Privacy Policy

IMPORTANT: This Website Privacy Policy governs how Mountains Community Health collects and uses information through this website (mch75.com). It is separate from our HIPAA Notice of Privacy Practices, which governs how we handle your Protected Health Information (PHI) as a patient. Please review both documents. A link to our HIPAA Notice of Privacy Practices is provided below and in Section 3.

Your Rights and Privacy: We at Mountains Community Hospital are partners in your healthcare. When you are well informed, participate in treatment decisions, and communicate openly with your doctor and other health professionals, you help make your care as effective as possible. Mountains Community Hospital encourages respect for the personal preferences and values of each individual.

1. Introduction

Mountains Community Health (“MCH,” “we,” “our,” or “us”) is a full-service health system located in Lake Arrowhead, California, serving communities throughout the San Bernardino Mountains. We are committed to protecting the privacy of everyone who visits our website.

This Website Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit mch75.com and its associated pages (the “Site”). It applies to:

  • General website visitors
  • Individuals who submit a contact form inquiry
  • Newsletter subscribers
  • Foundation donors and prospective donors
  • Community members seeking information about our services


This Policy is designed to comply with applicable privacy laws, including:

  • The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — Cal. Civ. Code §§ 1798.100 et seq.
  • The California Confidentiality of Medical Information Act (CMIA) — Cal. Civ. Code §§ 56 et seq.
  • The Health Insurance Portability and Accountability Act (HIPAA) — 45 C.F.R. Parts 160 and 164 (as applicable to website interactions)
  • The FTC Health Breach Notification Rule — 16 C.F.R. Part 318
  • The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 (for EEA visitors)
  • Other applicable federal, California, and local privacy regulations


By using this Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Site.

2. Scope of This Policy

This Privacy Policy covers only the data collected through this website (mch75.com). It does not govern:

  • Patient health information (PHI) collected in the course of your medical care, treatment, payment, or healthcare operations — that information is governed by our HIPAA Notice of Privacy Practices (see Section 3).
  • Third-party platforms linked from this Site (e.g., the Patient Portal, online bill pay, DonorPerfect donation platform, Mailchimp newsletter service, or social media platforms). Each of those services operates under its own privacy policy.
  • Employee or job applicant data collected through our separate careers platform.


Note: If you use the contact form on this Site and include health-related information in your message, that information may not receive the full protections afforded to PHI under HIPAA. Please do not submit sensitive medical information through the general contact form. For clinical matters, contact us directly by phone at (909) 336-3651 or visit our Patient Portal.

3. HIPAA Notice of Privacy Practices

As a HIPAA-covered entity, Mountains Community Health maintains a separate Notice of Privacy Practices (NPP) that describes how we may use and disclose your Protected Health Information (PHI) for treatment, payment, and healthcare operations, and explains your rights as a patient under HIPAA.

Our HIPAA Notice of Privacy Practices is available in this link.

You may also request a paper copy of the Notice at the registration desk at any of our facilities, or by calling (909) 336-3651.

Nothing in this Website Privacy Policy is intended to limit or supersede your rights under HIPAA or the California Confidentiality of Medical Information Act (CMIA).

4. Information We Collect

4.1 Information You Provide Directly

We collect personal information when you voluntarily interact with the Site, including when you:

Contact Form

  • First name, last name
  • Email address
  • Phone number (optional)
  • Message content

Newsletter Subscription

  • Email address (submitted to our newsletter platform, Mailchimp)

Foundation Donations

Clicking “Donate” on this Site routes you to DonorPerfect (donorperfect.net), a third-party donation processing platform. Any financial or personal information you provide during the donation process is collected and handled by DonorPerfect under its own privacy policy. MCH does not collect or store your payment card information.

4.2 Information Collected Automatically

When you visit the Site, we and our technology service providers may automatically collect:

  • IP address and approximate geographic location (city/region level)
  • Browser type, version, and language settings
  • Operating system and device type
  • Pages visited, time spent on each page, and navigation path
  • Referring URL (the page or platform that directed you to our Site)
  • Date and time of each visit
  • Cookies and similar tracking technologies (see Section 8)

4.3 Information from Third Parties

We may receive information from:

  • Social media platforms (Facebook, Instagram, LinkedIn, YouTube) when you interact with our social media pages or click social links on our Site
  • Analytics providers that aggregate Site usage data

5. How We Use Your Information

5.1 Site Operations and Communications

  • To operate, maintain, and improve the Site
  • To respond to inquiries submitted through the contact form
  • To send our newsletter to subscribers who have opted in
  • To process and acknowledge Foundation donations (in coordination with DonorPerfect)
  • To schedule or coordinate general (non-clinical) requests

5.2 Analytics and Site Improvement

  • To analyze website traffic, usage patterns, and visitor behavior
  • To evaluate the effectiveness of content and site structure
  • To identify and fix technical issues

5.3 Legal Compliance and Safety

  • To comply with applicable laws, regulations, and court orders
  • To detect and prevent fraud, abuse, or security threats
  • To protect the rights, property, and safety of MCH, our patients, staff, and the public

5.4 Community and Foundation Engagement

  • To communicate about Foundation events, campaigns, and giving opportunities (for donors and subscribers)
  • To recognize donors and supporters in accordance with our donor recognition practices

5.5 Legal Basis for Processing (GDPR — EEA Visitors)

For visitors from the European Economic Area, we process personal data on the following legal bases:

  • Legitimate Interests: Operating the Site, responding to inquiries, and improving our services, provided our interests are not overridden by your rights.
  • Consent: For newsletter subscriptions and non-essential cookies. You may withdraw consent at any time.
  • Legal Obligation: Where processing is required by applicable law.

