without unreasonable delay and no later than sixty (60) days after the discovery of the breach. The notification will include:
- A description of the breach, including the date(s) of the breach and when it was discovered
- The types of information involved
- Steps you should take to protect yourself
- What we are doing to investigate the breach, mitigate harm, and prevent future breaches
- Contact information for you to ask questions or obtain additional information
Regulatory Notification:
We will also notify the U.S. Department of Health and Human Services (HHS) as required by law. If the breach affects 500 or more individuals, we will also notify prominent media outlets in Oregon.
Oregon-Specific Requirements:
Under the Oregon Consumer Identity Theft Protection Act (ORS 646A.604), we will provide notification as required by Oregon state law for breaches involving personal information, including providing notice to the Oregon Attorney General when applicable.
============================================================
16. CHANGES TO THIS PRIVACY POLICY
============================================================
We reserve the right to update or modify this Privacy Policy at any time. When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Post the revised policy on our website at www.heartsofthecanyon.com
- Make reasonable efforts to notify you directly (such as by email or through a notice on our website) of material changes that significantly affect how we handle your personal or health information
We encourage you to review this Privacy Policy periodically. Your continued use of our website and services after any changes are posted constitutes your acceptance of those changes.
If changes affect how we use or disclose your Protected Health Information, we will provide an updated Notice of Privacy Practices and will not apply the changes retroactively to information collected before the update without your consent, except as permitted by law.
============================================================
17. CONTACT INFORMATION
============================================================
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us:
Privacy Officer: Vickie Larson-Hills, MSW, LCSW
Practice: Hearts of the Canyon Therapy
Address: Lyons, Oregon
Phone: (360) 356-2508
Email: larsonhills.ecotherapy@gmail.com
Website: www.heartsofthecanyon.com
Office Hours:
Monday through Friday: 8:00 AM - 5:00 PM
Saturday and Sunday: Closed
For HIPAA-related complaints, you may also contact:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr
Oregon Board of Licensed Social Workers
Website: www.oregon.gov/oblsw
============================================================
ACKNOWLEDGMENT
By using our website, scheduling an appointment, or receiving services from Hearts of the Canyon Therapy, you acknowledge that you have read and understood this Privacy Policy. If you are a client, you will be provided with a copy of this policy and may be asked to sign an acknowledgment form during your intake process.
============================================================
(c) 2026 Hearts of the Canyon Therapy. All Rights Reserved.
