PRIVACY POLICY

Effective date:  January 1, 2026

Within Reach Housing Solutions (“Organization,” “we,” or “us”) is committed to protecting the privacy and confidentiality of information about residents and applicants. The Organization maintains safeguards and practices intended to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181), and other applicable Texas and local requirements to the extent they apply to our operations.

Texas‑Specific Compliance

The Organization implements privacy and security practices designed to meet or exceed applicable Texas and federal standards for medical and personal information.

• Full HIPAA adherence, when HIPAA applies to the services being provided or the information being handled.

• Protection of medical information consistent with the Texas Health & Safety Code, including the Texas Medical Records Privacy Act.

• Resident data confidentiality is guaranteed by policy, subject to limited exceptions required or permitted by law (such as safety, abuse reporting, and court orders).

• Secure digital and physical record storage is required for all resident information in our custody.

Covered and Protected Information

The Organization limits collection and use of resident information to what is reasonably necessary to operate housing and related services, comply with funding and regulatory requirements, and protect the safety of residents, staff, and the community.

Covered information includes, but is not limited to:

• Personal identification details, such as name, date of birth, contact information, government‑issued identifiers (when necessary and permitted by law), and emergency contact details.

• Medical records and health history, including diagnoses, medications, treatment plans, functional assessments, and disability‑related information needed to coordinate services and support safe housing.

• Mental health information, such as behavioral health assessments, treatment notes, crisis plans, or other mental‑health‑related documentation, subject to any stricter protections under applicable federal and Texas laws.

• Demographic data, including age, gender, race or ethnicity (when required for nondiscrimination or funding reports), veteran status, disability status, and similar information.

• Treatment and placement records, including intake forms, assessments, service plans, housing placement and transfer history, incident reports, progress notes, and discharge summaries.

• Criminal background information, obtained only when necessary for safety, eligibility, or legal compliance; access is limited to personnel with a legitimate need to know for those purposes.

Resident Rights

Residents have important privacy and information rights under federal and Texas law and under this policy, subject to specific limits and exceptions set out in those laws.

Right to Access Personal Information

Residents have the right to:

• Request a complete copy of their personal file, including housing, service, and (when applicable) health‑related information maintained by the Organization, within legally required time frames.

• Receive an explanation of what categories of information are stored, how the information is generally used, and the types of entities to whom the information may be disclosed.

• Challenge the accuracy or completeness of information contained in their records through the correction process described below.

Data correction rights

Residents have the right to:

• Submit written requests to correct or amend information they believe is inaccurate, incomplete, or outdated.

• Receive written confirmation that the request was received and a response within 30 days unless an extension is permissible under applicable law.

• Dispute information that the Organization declines to amend; in such cases, the resident may submit a written statement of disagreement, which will be added to the record and, when required by law, included with future disclosures of the disputed information.

Information usage limitations

Residents have the right to:

• Expect that consent or written authorization will be obtained for most data sharing that is not otherwise required or specifically allowed by law (for example, many uses and disclosures for non‑treatment, non‑payment, or non‑operations purposes).

• Request that certain disclosures or uses of their information be restricted; while the Organization is not always required to agree, all requests will be considered and any accepted restriction will be honored except in emergencies or when disclosure is legally required.

• Request an accounting of certain disclosures of protected health information made by the Organization, for the period and in the manner required by applicable law.

Additional Rights

Residents also have the right to:

• Be informed of this privacy policy and receive a copy upon admission, upon request, and whenever the policy is materially revised.

• File a complaint or concern about privacy practices without fear of retaliation, using the contact information provided at the end of this policy and, if desired, directly with appropriate state or federal oversight agencies.

Authorized Disclosures (Without Resident Consent)

The Organization will not share resident information with unrelated third parties for marketing or sales purposes. However, certain disclosures may be made without resident consent or authorization when permitted or required by law. In such cases, the Organization will limit the information shared to the minimum necessary for the stated purpose, when a minimum‑necessary standard applies.

Examples include:

• Safety investigations: When needed to prevent or lessen a serious and imminent threat to the health or safety of a resident or another person, including disclosures to law enforcement, emergency responders, or other appropriate parties.

• Licensing and compliance checks: To federal, state, or local agencies, including Texas and Harris County oversight authorities, that are conducting inspections, audits, investigations, or other legally authorized oversight activities.

• Law enforcement requests: In response to a valid warrant, subpoena, court order, or other lawful process, or in limited circumstances otherwise permitted by law (such as reporting certain crimes or locating a missing person).

• Public health emergencies: To public health authorities or other authorized entities for public health activities, including preventing or controlling disease or responding to public health threats.

• Court‑ordered information sharing: When a court or administrative body issues an order compelling disclosure; the Organization will disclose only the information specifically required by the order.

• Mandatory reporting: When reporting suspected abuse, neglect, exploitation, or other conditions that must be reported under Texas law.

Data Protection Protocols and Security Practices

The Organization maintains administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of resident information, in alignment with HIPAA and applicable Texas requirements.

Security measures include:

• Encrypted digital storage: Electronic records are maintained in systems that use encryption, password protection, and role‑based access controls, along with reasonable cybersecurity practices to reduce the risk of unauthorized access.

• Locked physical filing systems: Paper records are stored in locked cabinets or secure rooms with access limited to authorized personnel whose job duties require access.

• Staff HIPAA and confidentiality training: All employees, contractors, and volunteers with access to resident information must complete initial and periodic training on privacy, confidentiality, and security obligations.

• Annual privacy protocol review: Policies, procedures, and security controls are reviewed at least annually, and more frequently as laws, regulations, or operational needs change.

• Immediate breach notification: If a breach of unsecured protected health information or other sensitive personal data is discovered, the Organization will investigate promptly and provide required notices to affected individuals and, when applicable, to regulators or other parties, consistent with federal and Texas breach‑notification laws.

• No third‑party information sharing without consent: Except where permitted or required by law as described in the “Authorized disclosures” section, the Organization does not share resident information with third parties without appropriate resident consent or authorization.

Record Retention and Destruction

The Organization follows a written record‑retention schedule that is designed to meet or exceed applicable Texas requirements for housing, service, and, where applicable, health‑related records.

• Resident records are generally retained for at least seven (7) years after the last date of service or discharge, unless a longer period is required by contract, funding source, or law.

• When records reach the end of the retention period and are no longer required to be kept, they will be destroyed securely, including cross‑cut shredding or comparable destruction for paper records and secure deletion or destruction for electronic records, so that the information cannot be reconstructed.

Questions, Requests, and Complaints

Residents may exercise their rights under this policy or submit questions or complaints about privacy practices by contacting:

Within  Reach Housing Solutions

Phone: +1 (832) 990-7490

Email: info@withinreachhousing.net

No resident will be retaliated against for exercising privacy rights or submitting a good‑faith privacy complaint.