6. How We Share Your Information

We do not sell your personal information. We do not share your personal information for monetary or other valuable consideration. We may share information as described below.

6.1 Service Providers

We work with trusted third-party vendors who assist us in operating the Site. These providers may have access to your information only as necessary to perform their services and are contractually bound to maintain appropriate security measures:

  • Website hosting and CMS: WordPress-based hosting provider
  • Newsletter distribution: Mailchimp (The Rocket Science Group, LLC) — receives email addresses of newsletter subscribers
  • Donation processing: DonorPerfect — receives donor information when you complete a donation through the linked portal
  • Analytics: Website analytics tools that help us understand Site usage
  • Video hosting: YouTube (Google LLC) — embedded video players on this Site may set cookies and collect viewing data under Google’s privacy policy
  • Patient Portal: Meditech — the Patient Portal is a separate platform governed by its own terms and privacy practices
  • Online bill pay: Third-party bill payment processor — governed by its own privacy policy

6.2 Internal Sharing

Information submitted through the Site may be accessed by MCH staff in relevant departments (e.g., administration, Foundation team, communications) on a need-to-know basis.

6.3 Legal Requirements

We may disclose your information when required or permitted by law, including:

  • In response to a valid subpoena, court order, or government request
  • To comply with applicable federal or California law or regulation
  • To protect the rights, property, or safety of MCH, patients, staff, or others
  • In connection with investigations of fraud, security threats, or illegal activity

6.4 Business Transfers

In the event of a merger, consolidation, acquisition, or transfer of assets, personal information collected through this Site may be transferred to a successor entity. We will provide notice of any such transfer that materially affects your information, as required by law.

7. California Privacy Rights (CCPA / CPRA)

This section applies to California residents. Under the CCPA, as amended by the CPRA, California residents have specific rights regarding their personal information.

California Medical Information: Personal information about your health condition, treatment, or medical history collected in connection with your care as a patient is also subject to the California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56 et seq., and HIPAA. Your rights under those laws are described in our HIPAA Notice of Privacy Practices.

7.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories through this website:

  • Identifiers: Name, email address, phone number, IP address
  • Internet or Network Activity: Pages visited, referring URL, browser and device data
  • Geolocation Data: Approximate location derived from IP address
  • Commercial Information: Donation records (processed through DonorPerfect)
  • Communications Content: Content of messages submitted through the contact form


We do not intentionally collect sensitive personal information such as Social Security numbers, financial account numbers, precise geolocation, health information, or racial/ethnic origin through this website.

7.2 Your California Privacy Rights

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information as defined under the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond purposes permitted by the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

7.3 How to Submit a California Privacy Request

To exercise your CCPA/CPRA rights, contact us:

  • Phone: (909) 336-3651
  • Mail: Mountains Community Health, Attn: Privacy Officer, 29101 Hospital Road, Lake Arrowhead, CA 92352
  • Email: [INSERT PRIVACY OFFICER EMAIL]


We will verify your identity before processing your request and respond within 45 days (extendable to 90 days with notice). You may designate an authorized agent to submit a request on your behalf with written proof of authorization.

8. California Confidentiality of Medical Information Act (CMIA)

The California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.) provides additional protections for medical information about California residents. As a provider of healthcare services, Mountains Community Health complies with the CMIA with respect to any medical information collected or maintained in connection with the provision of healthcare services.

The CMIA prohibits us from disclosing your medical information without your written authorization except as permitted by law (e.g., for treatment, payment, or healthcare operations). If you believe your CMIA rights have been violated, you may contact:

  • MCH Privacy Officer at the contact information in Section 7.3
  • California Department of Public Health: www.cdph.ca.gov
  • California Attorney General: oag.ca.gov

9. Rights of EEA Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

  • Right of Access (Art. 15): Obtain confirmation of processing and receive a copy of your personal data.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data in certain circumstances.
  • Right to Restrict Processing (Art. 18): Request that we limit processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority if you believe your rights have been violated.


To exercise these rights, contact us using the information in Section 12. We will respond within 30 days and may need to verify your identity before processing your request.

9.1 International Data Transfers

Mountains Community Health is based in the United States. If you are located outside the United States, your information may be transferred to and processed in the U.S., where data protection laws may differ. For EEA residents, we will ensure that any such transfer is subject to appropriate safeguards, such as Standard Contractual Clauses, as required by the GDPR.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Site. A cookie is a small file placed on your device when you visit a website.

