Next Step Rehab LLC

WEBSITE PRIVACY POLICY


Effective Date: May 1, 2026

Next Step Rehab LLC ("Next Step Rehab," "we," "us," or "our") is a Maryland-based mobile and in-home rehabilitation practice providing physical therapy (PT), occupational therapy (OT), consulting and wellness programs. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or contact us through any digital channel.

This Policy applies to website visitors and online inquiries only. For information about how we handle your protected health information (PHI) as a patient, please refer to our separate Notice of Privacy Practices, provided at the time of your initial evaluation.


1. Our Status as a HIPAA Covered Entity

Next Step Rehab LLC is a HIPAA-covered entity under 45 C.F.R. §160.102. As a healthcare provider that electronically transmits health information in connection with standard transactions, we are legally required to protect the privacy and security of protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act.

All clinical records, patient communications, and health information collected in connection with the provision of therapy services are governed by our Notice of Privacy Practices — a separate document provided to every patient at the time of initial evaluation. This Privacy Policy governs website interactions only.


2. Information We Collect

2.1 Information You Provide

When you complete and submit a contact or inquiry form on our website, we may collect:

Full name, email address, and phone number

Type of inquiry (e.g., service request, insurance question, career inquiry)

General area of interest (e.g., fall prevention, post-surgical rehabilitation, telehealth)

Any message content you voluntarily include

These forms are used solely to respond to your inquiry or schedule an initial consultation.

2.2 Information Collected Automatically

When you visit our website, certain technical data may be collected automatically, including:

IP address and approximate geographic location (city/region level)

Browser type and operating system

Pages visited, time on page, and referring URL

Date and time of visit

This information is used to maintain website security and improve user experience. It is not linked to your personal identity.

2.3 Cookies

Our website may use cookies to enhance functionality and analyze traffic. You may configure your browser to decline cookies; however, some features may not function as intended. We do not use cookies to track users across unaffiliated third-party websites.


3. How We Use Your Information

Information collected through this website is used to:

Respond to inquiries and schedule consultations or evaluations

Verify insurance eligibility prior to service delivery

Communicate with referral sources and healthcare partners

Improve website content and digital services

Comply with applicable federal and Maryland state law

Protect the security and integrity of our systems


4. How Form Submissions Are Received — Google Workspace and HIPAA

Next Step Rehab LLC uses Google Workspace (Gmail) to receive and manage communications, including submissions from this website's contact forms. We have executed a Business Associate Agreement (BAA) with Google LLC, which designates Google as a Business Associate under HIPAA and requires Google to safeguard any PHI processed through Google Workspace services in accordance with 45 C.F.R. Part 164.

What this means for you:

Once your form submission is received in our Google Workspace inbox, it is handled within a HIPAA-covered environment governed by our BAA with Google.

Google Workspace Gmail, Drive, and related core services are covered under that agreement.

Important Limitation: Your form submission travels through our website platform (ZenBusiness / Duda) before it reaches our inbox. At this time, we do not have a Business Associate Agreement with our website platform provider. This means the transmission of your submission from the web form to our inbox may not be fully covered under HIPAA. We are actively reviewing this gap.

For this reason, we strongly advise:

Do not submit specific diagnoses, medical record numbers, detailed health histories, or other sensitive PHI through this website's contact forms.

To share clinical information securely, please call us directly at 240-389-2935 or 202-780-6495, or fax documents to 410-413-7738.

All referral orders and clinical documentation should be transmitted by fax only.

General inquiries — such as requesting a call, asking about services, or submitting a career inquiry — are appropriate for the web form.


5. Disclosure of Your Information

5.1 Service Providers

We may share limited information with trusted third-party vendors (including Google LLC under our signed BAA) who assist us in operating our website, managing communications, and verifying insurance — solely to the extent necessary to provide those services.

5.2 Healthcare Partners and Referral Sources

With your knowledge and consent, we may communicate with referring physicians, hospitals, school-based programs, or other healthcare entities to coordinate care or confirm service arrangements.

5.3 Legal Requirements

We may disclose information when required by law, court order, regulatory mandate, or to protect the rights, safety, or property of Next Step Rehab LLC, our staff, or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or transfer of substantially all business assets, your information may be transferred to a successor entity subject to equivalent privacy protections.

5.5 No Sale of Information

We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.


6. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect information against unauthorized access, disclosure, alteration, or destruction, including:

SSL/TLS encrypted transmission on our website

Google Workspace with a signed HIPAA BAA for email communications

Access controls limiting staff access to information on a need-to-know basis

No method of electronic transmission or storage is 100% secure. As noted in Section 4, web form submissions may traverse a platform that does not currently have a BAA in place. For sensitive information, please contact us by phone or fax.


7. Retention of Information

We retain website-collected contact and inquiry information for as long as reasonably necessary to respond to your inquiry, fulfill service obligations, and comply with applicable Maryland record retention requirements. Clinical records are retained in accordance with our HIPAA-compliant records retention policy.


8. Third-Party Links

Our website may contain links to third-party websites, including insurance portals, health system directories, or scheduling platforms. We are not responsible for the privacy practices of those sites. Please review their privacy policies before submitting personal information.


9. Children's Privacy

Our website is not directed to children under the age of 13. We do not knowingly collect personal information from children without verifiable parental consent. If you believe we have inadvertently collected information from a minor, please contact us immediately.


10. Your Rights

You may have certain rights with respect to your personal information, including the right to request access, correction, or deletion of information we hold, subject to legal retention requirements. To exercise these rights, contact us using the information in Section 12.

For rights related to your PHI as a patient, please refer to our Notice of Privacy Practices.


11. Updates to This Policy

We reserve the right to update this Privacy Policy at any time. Changes will be posted with a revised effective date. Continued use of our website constitutes acceptance of the revised Policy.


12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us at:


Registered Agents LLC

Attn: Next Step Rehab LLC

5000 Thayer Center, Oakland, Maryland 21550

Email: privacy@nextsteprehab.com

Website: nextstep-rehab.com