10.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Required for the Site to function (e.g., session management, security). Cannot be disabled.
  • Functional Cookies: Remember your preferences to improve your browsing experience.
  • Analytics Cookies: Help us understand how visitors interact with the Site. We may use tools such as Google Analytics for this purpose.
  • Third-Party / Social Media Cookies: The Site includes links and embedded content from Facebook, Instagram, LinkedIn, and YouTube. These platforms may set their own cookies when you interact with their content. We do not control these third-party cookies.
  • YouTube Embedded Video Cookies: Videos embedded on this Site are served by YouTube (Google LLC). When a video loads, YouTube may set cookies and collect data per Google’s Privacy Policy, even if you do not play the video.

10.2 Cookie Consent and Management

For California and EEA visitors, we provide cookie consent options in accordance with applicable law. You may manage your preferences through our Cookie Policy page or by adjusting your browser settings to refuse or delete cookies. Note that disabling certain cookies may affect Site functionality.

10.3 Do Not Track

Our Site does not currently respond to browser Do Not Track (DNT) signals, as no uniform standard has been adopted for how websites must respond. We will update this section if that changes.

11. Third-Party Platforms Linked from This Site

11.1 Newsletter — Mailchimp

Our newsletter subscription is managed through Mailchimp, operated by The Rocket Science Group, LLC. When you subscribe, your email address is transmitted to and stored by Mailchimp. Mailchimp’s privacy practices are governed by their own Privacy Policy, available at mailchimp.com/legal/privacy. You may unsubscribe at any time by clicking the unsubscribe link in any newsletter email.

11.2 Donations — DonorPerfect

Clicking the Donate button on this Site directs you to DonorPerfect (donorperfect.net), a third-party fundraising platform. Any information you provide during the donation process — including your name, contact details, and payment information — is collected and handled by DonorPerfect under their own Privacy Policy. Mountains Community Health does not collect or store payment card information.

11.3 Patient Portal — Meditech

Links to the Patient Portal on this Site direct you to a separate platform operated by Meditech. Your login credentials, health records, and activity within the Patient Portal are governed by Meditech’s terms of service and MCH’s HIPAA Notice of Privacy Practices, not this Website Privacy Policy.

11.4 Online Bill Pay

The bill pay link on this Site directs you to a separate third-party payment processor. Payment information submitted through that platform is governed by that platform’s privacy policy. MCH does not receive or store your payment card information.

11.5 Social Media Platforms

This Site links to MCH’s social media profiles on Facebook, Instagram, LinkedIn, and YouTube. These platforms operate independently and collect their own data from your interactions. We encourage you to review each platform’s privacy policy before engaging. MCH is not responsible for the data practices of these third-party services.

12. Data Retention

We retain personal information collected through this website for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.

  • Contact form submissions are generally retained for [INSERT RETENTION PERIOD] and then securely deleted or anonymized.
  • Newsletter subscriber data is retained until you unsubscribe or request deletion.
  • Website analytics and usage data may be retained for [INSERT PERIOD].
  • Foundation donor records may be retained for longer periods in accordance with nonprofit accounting and tax compliance requirements.


Patient health records are subject to HIPAA and California medical record retention requirements and are governed separately by our HIPAA Notice of Privacy Practices.

13. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures are designed to be appropriate to the nature of the information and the risks presented by our processing activities.

However, no transmission over the Internet and no data storage system is completely secure. We cannot guarantee absolute security of your information. In the event of a data breach involving personal information collected through this website, we will notify affected individuals as required by applicable law, including the California Consumer Privacy Act and the FTC Health Breach Notification Rule (16 C.F.R. Part 318), where applicable.

If you believe your information has been compromised, please contact us immediately using the information in Section 15.

14. Children’s Privacy

This website is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 through this Site. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us and we will take steps to delete that information. Clinical services for pediatric patients are governed by HIPAA and our Notice of Privacy Practices.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last Updated” date at the top of this Policy. We encourage you to review this Policy periodically. Your continued use of the Site following the posting of changes constitutes your acceptance of the updated Policy.

16. Contact Us — Privacy Questions

If you have questions, concerns, or requests relating to this Website Privacy Policy or how Mountains Community Health handles your personal information, please contact:

Mountains Community Health

Attn: Privacy Officer

29101 Hospital Road, Lake Arrowhead, CA 92352

Mailing Address: PO Box 1493, Lake Arrowhead, CA 92352

Phone: (909) 336-3651

Email: [INSERT PRIVACY OFFICER EMAIL]

Website: mch75.com

For HIPAA-related concerns regarding your patient health information, refer to our HIPAA Notice of Privacy Practices at mchcares.com/patients-visitors/patients-rights/ or request a copy at any MCH registration desk.

For GDPR-related inquiries from EEA residents, you may also contact your local data protection authority. A directory of EEA supervisory authorities is available at: edpb.europa.eu/about-edpb/board/members_en